cisco-ucm-cluster-enum: Cisco Unified Communications Manager - Cluster Enumeration

日期: 2026-02-03 | 影响软件: 未知 | POC: 已公开

漏洞描述

Enumerated Cisco UCM cluster nodes (servers) using the unauthenticated UDS API (XML), allowing identification of backend servers without authentication.

PoC代码[已公开]

id: cisco-ucm-cluster-enum

info:
  name: Cisco Unified Communications Manager - Cluster Enumeration
  author: Morgan Robertson
  severity: low
  description: |
    Enumerated Cisco UCM cluster nodes (servers) using the unauthenticated UDS API (XML), allowing identification of backend servers without authentication.
  reference:
    - https://developer.cisco.com/site/user-data-services/develop-and-test/api-reference/#servers
  metadata:
    verified: true
    product: unified_communications_manager
    vendor: cisco
    shodan-query: http.title:"Unified Communications Self Care Portal"
    fofa-query: title="Unified Communications Self Care Portal"
  tags: cisco,ucm,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/cucm-uds/servers"

    headers:
      Accept: application/xml

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "text/xml"
          - "application/xml"
        condition: or

      - type: word
        part: body
        words:
          - '<servers uri'
          - '<server>'
        condition: and

    extractors:
      - type: xpath
        name: cluster_nodes
        xpath:
          - "/servers/server"
# digest: 4a0a0047304502204268423ab81f1e93393178449d72c3ea4b4af431a829eb17115e3e7211269ffa02210082ad194e71f2ecc609f1b70396a44150a0bcd3a1e2c02440f7640091b8350a09:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/cisco/cisco-ucm-cluster-enum.yaml