CVE-2026-34908 — Ubiquiti UniFi OS Improper Access Control Exploitation
Detects exploitation attempts targeting CVE-2026-34908, an improper access control vulnerability (CWE-284) in Ubiquiti UniFi OS. This vulnerability is listed on the CISA Known Exploited Vulnerabilities catalog and allows attackers to bypass access controls on UniFi OS devices. Detection focuses on unauthorized API access, anomalous management plane requests, and lateral movement patterns consistent with UniFi controller compromise.
Vulnerability Intelligence
- KEV: Known Exploited (listed in the CISA Known Exploited Vulnerabilities catalog)
Affected Software
- Vendor: Ubiquiti
- Product: UniFi OS
Weakness (CWE)
- CWE-284 Improper Access Control
Timeline
- Disclosed: June 23, 2026
References & Proof of Concept
- https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-34908
What is CVE-2026-34908 (Ubiquiti UniFi OS Improper Access Control Exploitation)?
CVE-2026-34908 (Ubiquiti UniFi OS Improper Access Control Exploitation) maps to the MITRE ATT&CK tactics Initial Access (the adversary is trying to get into your network), Privilege Escalation, Defense Evasion and Lateral Movement.
This page provides production-ready detection logic for CVE-2026-34908 (Ubiquiti UniFi OS Improper Access Control Exploitation), covering the data sources and telemetry it touches: CommonSecurityLog, Network Firewall Logs and Proxy Logs. The query below is rated critical severity at medium confidence and ships for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.
```kql
// Optional allow-list of known UniFi controller IPs; leave empty to rely on vendor/hostname matching.
let UniFiIPs = dynamic([]);
let SuspiciousEndpoints = dynamic(["/api/", "/proxy/network/api/", "/api/s/default/", "/api/login", "/api/self"]);
CommonSecurityLog
| where TimeGenerated >= ago(24h)
| where DeviceVendor has_any ("Ubiquiti", "UniFi") or DestinationHostName has_any ("unifi", "ubiquiti") or DestinationIP in (UniFiIPs)
| where RequestURL has_any (SuspiciousEndpoints)
| where RequestMethod in ("GET", "POST", "PUT", "DELETE") and isnotempty(SourceIP)
// Privileged command and system endpoints are the paths an access control bypass would be used against.
| extend IsAdminEndpoint = RequestURL has_any ("/api/s/default/cmd/", "/proxy/network/api/s/default/cmd/", "/api/system")
// A success response with no authentication marker in the CEF extensions suggests the request was not authenticated.
| extend IsUnauthenticated = ResponseCode in ("200", "201", "204") and (isempty(AdditionalExtensions) or AdditionalExtensions !has "authenticated")
| where IsAdminEndpoint == true
| summarize
    RequestCount = count(),
    UnauthenticatedCount = countif(IsUnauthenticated),
    DistinctEndpoints = dcount(RequestURL),
    Endpoints = make_set(RequestURL, 20),
    ResponseCodes = make_set(ResponseCode, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, DestinationIP, DestinationHostName
| where RequestCount >= 3 or DistinctEndpoints >= 2
| extend RiskScore = case(
    RequestCount >= 20, "High",
    RequestCount >= 5, "Medium",
    "Low")
| project FirstSeen, LastSeen, SourceIP, DestinationIP, DestinationHostName, RequestCount, UnauthenticatedCount, DistinctEndpoints, Endpoints, ResponseCodes, RiskScore
| order by RequestCount desc
```
Detects suspicious access to UniFi OS administrative API endpoints from potentially unauthenticated or unauthorized sources. Looks for patterns consistent with CVE-2026-34908 access control bypass, including repeated requests to privileged API paths and anomalous response codes.
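As an added example that is not part of this page, the following Python re-implements the KQL pipeline above (UniFi filter, admin-endpoint flag, grouping by source and destination, the 3-request / 2-endpoint threshold and the RiskScore ladder) over constructed CommonSecurityLog-style records, so the thresholds can be exercised offline before deployment. The records, IPs and hostname are invented, and KQL's term-based has_any() is approximated with case-insensitive substring matching.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SUSPICIOUS = ("/api/", "/proxy/network/api/", "/api/s/default/", "/api/login", "/api/self")
ADMIN = ("/api/s/default/cmd/", "/proxy/network/api/s/default/cmd/", "/api/system")
METHODS, OK_CODES = {"GET", "POST", "PUT", "DELETE"}, {"200", "201", "204"}

def risk_score(n):
    # Same case() ladder as the query's RiskScore column.
    return "High" if n >= 20 else "Medium" if n >= 5 else "Low"

def detect(records, now):
    # Mirrors the KQL pipeline: filter -> extend flags -> summarize -> threshold -> score.
    groups = defaultdict(list)
    for r in records:
        target = (r.get("DeviceVendor", "") + " " + r.get("DestinationHostName", "")).lower()
        url = r.get("RequestURL", "")
        if (r["TimeGenerated"] < now - timedelta(hours=24)
                or not ("ubiquiti" in target or "unifi" in target)
                or not any(e in url for e in SUSPICIOUS)
                or r.get("RequestMethod") not in METHODS or not r.get("SourceIP")
                or not any(e in url for e in ADMIN)):  # IsAdminEndpoint == true
            continue
        groups[(r["SourceIP"], r["DestinationIP"], r.get("DestinationHostName", ""))].append(r)
    alerts = []
    for (src, dst, host), rows in groups.items():
        urls = {r["RequestURL"] for r in rows}
        if len(rows) < 3 and len(urls) < 2:  # RequestCount >= 3 or DistinctEndpoints >= 2
            continue
        # Reports the query's IsUnauthenticated flag, which it computes but never surfaces.
        unauth = sum(r.get("ResponseCode") in OK_CODES and "authenticated" not in r.get("AdditionalExtensions", "")
                     for r in rows)
        alerts.append({"SourceIP": src, "DestinationIP": dst, "DestinationHostName": host,
                       "RequestCount": len(rows), "DistinctEndpoints": len(urls),
                       "UnauthenticatedOK": unauth, "RiskScore": risk_score(len(rows))})
    return sorted(alerts, key=lambda a: -a["RequestCount"])

NOW = datetime(2026, 6, 24, 12, 0)  # constructed "query time" for the 24h window
def rec(minutes_ago, src, url, method="POST", ext=""):
    # Constructed CommonSecurityLog-style record; every value is sample data, not real telemetry.
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "DeviceVendor": "Ubiquiti",
            "DestinationHostName": "unifi.lab.example", "SourceIP": src, "DestinationIP": "10.0.0.5",
            "RequestURL": url, "RequestMethod": method, "ResponseCode": "200", "AdditionalExtensions": ext}

SAMPLE = [rec(30, "198.51.100.7", "/api/s/default/cmd/stamgr"),  # Test 2 style request
          rec(29, "198.51.100.7", "/api/s/default/cmd/stamgr"),
          rec(28, "198.51.100.7", "/api/system", method="GET"),
          rec(27, "198.51.100.7", "/api/s/default/rest/admin"),  # Test 3 path: matches no ADMIN pattern
          rec(10, "10.0.0.20", "/api/s/default/cmd/stamgr", ext="authenticated=true"),  # one request only
          rec(3000, "198.51.100.9", "/api/system", method="GET")]  # older than 24h, excluded
```

The Test 3 path /api/s/default/rest/admin from the Testing Methodology section is deliberately included in the sample: it matches none of the query's admin-endpoint patterns, so the query as written will not count it unless that list is extended.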
Data Sources
- CommonSecurityLog, Network Firewall Logs, Proxy Logs
Required Tables
- CommonSecurityLog
False Positives
- Legitimate UniFi controller management traffic from authorized admin workstations
- Automated monitoring or health check tools polling UniFi OS API endpoints
- Mobile app or desktop UniFi Network application during normal controller synchronization
- Security scanners or vulnerability assessment tools running authorized scans
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-34908 (Ubiquiti UniFi OS Improper Access Control Exploitation) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  category: network_connection
  product: windows
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated UniFi OS Admin API Enumeration
  Expected signal: Network logs showing HTTP GET requests to multiple /api/ paths on the target UniFi controller IP, returning HTTP status codes that vary by endpoint accessibility.
- Test 2: Unauthorized UniFi OS Command Endpoint Access
  Expected signal: Network logs showing a POST request to /api/s/default/cmd/stamgr on the target IP with a JSON body. A 200 response with an action response body indicates the access control bypass is exploitable.
- Test 3: UniFi OS New Admin User Creation via API Bypass
  Expected signal: Network logs showing a POST to /api/s/default/rest/admin with a 200 or 201 response. The UniFi controller audit log should record a new admin creation event without a corresponding login event from the source IP.