Detect CVE-2026-34908 — Ubiquiti UniFi OS Improper Access Control Exploitation in Google Chronicle
Detects exploitation attempts targeting CVE-2026-34908, an improper access control vulnerability (CWE-284) in Ubiquiti UniFi OS. This vulnerability is listed on the CISA Known Exploited Vulnerabilities catalog and allows attackers to bypass access controls on UniFi OS devices. Detection focuses on unauthorized API access, anomalous management plane requests, and lateral movement patterns consistent with UniFi controller compromise.
MITRE ATT&CK
YARA-L Detection Query
```yara-l
rule cve_2026_34908_unifi_access_control_bypass {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects potential exploitation of CVE-2026-34908 - Ubiquiti UniFi OS Improper Access Control"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-34908"
    cve = "CVE-2026-34908"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"

    // Only successful responses count: a refused request (401/403) is not a bypass.
    (
      $e.network.http.response_code = 200 or
      $e.network.http.response_code = 201 or
      $e.network.http.response_code = 204
    )

    // Privileged UniFi OS / Network application API paths.
    (
      re.regex($e.network.http.request_url, `/api/s/default/cmd/`) or
      re.regex($e.network.http.request_url, `/proxy/network/api/s/default/cmd/`) or
      re.regex($e.network.http.request_url, `/api/system`) or
      re.regex($e.network.http.request_url, `/api/admin`)
    )

    // Restrict to UniFi / Ubiquiti hosts on either side of the request.
    (
      re.regex($e.principal.hostname, `(?i)unifi`) or
      re.regex($e.target.hostname, `(?i)unifi`) or
      re.regex($e.target.hostname, `(?i)ubiquiti`)
    )

    $e.principal.ip = $src_ip
    $e.target.ip = $dst_ip

  match:
    $src_ip, $dst_ip over 10m

  outcome:
    // 50 points for a 200 response plus 50 for a command endpoint, maximised over the window.
    $risk_score = max(
      if($e.network.http.response_code = 200, 50, 0) +
      if(re.regex($e.network.http.request_url, `/cmd/`), 50, 0)
    )
    $event_count = count_distinct($e.metadata.id)
    $endpoints = array_distinct($e.network.http.request_url)

  condition:
    #e >= 2
}
```

Chronicle YARA-L rule detecting repeated successful HTTP access to privileged UniFi OS administrative API paths. It triggers when two or more successful responses to command or system endpoints on UniFi infrastructure are observed from the same source IP to the same controller within a 10-minute window.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrator sessions using UniFi Network application performing bulk operations
- Cloud-managed UniFi controllers communicating with managed devices during provisioning
- Automated configuration compliance checks run by network operations teams
- UniFi remote access sessions via Ubiquiti cloud relay infrastructure
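The script below is an added example, not code from df00tech or from the page above, that replays the rule's events/match/outcome/condition logic in Python over constructed HTTP events and applies one tuning control from the False Positives list (a source allowlist for admin jump hosts or cloud-relay egress). Every IP address, hostname, event id and the allowlist are constructed for the example; the sliding-window and allowlist handling are assumptions of this emulation, not behaviour of the Chronicle rule itself.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Taken from the rule: path patterns, hostname patterns, success codes, window, threshold.
PRIVILEGED_PATHS = [re.compile(p) for p in (
    r"/api/s/default/cmd/", r"/proxy/network/api/s/default/cmd/", r"/api/system", r"/api/admin")]
PRINCIPAL_HOST = re.compile(r"unifi", re.IGNORECASE)
TARGET_HOST = re.compile(r"unifi|ubiquiti", re.IGNORECASE)
SUCCESS_CODES = {200, 201, 204}
WINDOW = timedelta(minutes=10)
THRESHOLD = 2  # condition: #e >= 2


@dataclass(frozen=True)
class HttpEvent:
    """One NETWORK_HTTP event reduced to the UDM fields the rule reads."""
    event_id: str
    ts: datetime
    src_ip: str
    dst_ip: str
    target_hostname: str
    method: str
    url: str
    status: int
    principal_hostname: str = ""


def event_matches(e: HttpEvent) -> bool:
    """The rule's events: filters (success code AND privileged path AND UniFi host)."""
    on_unifi = PRINCIPAL_HOST.search(e.principal_hostname) or TARGET_HOST.search(e.target_hostname)
    return (e.status in SUCCESS_CODES
            and any(p.search(e.url) for p in PRIVILEGED_PATHS)
            and on_unifi is not None)


def risk_score(e: HttpEvent) -> int:
    """Per-event term of the rule's outcome: 50 for a 200 response, 50 for a /cmd/ path."""
    return (50 if e.status == 200 else 0) + (50 if "/cmd/" in e.url else 0)


def detect(events, allowlisted_sources=frozenset()):
    """Emulate match ($src_ip, $dst_ip over 10m), outcome and condition.

    allowlisted_sources is a tuning knob assumed by this example (not part of the
    rule): known admin jump hosts or cloud-relay egress addresses are dropped before
    correlation.  Returns {(src_ip, dst_ip): outcome dict} for every pair that alerts.
    """
    groups = defaultdict(list)
    for e in events:
        if e.src_ip not in allowlisted_sources and event_matches(e):
            groups[(e.src_ip, e.dst_ip)].append(e)
    alerts = {}
    for key, evs in groups.items():
        evs.sort(key=lambda x: x.ts)
        best, start = [], 0  # densest 10-minute run of matching events (sliding window)
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= THRESHOLD:
            alerts[key] = {
                "risk_score": max(risk_score(e) for e in best),
                "event_count": len({e.event_id for e in best}),
                "endpoints": sorted({e.url for e in best}),
            }
    return alerts


# --- Constructed sample telemetry (all addresses, hostnames and ids are made up) ---
T0 = datetime(2026, 5, 1, 9, 0, 0)
CTRL_IP, CTRL_HOST = "192.0.2.5", "unifi-ctrl.corp.example"


def _ev(eid, secs, src, method, url, status):
    return HttpEvent(eid, T0 + timedelta(seconds=secs), src, CTRL_IP, CTRL_HOST, method, url, status)


SAMPLE_EVENTS = [
    # Test 1 shape: API enumeration with mixed status codes; two successes match.
    _ev("e1", 0, "203.0.113.10", "GET", "/api/system", 200),
    _ev("e2", 5, "203.0.113.10", "GET", "/api/admin", 401),
    _ev("e3", 10, "203.0.113.10", "GET", "/api/system/info", 200),
    # Test 2 shape: one successful command-endpoint POST; alone it is below threshold.
    _ev("e4", 60, "203.0.113.20", "POST", "/api/s/default/cmd/stamgr", 200),
    # Test 3 shape: admin creation via /rest/admin succeeds, but no path pattern matches it.
    _ev("e5", 120, "203.0.113.30", "POST", "/api/s/default/rest/admin", 201),
    _ev("e6", 125, "203.0.113.30", "POST", "/api/s/default/rest/admin", 200),
    # Bulk device commands from an admin jump host (first False Positives bullet).
    _ev("e7", 200, "10.0.0.5", "POST", "/api/s/default/cmd/devmgr", 200),
    _ev("e8", 205, "10.0.0.5", "POST", "/api/s/default/cmd/devmgr", 200),
    # Two successes 15 minutes apart never share a 10-minute window.
    _ev("e9", 300, "203.0.113.40", "GET", "/api/system", 200),
    _ev("e10", 300 + 15 * 60, "203.0.113.40", "GET", "/api/system", 200),
]
ADMIN_JUMP_HOSTS = frozenset({"10.0.0.5"})  # constructed allowlist for tuning


def run_sample(allowlist=ADMIN_JUMP_HOSTS):
    return detect(SAMPLE_EVENTS, allowlist)


if __name__ == "__main__":
    for (src, dst), a in run_sample().items():
        print(f"{src} -> {dst}: risk={a['risk_score']} events={a['event_count']} urls={a['endpoints']}")
```

Running it alerts only on the enumeration source (risk 50, two endpoints); the jump host is suppressed by the allowlist and would score 100 without it. Two points worth noting when tuning: a single successful command POST (the Test 2 shape) stays below the `#e >= 2` threshold on its own, and the `/api/s/default/rest/admin` path used in Test 3 is not covered by any of the rule's four path patterns, so an admin-creation event has to be caught by the controller audit log correlation described under that test rather than by this rule as written.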
Testing Methodology
Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Unauthenticated UniFi OS Admin API Enumeration
  Expected signal: Network logs showing HTTP GET requests to multiple /api/ paths on the target UniFi controller IP, returning HTTP status codes that vary by endpoint accessibility.
- Test 2: Unauthorized UniFi OS Command Endpoint Access
  Expected signal: Network logs showing a POST request to /api/s/default/cmd/stamgr on the target IP with a JSON body. A 200 response with an action response body indicates the access control bypass is exploitable.
- Test 3: UniFi OS New Admin User Creation via API Bypass
  Expected signal: Network logs showing a POST to /api/s/default/rest/admin with a 200 or 201 response. The UniFi controller audit log should record a new admin creation event without a corresponding login event from the source IP.
References
- https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-34908