CVE-2026-34908 Elastic Security · Elastic

Detect CVE-2026-34908 — Ubiquiti UniFi OS Improper Access Control Exploitation in Elastic Security

Detects exploitation attempts targeting CVE-2026-34908, an improper access control vulnerability (CWE-284) in Ubiquiti UniFi OS. This vulnerability is listed on the CISA Known Exploited Vulnerabilities catalog and allows attackers to bypass access controls on UniFi OS devices. Detection focuses on unauthorized API access, anomalous management plane requests, and lateral movement patterns consistent with UniFi controller compromise.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Defense Evasion Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=10m
  [network where event.category == "network" and
   (destination.domain like~ "*unifi*" or destination.domain like~ "*ubiquiti*") and
   url.path like~ "/api/*" and
   http.response.status_code in (200, 201, 204) and
   http.request.method in ("GET", "POST", "PUT", "DELETE")]
  [network where event.category == "network" and
   (destination.domain like~ "*unifi*" or destination.domain like~ "*ubiquiti*") and
   (url.path like~ "/api/s/default/cmd/*" or url.path like~ "/proxy/network/api/s/default/cmd/*" or url.path like~ "/api/system*") and
   http.response.status_code in (200, 201, 204)]
critical severity medium confidence

Elastic EQL sequence detection identifying a two-step pattern of initial UniFi API access followed by access to privileged administrative command endpoints, both returning successful responses. This sequence is consistent with access control bypass exploitation of CVE-2026-34908.

Data Sources

PacketbeatElastic Network LogsElastic Agent Network Events

Required Tables

logs-network.*packetbeat-*

False Positives & Tuning

  • UniFi mobile or desktop client performing routine management operations from authorized hosts
  • Administrators running bulk configuration changes via the UniFi API
  • Automated provisioning scripts that legitimately sequence API calls to configure devices
  • UniFi auto-update processes that authenticate and then call management endpoints

Other platforms for CVE-2026-34908

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated UniFi OS Admin API Enumeration

    Expected signal: Network logs showing HTTP GET requests to multiple /api/ paths on the target UniFi controller IP, returning HTTP status codes that vary by endpoint accessibility.

  2. Test 2Unauthorized UniFi OS Command Endpoint Access

    Expected signal: Network logs showing a POST request to /api/s/default/cmd/stamgr on the target IP with a JSON body. A 200 response with an action response body indicates the access control bypass is exploitable.

  3. Test 3UniFi OS New Admin User Creation via API Bypass

    Expected signal: Network logs showing a POST to /api/s/default/rest/admin with a 200 or 201 response. UniFi controller audit log should record a new admin creation event without a corresponding login event from the source IP.

Last updated: 2026-06-24 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-34908 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0005Defense EvasionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1021Remote Services

Same Tactic: Initial Access

Popular Detections