Ubiquiti UniFi OS Path Traversal Exploitation Attempt
Detects exploitation attempts targeting CVE-2026-34909, a path traversal vulnerability (CWE-22) in Ubiquiti UniFi OS. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to traverse directory boundaries to access sensitive files or execute unauthorized actions on UniFi network management devices.
Vulnerability Intelligence
KEV: Known Exploited (listed in the CISA Known Exploited Vulnerabilities catalog)
Affected Software
- Vendor: Ubiquiti
- Product: UniFi OS
Weakness (CWE)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Timeline
- Disclosed: June 23, 2026
References
- https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-34909
What is CVE-2026-34909 Ubiquiti UniFi OS Path Traversal Exploitation Attempt?
In MITRE ATT&CK terms, exploitation of CVE-2026-34909 maps to the Initial Access, Defense Evasion and Discovery tactics: the adversary uses the exposed UniFi OS management interface to get a foothold, wraps the traversal payload in URL encoding to slip past filters, and reads files outside the web root to learn about the device.
This page provides production-ready detection logic for Ubiquiti UniFi OS Path Traversal Exploitation Attempt. The telemetry it reads is HTTP request logging from the UniFi device or from the proxy, firewall or WAF in front of it: in Microsoft Sentinel the tables CommonSecurityLog and W3CIISLog (used by the query below), with AzureFirewallApplicationRule and NetworkAccessTraffic as further sources of the same request data. The detection is rated critical severity at high confidence. The KQL version is shown below; the same logic ships for seven SIEM platforms (KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale).
Detection Logic (KQL)
Detects HTTP requests containing path traversal sequences targeting Ubiquiti UniFi OS devices. Looks for URL-encoded and plain traversal patterns in web logs, URL-decodes the request and requires a traversal or sensitive-path indicator in the decoded form as well, then summarizes attempts per source/destination pair so a scanner that sends many payloads surfaces as one row with a high count.

```kql
// Normalize CEF (CommonSecurityLog) and IIS (W3CIISLog) rows to one schema. W3CIISLog has no
// RequestURL/SourceIP columns: its URL is csUriStem + csUriQuery, client is cIP, status is scStatus.
union CommonSecurityLog, W3CIISLog
| where TimeGenerated >= ago(7d)
| extend RequestURL = coalesce(RequestURL, strcat(csUriStem, iff(isempty(csUriQuery), "", strcat("?", csUriQuery)))),
         SourceIP = coalesce(SourceIP, cIP),
         DestinationIP = coalesce(DestinationIP, sIP),
         DestinationPort = coalesce(DestinationPort, toint(sPort)),
         RequestMethod = coalesce(RequestMethod, csMethod),
         ResponseCode = coalesce(scStatus, EventOutcome)
// Raw (undecoded) indicators: plain, single-, double-encoded and mixed dot/slash variants
| where RequestURL has_any ("../", "..%2F", "..%5C", "%2e%2e%2f", "%2e%2e/", "..%252f", ".%2e/", "%2e./")
    or RequestURL matches regex @"(\.{2}[/\\]){2,}"
// Scope: UniFi as vendor, or any HTTP(S) log when the controller sits behind a proxy/WAF that reports its
// own vendor. Because of the "or", the vendor clause alone does not narrow results. IIS rows have neither column.
| where Type == "W3CIISLog" or DeviceVendor has_any ("Ubiquiti", "UniFi") or ApplicationProtocol has_any ("HTTPS", "HTTP")
| where DestinationPort in (443, 80, 8080, 8443)
// Decode and require a traversal or sensitive-path indicator in the decoded URL too
| extend DecodedURL = url_decode(RequestURL)
| where DecodedURL has_any ("../", "/etc/passwd", "/etc/shadow", "/proc/", "/var/log", "/data/unifi")
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DecodedURL, RequestMethod, ResponseCode, DeviceVendor, DeviceProduct
| summarize AttemptCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), URLSamples = make_set(DecodedURL, 5) by SourceIP, DestinationIP, DestinationPort
| order by AttemptCount desc
```
Data Sources
Required Tables
- CommonSecurityLog (CEF from the UniFi device or the proxy/WAF/firewall in front of it)
- W3CIISLog (IIS reverse proxy logs)
Additional tables carrying the same request telemetry: AzureFirewallApplicationRule, NetworkAccessTraffic
False Positives
- Legitimate security scanners or vulnerability assessment tools running against UniFi infrastructure
- Penetration testing activities authorized against network infrastructure
- Web application firewall rule testing generating traversal payloads in test environments
- Automated backup or monitoring agents accessing file paths that superficially resemble traversal patterns
Sigma rule & cross-platform mapping
The detection logic for Ubiquiti UniFi OS Path Traversal Exploitation Attempt (CVE-2026-34909) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security, EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL) queries. In Sigma terms the detection reads HTTP request logs (request URL, client IP, destination port, status) from the web server, reverse proxy or WAF in front of the UniFi controller, so it targets the following logsource:

```yaml
logsource:
  category: webserver
```

Use `category: proxy` instead when the request logs come from a forward or reverse proxy rather than from the web server itself. A host network-connection logsource cannot carry this rule, since connection events do not contain the request URL.
Testing Methodology
Validate this detection against the four adversary techniques from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Basic Path Traversal Probe Against UniFi OS Management Interface
  Expected signal: HTTP request log entry on the UniFi device or upstream proxy showing the traversal sequence in the URL. Network flow record for destination port 8443 from the test source IP.
- Test 2: URL-Encoded Path Traversal Bypass Attempt
  Expected signal: HTTP request containing the URL-encoded traversal sequence `%2e%2e%2f` captured in proxy or IDS logs. Detection should fire on both the raw and the decoded URL fields.
- Test 3: Double-Encoded Traversal Sequence for WAF Bypass Simulation
  Expected signal: HTTP request log entry containing `%252f` in the URL, captured by proxy or WAF logs upstream of the UniFi device.
- Test 4: Automated Path Traversal Scan Using Nuclei
  Expected signal: Multiple rapid HTTP requests to port 8443 containing various traversal payloads in quick succession, consistent with scanner behavior. The source IP generates a burst of traversal-pattern requests within seconds.
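As an added example (not part of the original detection package, and not Ubiquiti's or the SIEM vendors' code), the following Python re-implements the traversal check from the KQL query above and runs it over constructed log lines shaped like the four tests: a plain `../` probe, a single-encoded `%2e%2e%2f` payload, a double-encoded `%252f` payload, and a six-request scanner burst, alongside benign UniFi API calls that must not fire. The log line format, IPs, timestamps and the burst heuristic (five hits within ten seconds) are assumptions made for this example; the decoded-URL check iterates the decode so that double encoding unwraps to `../` rather than stopping at `%2e%2e%2f`.

```python
# Added example, not from the original page or from Ubiquiti: a stand-alone implementation
# of the traversal-detection logic used by the KQL query, run over constructed log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Undecoded indicators, mirroring the has_any list in the query (compared case-insensitively).
RAW_MARKERS = ("../", "..%2f", "..%5c", "%2e%2e%2f", "%2e%2e/", "..%252f", ".%2e/", "%2e./")
# Two or more consecutive "../" or "..\" segments in the raw URL.
RAW_REGEX = re.compile(r"(\.{2}[/\\]){2,}")
# Indicators checked after decoding: traversal plus the sensitive targets from the query.
DECODED_MARKERS = ("../", "/etc/passwd", "/etc/shadow", "/proc/", "/var/log", "/data/unifi")
UNIFI_PORTS = {80, 443, 8080, 8443}
# Constructed log format (assumption): <iso-ts> <src_ip> -> <dst_ip>:<dst_port> "<method> <url> HTTP/1.1" <status>
LINE_RE = re.compile(r'^(\S+) (\S+) -> (\S+):(\d+) "(\S+) (\S+) [^"]*" (\d{3})$')


def fully_decode(url, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e%252e%252f (double
    encoded) unwraps to ../ and not just to %2e%2e%2f. Bounded to avoid pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def is_traversal(url):
    """True when the raw URL or its fully decoded form carries a traversal indicator."""
    lower = url.lower()
    if any(m in lower for m in RAW_MARKERS) or RAW_REGEX.search(url):
        return True
    decoded = fully_decode(url).lower().replace("\\", "/")  # treat ..\ like ../
    return any(m in decoded for m in DECODED_MARKERS)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, method, url, status = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src, "dst": dst,
            "port": int(port), "method": method, "url": url, "status": int(status)}


def detect(lines, burst_window=timedelta(seconds=10), burst_threshold=5):
    """Equivalent of the query's filter + summarize: group traversal hits per (src, dst, port),
    keep up to five distinct decoded URL samples, and flag sources whose hits cluster like a scanner
    (burst heuristic is an assumption of this example, not part of the page's query)."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["port"] in UNIFI_PORTS and is_traversal(ev["url"]):
            groups[(ev["src"], ev["dst"], ev["port"])].append(ev)
    results = []
    for (src, dst, port), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        samples = []
        for e in evs:  # make_set(DecodedURL, 5): unique values, at most five
            d = fully_decode(e["url"])
            if d not in samples:
                samples.append(d)
            if len(samples) == 5:
                break
        burst = any(evs[i + burst_threshold - 1]["ts"] - evs[i]["ts"] <= burst_window
                    for i in range(len(evs) - burst_threshold + 1))
        results.append({"src": src, "dst": dst, "port": port, "count": len(evs),
                        "first": evs[0]["ts"], "last": evs[-1]["ts"],
                        "samples": samples, "scanner_burst": burst})
    return sorted(results, key=lambda r: r["count"], reverse=True)


# Constructed sample log lines (not real traffic) covering the four tests plus benign requests.
SAMPLE_LOGS = [
    # Test 1: plain traversal probe
    '2026-06-24T10:00:01Z 203.0.113.7 -> 10.0.0.5:8443 "GET /api/../../../etc/passwd HTTP/1.1" 404',
    # Test 2: URL-encoded traversal
    '2026-06-24T10:00:05Z 203.0.113.7 -> 10.0.0.5:8443 "GET /api/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403',
    # Test 3: double-encoded traversal
    '2026-06-24T10:00:09Z 198.51.100.20 -> 10.0.0.5:443 "GET /api/..%252f..%252fdata/unifi HTTP/1.1" 200',
] + [
    # Test 4: scanner burst, six distinct payloads within six seconds
    f'2026-06-24T10:05:{s:02d}Z 192.0.2.99 -> 10.0.0.5:8443 "GET /{p} HTTP/1.1" 404'
    for s, p in enumerate(["../../proc/self/environ", "..%5c..%5cwindows", "%2e%2e/%2e%2e/etc/passwd",
                           "....//....//etc/passwd", ".%2e/.%2e/var/log", "%252e%252e%252fetc%252fpasswd"])
] + [
    # Benign UniFi API traffic: must not be flagged
    '2026-06-24T10:00:02Z 10.0.0.50 -> 10.0.0.5:8443 "GET /api/s/default/stat/device HTTP/1.1" 200',
    '2026-06-24T10:00:03Z 10.0.0.51 -> 10.0.0.5:8443 "GET /manage/site/default/dashboard HTTP/1.1" 200',
    # Traversal against a non-UniFi port: out of scope for this rule
    '2026-06-24T10:00:04Z 203.0.113.8 -> 10.0.0.9:9000 "GET /../../etc/passwd HTTP/1.1" 404',
]

if __name__ == "__main__":
    for r in detect(SAMPLE_LOGS):
        print(r["src"], r["port"], r["count"], "burst" if r["scanner_burst"] else "", r["samples"])
```

Running the block lists three rows: the scanner source first with six hits and the burst flag, the two-request probe second, and the double-encoded request third; the benign API calls and the port-9000 request produce no rows. The same payloads are what Tests 1 to 4 should make the SIEM query fire on.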