Detect Ubiquiti UniFi OS Path Traversal Exploitation Attempt in Google Chronicle
Detects exploitation attempts targeting CVE-2026-34909, a path traversal vulnerability (CWE-22) in Ubiquiti UniFi OS. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to traverse directory boundaries to access sensitive files or execute unauthorized actions on UniFi network management devices.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2026_34909_unifi_path_traversal {
meta:
author = "df00tech Detection Engineering"
description = "Detects path traversal exploitation attempts against Ubiquiti UniFi OS (CVE-2026-34909)"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-34909"
tags = "cve-2026-34909, path-traversal, unifi, ubiquiti, kev"
events:
$e.metadata.event_type = "NETWORK_HTTP"
$e.network.http.method != ""
$e.target.port in (80, 443, 8080, 8443)
(
re.regex($e.network.http.request_url, `(\.{2}[\/]|\.\.%2[Ff]|\.\.%5[Cc]|%2[Ee]%2[Ee]%2[Ff]|%252[Ff])`) or
re.regex($e.network.http.request_url, `(%2e%2e|%252e%252e)`) or
re.regex($e.network.http.request_url, `(etc/passwd|etc/shadow|data/unifi|opt/unifi|proc/self)`) nocase
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting HTTP path traversal patterns targeting UniFi OS management ports, matching known traversal encoding variants.
Data Sources
Required Tables
False Positives & Tuning
- Authorized vulnerability assessment tools generating traversal payloads during scheduled scans
- Internal security tooling testing WAF rules against network devices
- Misconfigured clients sending malformed requests to UniFi management APIs
- Red team simulations using path traversal payloads as part of sanctioned exercises
Other platforms for CVE-2026-34909
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Basic Path Traversal Probe Against UniFi OS Management Interface
Expected signal: HTTP request log entry on the UniFi device or upstream proxy showing the traversal sequence in the URL. Network flow record for destination port 8443 from the test source IP.
- Test 2URL-Encoded Path Traversal Bypass Attempt
Expected signal: HTTP request containing URL-encoded traversal sequence `%2e%2e%2f` captured in proxy or IDS logs. Detection should fire on both raw and decoded URL fields.
- Test 3Double-Encoded Traversal Sequence for WAF Bypass Simulation
Expected signal: HTTP request log entry containing `%252f` in the URL, captured by proxy or WAF logs upstream of the UniFi device.
- Test 4Automated Path Traversal Scan Using Nuclei
Expected signal: Multiple rapid HTTP requests to port 8443 containing various traversal payloads in quick succession, consistent with scanner behavior. Source IP generates a burst of traversal-pattern requests within seconds.
References (4)
- https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-34909
Unlock Pro Content
Get the full detection package for CVE-2026-34909 including response playbook, investigation guide, and atomic red team tests.