Detect Ubiquiti UniFi OS Path Traversal Exploitation Attempt in Microsoft Sentinel
Detects exploitation attempts targeting CVE-2026-34909, a path traversal vulnerability (CWE-22) in Ubiquiti UniFi OS. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to traverse directory boundaries to access sensitive files or execute unauthorized actions on UniFi network management devices.
MITRE ATT&CK
KQL Detection Query
union CommonSecurityLog, W3CIISLog
| where TimeGenerated >= ago(7d)
| where RequestURL has_any ("../", "..%2F", "..%5C", "%2e%2e%2f", "%2e%2e/", "..%252f", ".%2e/", "%2e./")
or RequestURL matches regex @"(\.{2}[/\\]){2,}"
| where DeviceVendor has_any ("Ubiquiti", "UniFi") or ApplicationProtocol has_any ("HTTPS", "HTTP")
| where DestinationPort in (443, 80, 8080, 8443)
| extend DecodedURL = url_decode(RequestURL)
| where DecodedURL has_any ("../", "/etc/passwd", "/etc/shadow", "/proc/", "/var/log", "/data/unifi")
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DecodedURL, RequestMethod, ResponseCode, DeviceVendor, DeviceProduct
| summarize AttemptCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), URLSamples = make_set(DecodedURL, 5) by SourceIP, DestinationIP, DestinationPort
| where AttemptCount >= 1
| order by AttemptCount descDetects HTTP requests containing path traversal sequences targeting Ubiquiti UniFi OS devices. Looks for URL-encoded and plain traversal patterns in web logs.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate security scanners or vulnerability assessment tools running against UniFi infrastructure
- Penetration testing activities authorized against network infrastructure
- Web application firewall rule testing generating traversal payloads in test environments
- Automated backup or monitoring agents accessing file paths that superficially resemble traversal patterns
Other platforms for CVE-2026-34909
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Basic Path Traversal Probe Against UniFi OS Management Interface
Expected signal: HTTP request log entry on the UniFi device or upstream proxy showing the traversal sequence in the URL. Network flow record for destination port 8443 from the test source IP.
- Test 2URL-Encoded Path Traversal Bypass Attempt
Expected signal: HTTP request containing URL-encoded traversal sequence `%2e%2e%2f` captured in proxy or IDS logs. Detection should fire on both raw and decoded URL fields.
- Test 3Double-Encoded Traversal Sequence for WAF Bypass Simulation
Expected signal: HTTP request log entry containing `%252f` in the URL, captured by proxy or WAF logs upstream of the UniFi device.
- Test 4Automated Path Traversal Scan Using Nuclei
Expected signal: Multiple rapid HTTP requests to port 8443 containing various traversal payloads in quick succession, consistent with scanner behavior. Source IP generates a burst of traversal-pattern requests within seconds.
References (4)
- https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-34909
Unlock Pro Content
Get the full detection package for CVE-2026-34909 including response playbook, investigation guide, and atomic red team tests.