CVE-2026-34909 Splunk · SPL

Detect Ubiquiti UniFi OS Path Traversal Exploitation Attempt in Splunk

Detects exploitation attempts targeting CVE-2026-34909, a path traversal vulnerability (CWE-22) in Ubiquiti UniFi OS. The vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, i.e. it is actively exploited in the wild, and lets an attacker escape the intended directory to read sensitive files or perform unauthorized actions on UniFi network management devices.

MITRE ATT&CK

Tactics: Initial Access, Defense Evasion, Discovery

SPL Detection Query

index=network OR index=proxy OR index=ids sourcetype IN ("cisco:asa", "pan:traffic", "stream:http", "suricata", "zeek:http", "nginx:access", "iis")
| eval uri=coalesce(uri, url, cs_uri_stem)
| eval decoded_uri=urldecode(uri)
| where match(uri, "(\.\.\/|\.\.%2[Ff]|\.\.%5[Cc]|%2[Ee]%2[Ee]|%252[Ff])")
   OR match(decoded_uri, "(\.\./){2,}")
   OR match(decoded_uri, "(/etc/passwd|/etc/shadow|/proc/|/var/log|/data/unifi|/opt/unifi)")
| eval dest_port=tonumber(coalesce(dest_port, dpt))
| where dest_port IN (80, 443, 8080, 8443)
| stats count AS attempt_count, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(decoded_uri) AS url_samples BY src_ip, dest_ip, dest_port
| eval severity="critical"
| sort -attempt_count

Severity: critical · Confidence: high

Searches proxy, IDS, and web server logs for path traversal patterns aimed at the UniFi OS HTTP/HTTPS ports (80, 443, 8080, 8443). The first match() runs against the raw URI so that single-encoded (`%2e%2e%2f`) and double-encoded (`%252f`) sequences are caught before any decoding; the second and third run against the urldecode()'d URI to catch repeated `../` and references to sensitive paths. urldecode() performs a single pass, so a double-encoded payload is caught only by the raw-field pattern. The URI field name differs between sourcetypes (`uri`, `url`, `cs_uri_stem`) and must be mapped to your own field extractions; firewall traffic sourcetypes such as cisco:asa and pan:traffic carry no URI and will never match. The query alerts on a single matching request; raise the threshold on attempt_count if lone requests from scanners generate too much noise.

Data Sources

  • Proxy logs
  • IDS/IPS logs
  • Zeek HTTP logs
  • Web server access logs
  • Suricata alerts

Required Sourcetypes

  • stream:http
  • zeek:http
  • suricata
  • pan:traffic
  • nginx:access

False Positives & Tuning

  • Authorized vulnerability scans using tools like Nessus or Qualys targeting UniFi devices
  • Security researchers conducting authorized assessments of UniFi infrastructure
  • Broken client applications with malformed URL construction that incidentally produce traversal-like strings
  • WAF or IDS test rules that replay captured exploit payloads in a safe environment

Testing Methodology

Validate this detection against the four adversary techniques below, adapted from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Basic Path Traversal Probe Against UniFi OS Management Interface

    Expected signal: HTTP request log entry on the UniFi device or upstream proxy showing the traversal sequence in the URL, and a network flow record for destination port 8443 from the test source IP.

  2. Test 2: URL-Encoded Path Traversal Bypass Attempt

    Expected signal: HTTP request containing the URL-encoded traversal sequence `%2e%2e%2f` captured in proxy or IDS logs. The detection should fire on both the raw field (via the `%2[Ee]%2[Ee]` alternative) and the decoded field (via the repeated `../` pattern).

  3. Test 3: Double-Encoded Traversal Sequence for WAF Bypass Simulation

    Expected signal: HTTP request log entry containing `%252f` in the URL, captured by proxy or WAF logs upstream of the UniFi device. A single urldecode() turns `%252f` into `%2f`, not `/`, so this test exercises only the raw-field `%252[Ff]` alternative; the decoded-field patterns will not fire.

  4. Test 4: Automated Path Traversal Scan Using Nuclei

    Expected signal: Multiple rapid HTTP requests to port 8443 containing various traversal payloads in quick succession, consistent with scanner behavior. The source IP generates a burst of traversal-pattern requests within seconds and should surface with a high attempt_count.
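To check the matching logic of the SPL query and the four tests above without a Splunk instance, the following Python script is added here as an editorial example; it is not part of the original detection package. It transcribes the query's three regexes and port list, runs them over constructed access-log lines (a simplified layout, not real UniFi OS telemetry) covering each test, and aggregates hits per source the way the query's stats command does. The normalize() and classify_extended() functions are an extension beyond the page's SPL: they decode a second time and fold backslashes, which shows that a double-encoded backslash sequence such as `..%255c` is missed by a single urldecode() pass.

```python
"""Offline replay of the SPL query's matching logic over constructed log lines.

The three regexes and the port list are transcribed from the SPL above so the
patterns can be checked before the saved search is deployed.  The log lines
are constructed samples in a simplified access-log layout (not real UniFi OS
telemetry).  normalize() and classify_extended() go beyond the page's query:
they decode a second time and fold backslashes, which the SPL does not do.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Transcribed from the SPL: raw-field pattern (first match()).
RAW_TRAVERSAL = re.compile(r"(\.\./|\.\.%2[Ff]|\.\.%5[Cc]|%2[Ee]%2[Ee]|%252[Ff])")
# Transcribed from the SPL: patterns applied to the once-decoded URI.
DECODED_TRAVERSAL = re.compile(r"(\.\./){2,}")
SENSITIVE_PATHS = re.compile(r"(/etc/passwd|/etc/shadow|/proc/|/var/log|/data/unifi|/opt/unifi)")
# Extension (not in the SPL): accept '\' as well as '/' as the separator.
DECODED_TRAVERSAL_ANYSEP = re.compile(r"(\.\.[\\/]){2,}")
UNIFI_PORTS = {80, 443, 8080, 8443}  # same list as the SPL's dest_port filter

# Constructed layout: src_ip - - [time] "METHOD URI PROTO" status bytes dest_port
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<port>\d+)$'
)


def classify(uri, dest_port):
    """Mirror the SPL: list the branches that fire for one request (empty = no alert)."""
    hits = []
    if dest_port not in UNIFI_PORTS:  # the SPL drops other ports before stats
        return hits
    if RAW_TRAVERSAL.search(uri):
        hits.append("raw")
    decoded = unquote(uri)  # SPL's urldecode(): a single pass
    if DECODED_TRAVERSAL.search(decoded):
        hits.append("decoded_traversal")
    if SENSITIVE_PATHS.search(decoded):
        hits.append("sensitive_path")
    return hits


def normalize(uri, passes=2):
    """Decode up to `passes` times (stopping when stable) and fold backslashes to '/'.
    This is an extension of the page's logic, not part of the SPL query."""
    out = uri
    for _ in range(passes):
        nxt = unquote(out)
        if nxt == out:
            break
        out = nxt
    return out.replace("\\", "/")


def classify_extended(uri, dest_port):
    """Same branches as classify(), but evaluated on the normalized URI (extension)."""
    hits = []
    if dest_port not in UNIFI_PORTS:
        return hits
    if RAW_TRAVERSAL.search(uri):
        hits.append("raw")
    norm = normalize(uri)
    if DECODED_TRAVERSAL_ANYSEP.search(norm):
        hits.append("decoded_traversal")
    if SENSITIVE_PATHS.search(norm):
        hits.append("sensitive_path")
    return hits


def stats_by_source(log_text, classifier=classify):
    """Equivalent of the SPL's stats: count and URL samples per (src_ip, dest_port)."""
    agg = defaultdict(lambda: {"count": 0, "url_samples": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, as a failed field extraction would be
        port = int(m["port"])
        if classifier(m["uri"], port):
            key = (m["src"], port)
            agg[key]["count"] += 1
            agg[key]["url_samples"].append(unquote(m["uri"]))
    return dict(agg)


# Constructed sample traffic: one line per test above, plus two non-matching requests.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /api/../../../../etc/passwd HTTP/1.1" 403 0 8443
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /api/%2e%2e%2f%2e%2e%2fetc/shadow HTTP/1.1" 403 0 8443
203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /api/%252e%252e%252f%252e%252e%252fdata/unifi HTTP/1.1" 403 0 8443
198.51.100.9 - - [01/Jan/2026:10:00:03 +0000] "GET /api/..%255c..%255cetc/passwd HTTP/1.1" 403 0 8443
192.0.2.5 - - [01/Jan/2026:10:00:04 +0000] "GET /manage/account/login?redirect=%2Fmanage HTTP/1.1" 200 1024 8443
203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /api/../../etc/passwd HTTP/1.1" 403 0 9443
"""

if __name__ == "__main__":
    for name, clf in (("spl", classify), ("extended", classify_extended)):
        for (src, port), row in sorted(stats_by_source(SAMPLE_LOG, clf).items()):
            print(f"{name:8} {src:>14}:{port} attempts={row['count']} samples={row['url_samples']}")
```

Run directly, the script prints the aggregated rows for both the SPL-faithful and the extended classifier: 203.0.113.7 appears in both with three attempts (the request to port 9443 is dropped by the port filter, as in the query), the benign login request never appears, and 198.51.100.9 with the `..%255c` payload appears only in the extended output. The Splunk equivalent of that widening is a second urldecode() pass and a replace() of backslashes before the decoded-field match() calls.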
