CVE-2026-34910

Ubiquiti UniFi OS Improper Input Validation Vulnerability (CVE-2026-34910)

Initial Access Execution Lateral Movement Last updated:

Detects exploitation attempts targeting CVE-2026-34910, an improper input validation vulnerability in Ubiquiti UniFi OS. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog and allows attackers to send malformed or unexpected input to UniFi OS network management interfaces, potentially leading to unauthorized access, command execution, or device compromise. UniFi OS powers a wide range of Ubiquiti network devices including Dream Machines, Cloud Keys, and network switches used in enterprise and SMB environments.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Ubiquiti
Product
UniFi OS

Weakness (CWE)

CWE-20

Timeline

Disclosed
June 23, 2026

CVSS

Unscored
Read the write-up →

What is CVE-2026-34910 Ubiquiti UniFi OS Improper Input Validation Vulnerability (CVE-2026-34910)?

Ubiquiti UniFi OS Improper Input Validation Vulnerability (CVE-2026-34910) (CVE-2026-34910) maps to the Initial Access and Execution and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Ubiquiti UniFi OS Improper Input Validation Vulnerability (CVE-2026-34910), covering the data sources and telemetry it touches: CommonSecurityLog, DeviceNetworkEvents, AzureFirewallApplicationRule. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement
Microsoft Sentinel / Defender
kusto 
let UniFiPorts = dynamic([443, 8443, 8080, 80]);
let SuspiciousPatterns = dynamic(["../", "..%2f", "..%2F", "%00", "<script", "';--", "union select", "exec(", "eval(", "cmd=", "command=", "ping -c", "wget ", "curl "]);
union DeviceNetworkEvents, CommonSecurityLog
| where TimeGenerated > ago(24h)
| where (DeviceName contains "unifi" or DeviceName contains "ubiquiti" or DeviceVendor contains "Ubiquiti" or DestinationPort in (UniFiPorts))
| where RequestURL has_any (SuspiciousPatterns) or RequestContext has_any (SuspiciousPatterns) or AdditionalExtensions has_any (SuspiciousPatterns)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, RequestMethod, ResponseCode, DeviceName, DeviceVendor
| summarize AttemptCount=count(), DistinctURLs=dcount(RequestURL), SampleURLs=make_set(RequestURL, 5) by SourceIP, DestinationIP, bin(TimeGenerated, 5m)
| where AttemptCount > 3
| order by AttemptCount desc

Detects suspicious HTTP/HTTPS requests to Ubiquiti UniFi OS management interfaces containing input validation bypass patterns such as path traversal sequences, injection strings, or malformed parameters indicative of CVE-2026-34910 exploitation.

critical severity medium confidence

Data Sources

CommonSecurityLog DeviceNetworkEvents AzureFirewallApplicationRule

Required Tables

CommonSecurityLog DeviceNetworkEvents

False Positives

  • Legitimate administrative scripts that probe UniFi device APIs with complex query parameters
  • Vulnerability scanners (Nessus, Qualys, Tenable) performing authorized assessments against UniFi infrastructure
  • Penetration testing activities targeting UniFi devices under authorized engagements
  • URL-encoded characters in legitimate administrative traffic from UniFi mobile apps or controllers

Sigma rule & cross-platform mapping

The detection logic for Ubiquiti UniFi OS Improper Input Validation Vulnerability (CVE-2026-34910) (CVE-2026-34910) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-34910 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-34910

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-24 Research depth: standard
References (4)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-34910 Path Traversal Probe Against UniFi OS API

    Expected signal: HTTP requests with path traversal sequences ('../', '%2f') in URL paths to port 443 should appear in web proxy logs, firewall logs, and IDS/IPS alerts

  2. Test 2CVE-2026-34910 Command Injection Parameter Fuzzing

    Expected signal: HTTP GET requests containing command injection strings (cmd=, command=, exec(), eval()) in query parameters to port 8443 visible in network logs

  3. Test 3CVE-2026-34910 Authenticated API Manipulation with Malformed Input

    Expected signal: POST/PUT requests with SQL injection and command injection strings in JSON body fields to UniFi OS API endpoints; authentication attempts with malformed username fields

Unlock Pro Content

Get the full detection package for CVE-2026-34910 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1133External Remote ServicesT1021.004SSH

Same Tactic: Initial Access

Popular Detections