CVE-2026-34910 Elastic Security · Elastic

Detect Ubiquiti UniFi OS Improper Input Validation Vulnerability (CVE-2026-34910) in Elastic Security

Detects exploitation attempts targeting CVE-2026-34910, an improper input validation vulnerability in Ubiquiti UniFi OS. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog and allows attackers to send malformed or unexpected input to UniFi OS network management interfaces, potentially leading to unauthorized access, command execution, or device compromise. UniFi OS powers a wide range of Ubiquiti network devices including Dream Machines, Cloud Keys, and network switches used in enterprise and SMB environments.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where destination.port in (443, 8443, 8080, 80)
   and (
     url.path like~ "*../*" or
     url.path like~ "*..%2f*" or
     url.path like~ "*%00*" or
     url.query like~ "*union+select*" or
     url.query like~ "*exec(*" or
     url.query like~ "*cmd=*" or
     url.query like~ "*command=*" or
     url.query like~ "*wget+*" or
     url.query like~ "*curl+*"
   )
  ] with runs=3
critical severity medium confidence

Uses EQL sequence detection to identify repeated suspicious input patterns targeting UniFi OS management ports within a 5-minute window, filtering for known exploitation strings associated with CVE-2026-34910.

Data Sources

Elastic Network EventsPacketbeatZeek Integration

Required Tables

logs-network.*logs-zeek.*packetbeat-*

False Positives & Tuning

  • Automated network monitoring tools generating repeated probe requests
  • Load balancer health checks with URL-encoded special characters
  • SIEM or SOAR playbooks that perform repeated API calls with complex parameters
  • Misconfigured web crawlers indexing UniFi management interfaces

Other platforms for CVE-2026-34910

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-34910 Path Traversal Probe Against UniFi OS API

    Expected signal: HTTP requests with path traversal sequences ('../', '%2f') in URL paths to port 443 should appear in web proxy logs, firewall logs, and IDS/IPS alerts

  2. Test 2CVE-2026-34910 Command Injection Parameter Fuzzing

    Expected signal: HTTP GET requests containing command injection strings (cmd=, command=, exec(), eval()) in query parameters to port 8443 visible in network logs

  3. Test 3CVE-2026-34910 Authenticated API Manipulation with Malformed Input

    Expected signal: POST/PUT requests with SQL injection and command injection strings in JSON body fields to UniFi OS API endpoints; authentication attempts with malformed username fields

Last updated: 2026-06-24 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-34910 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1133External Remote ServicesT1021.004SSH

Same Tactic: Initial Access

Popular Detections