CVE-2026-34910 CrowdStrike LogScale · LogScale

Detect Ubiquiti UniFi OS Improper Input Validation Vulnerability (CVE-2026-34910) in CrowdStrike LogScale

Detects exploitation attempts targeting CVE-2026-34910, an improper input validation vulnerability in Ubiquiti UniFi OS. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog and allows attackers to send malformed or unexpected input to UniFi OS network management interfaces, potentially leading to unauthorized access, command execution, or device compromise. UniFi OS powers a wide range of Ubiquiti network devices including Dream Machines, Cloud Keys, and network switches used in enterprise and SMB environments.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=NetworkConnectIP4 OR #event_simpleName=HttpRequest
| TargetPort in [443, 8443, 8080, 80]
| HttpPath matches regex(?i) "(\.\./|\.\.%2[Ff]|%00|union.{0,10}select|exec\(|eval\(|cmd=|command=|wget\s|curl\s)"
| HostnameField matches regex(?i) "(unifi|ubnt|ubiquiti|udm|usg|dream.machine)"
| groupBy([RemoteAddressIP4, LocalAddressIP4, TargetPort, HttpPath], function=count(1, as=AttemptCount))
| AttemptCount > 3
| sort(AttemptCount, order=desc)
critical severity medium confidence

CrowdStrike Falcon LogScale query identifying HTTP requests containing input validation exploitation patterns directed at Ubiquiti UniFi OS management interfaces on known management ports.

Data Sources

CrowdStrike Falcon Network TelemetryHTTP Request Events

Required Tables

NetworkConnectIP4HttpRequest

False Positives & Tuning

  • CrowdStrike sensor telemetry from authorized penetration tests against UniFi equipment
  • Automated provisioning systems managing UniFi devices with API calls containing encoded parameters
  • Network operations center tools that monitor UniFi management interfaces with complex queries
  • Cloud-hosted UniFi controllers generating internal API traffic with URL-encoded characters

Other platforms for CVE-2026-34910

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-34910 Path Traversal Probe Against UniFi OS API

    Expected signal: HTTP requests with path traversal sequences ('../', '%2f') in URL paths to port 443 should appear in web proxy logs, firewall logs, and IDS/IPS alerts

  2. Test 2CVE-2026-34910 Command Injection Parameter Fuzzing

    Expected signal: HTTP GET requests containing command injection strings (cmd=, command=, exec(), eval()) in query parameters to port 8443 visible in network logs

  3. Test 3CVE-2026-34910 Authenticated API Manipulation with Malformed Input

    Expected signal: POST/PUT requests with SQL injection and command injection strings in JSON body fields to UniFi OS API endpoints; authentication attempts with malformed username fields

Last updated: 2026-06-24 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-34910 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1133External Remote ServicesT1021.004SSH

Same Tactic: Initial Access

Popular Detections