Detect Ubiquiti UniFi OS Improper Input Validation Vulnerability (CVE-2026-34910) in IBM QRadar
Detects exploitation attempts targeting CVE-2026-34910, an improper input validation vulnerability in Ubiquiti UniFi OS. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog and allows attackers to send malformed or unexpected input to UniFi OS network management interfaces, potentially leading to unauthorized access, command execution, or device compromise. UniFi OS powers a wide range of Ubiquiti network devices including Dream Machines, Cloud Keys, and network switches used in enterprise and SMB environments.
MITRE ATT&CK
QRadar Detection Query
SELECT sourceip, destinationip, destinationport, URL, "HTTP Method", "HTTP Response Code", LOGSOURCENAME(logsourceid) AS log_source, COUNT(*) AS attempt_count
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Palo Alto PA Series', 'Juniper SRX', 'Check Point FireWall-1', 'Snort', 'Suricata')
AND destinationport IN (443, 8443, 8080, 80)
AND (
URL ILIKE '%../%'
OR URL ILIKE '%..%2f%'
OR URL ILIKE '%..%2F%'
OR URL ILIKE '%cmd=%'
OR URL ILIKE '%command=%'
OR URL ILIKE '%union%select%'
OR URL ILIKE '%exec(%'
OR URL ILIKE '%eval(%'
OR URL ILIKE '%wget %'
OR URL ILIKE '%curl %'
OR URL ILIKE '%%00%'
)
AND LOGSOURCENAME(logsourceid) ILIKE '%unifi%'
OR (
destinationip IN (SELECT destinationip FROM events WHERE LOGSOURCENAME(logsourceid) ILIKE '%ubiquiti%' LAST 7 DAYS)
)
GROUP BY sourceip, destinationip, destinationport, URL, "HTTP Method", "HTTP Response Code", log_source
HAVING attempt_count > 3
ORDER BY attempt_count DESC
LAST 24 HOURSQRadar AQL query to detect suspicious HTTP requests against Ubiquiti UniFi OS devices by correlating input validation bypass patterns against known UniFi management ports and device identifiers.
Data Sources
Required Tables
False Positives & Tuning
- Authorized penetration tests logged by SIEM during scheduled assessment windows
- Security information management tools aggregating device API data with complex query strings
- Network performance monitoring solutions that probe device interfaces with parameter-heavy requests
- Backup and configuration management tools accessing UniFi APIs with encoded credentials
Other platforms for CVE-2026-34910
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-34910 Path Traversal Probe Against UniFi OS API
Expected signal: HTTP requests with path traversal sequences ('../', '%2f') in URL paths to port 443 should appear in web proxy logs, firewall logs, and IDS/IPS alerts
- Test 2CVE-2026-34910 Command Injection Parameter Fuzzing
Expected signal: HTTP GET requests containing command injection strings (cmd=, command=, exec(), eval()) in query parameters to port 8443 visible in network logs
- Test 3CVE-2026-34910 Authenticated API Manipulation with Malformed Input
Expected signal: POST/PUT requests with SQL injection and command injection strings in JSON body fields to UniFi OS API endpoints; authentication attempts with malformed username fields
References (4)
- https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-34910
Unlock Pro Content
Get the full detection package for CVE-2026-34910 including response playbook, investigation guide, and atomic red team tests.