Detect Ubiquiti UniFi OS Improper Input Validation Vulnerability (CVE-2026-34910) in Splunk
Detects exploitation attempts targeting CVE-2026-34910, an improper input validation vulnerability in Ubiquiti UniFi OS. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog and allows attackers to send malformed or unexpected input to UniFi OS network management interfaces, potentially leading to unauthorized access, command execution, or device compromise. UniFi OS powers a wide range of Ubiquiti network devices including Dream Machines, Cloud Keys, and network switches used in enterprise and SMB environments.
MITRE ATT&CK
SPL Detection Query
index=* (sourcetype="cisco:asa" OR sourcetype="pan:traffic" OR sourcetype="stream:http" OR sourcetype="suricata" OR sourcetype="zeek_http")
| where (dest_port IN (443, 8443, 8080, 80) OR uri_path="*/api/*" OR uri_path="*/proxy/*")
| eval suspicious_input=if(match(uri_path, "(\.\./|\.\.%2[Ff]|%00|<script|union\s+select|exec\(|eval\(|cmd=|command=|ping\s+-c|wget\s|curl\s)"), 1, 0)
| where suspicious_input=1
| eval device_hint=if(match(host, "(?i)(unifi|ubnt|ubiquiti|udm|usg|dream)") OR match(dest, "(?i)(unifi|ubnt|ubiquiti)"), "UniFi-Device", "Unknown")
| stats count AS attempt_count, dc(uri_path) AS distinct_paths, values(uri_path) AS sample_paths, values(http_method) AS methods by src_ip, dest_ip, dest_port, device_hint
| where attempt_count > 3
| sort - attempt_countDetects input validation exploitation attempts against Ubiquiti UniFi OS by identifying HTTP requests containing path traversal, injection, and command execution patterns directed at common UniFi management ports.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized vulnerability scanning tools performing scheduled assessments
- Legitimate URL-encoded parameters in UniFi mobile controller application traffic
- Network monitoring tools that generate synthetic traffic for device health checks
- Security researchers with authorized access performing CVE validation testing
Other platforms for CVE-2026-34910
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-34910 Path Traversal Probe Against UniFi OS API
Expected signal: HTTP requests with path traversal sequences ('../', '%2f') in URL paths to port 443 should appear in web proxy logs, firewall logs, and IDS/IPS alerts
- Test 2CVE-2026-34910 Command Injection Parameter Fuzzing
Expected signal: HTTP GET requests containing command injection strings (cmd=, command=, exec(), eval()) in query parameters to port 8443 visible in network logs
- Test 3CVE-2026-34910 Authenticated API Manipulation with Malformed Input
Expected signal: POST/PUT requests with SQL injection and command injection strings in JSON body fields to UniFi OS API endpoints; authentication attempts with malformed username fields
References (4)
- https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-34910
Unlock Pro Content
Get the full detection package for CVE-2026-34910 including response playbook, investigation guide, and atomic red team tests.