Thursday, June 4, 2026

How Unifi OS exploitation may have happened

Note: if images or formatting are broken, blame Blogger.


 

(screenshot from Discord)

 

What's going on?

Last week, while I was on break doing training, I saw a Reddit post about someone's UniFi having an account added: an admin user "John Sim" was added to and then removed from their device.

In the replies, other people said this had happened to them as well. I was going to look into this and maybe even set up a honeypot, but I didn't have time.

 

Post: https://www.reddit.com/r/Ubiquiti/comments/1tnygst/super_admin_added_whilst_on_holiday/

 

Today I saw another post about this activity (the post is about a week old, but I saw it today).

This new post had URI info for the attack, though I'm not sure it lists all the URLs from their logs.

 

Post: https://www.reddit.com/r/Ubiquiti/comments/1tp9san/aidriven_campaign_appears_to_be_targeting/

 

Ubiquiti post about multiple vulnerabilities: https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b

For affected products, it says: UniFi OS Server (Version 5.0.6 and earlier)

 

The setup

I actually didn't find a 5.0.6 version for the UDR7, and I didn't want to go lower. I had just reset and rebuilt my whole network.

I found UniFi OS Server for Windows at version 5.0.6, and installation was easy, so I went with that.

Download page: https://ui.com/download/software/unifi-os-server

This is what I installed: UniFi OS Server 5.0.6 for Windows (x64)

So I have UniFi OS Server 5.0.6 running for testing, plus my UDR7 with the latest updates and SSH access (this comes in handy later).


Research

Skip to the Exploitation section at the bottom if you don't care about my methodology and extra commentary.

 

I believe I'm looking at CVE-2026-34909: "A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account." (source: Ubiquiti advisory)

 

I started by going to /proxy/users/public/avatar/x?filename=../../../../data/unifi-core/config/jwt.yaml

This gets me the JWT secret.

 

Next I logged into UniFi OS to see what the auth activity looks like, and there is the JWT token!

 

JWT.io was used for decoding. The decoded data looks like this:

 

The next URI in the Reddit post is /api/auth/validate-sso/../../../proxy/users/api/v2/identity/user/owner/credential, where the attacker gets a 200 response.

I visited the URL and did not get a 200.

 

At this point, I started modifying the JWT token.

I noticed that the jti and csrfToken fields didn't matter. The exp field can be anything in the future; it's an epoch timestamp. userId needed to be correct, and the same goes for passwordRevision.

I crafted a new JWT token and tried it against the validate-sso URI, and it worked!

 

 

Now I'm wondering: how did the threat actor get legitimate userId and passwordRevision data?

The Reddit post didn't mention anything else.

I SSH'ed into my UDR7, went to the directory the jwt.yaml file came from, and started looking for passwordRevision and userId.

I found that there is a JSON file that contains passwordRevision. The unique_id you see is the userId.

 

 

I sent a request to /proxy/users/public/avatar/x?filename=../../../../data/unifi-core/config/cache/users.json. This is the second use of that traversal vuln, without an auth token.

This gets us everything we need. With the JWT secret and this data, we can craft the correct token.

 

 

What about adding users?

This is what a legitimate user-addition request looks like:

 

Can we add users with the JWT token we crafted?

Yes! Just make sure that the CSRF token in your request matches the token in your JWT.

 

 

  

Exploitation

Here's what the process looks like from the testing I've done.

1. Request jwt.yaml and extract the secret.

2. Request users.json and extract unique_id and password_revision for the admin.

3. Create a valid JWT token.

4. Use the token to send a request to the validate-sso/credential URI and check for a 200!
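As an added detection example (my code, not from the original post): a small Python log scanner that flags the request patterns described above in web-server access logs and reports which source IPs completed both halves of the chain (a config-file read followed by a 200 on the credential endpoint). It assumes a combined access-log format, which is an assumption on my part; the post does not show what UniFi OS logs look like. The sample log lines are constructed for this example.

```python
import posixpath
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined access-log format. They are made up for
# this example; the real UniFi OS log format is not shown in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2026:10:00:01 +0000] "GET /proxy/users/public/avatar/x?filename=../../../../data/unifi-core/config/jwt.yaml HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jun/2026:10:00:02 +0000] "GET /proxy/users/public/avatar/x?filename=..%2F..%2F..%2F..%2Fdata%2Funifi-core%2Fconfig%2Fcache%2Fusers.json HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jun/2026:10:00:05 +0000] "GET /api/auth/validate-sso/../../../proxy/users/api/v2/identity/user/owner/credential HTTP/1.1" 200 300 "-" "python-requests/2.31"
192.168.1.20 - - [01/Jun/2026:10:01:00 +0000] "GET /proxy/users/public/avatar/x?filename=avatar.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Jun/2026:10:01:05 +0000] "POST /api/auth/login HTTP/1.1" 200 150 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Config files named in the post, and the endpoint the forged token was used against.
SENSITIVE_FILES = ("jwt.yaml", "users.json")
CREDENTIAL_PATH = "/proxy/users/api/v2/identity/user/owner/credential"


def has_dot_segment(value: str) -> bool:
    """True if any '/'- or '\\'-separated segment of value is '..'."""
    return any(seg == ".." for seg in value.replace("\\", "/").split("/"))


def analyze_line(line: str) -> Optional[Dict]:
    """Return a finding for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so single- and double-encoded dot segments (%2e, %252e) are both seen.
    target = unquote(unquote(m["target"]))
    parts = urlsplit(target)
    reasons: List[str] = []
    if has_dot_segment(parts.path):
        reasons.append("dot-segment in path")
        # Collapse the dot segments to see which endpoint the path actually resolves to.
        if posixpath.normpath(parts.path) == CREDENTIAL_PATH:
            reasons.append("credential endpoint reached via dot segments")
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if any(has_dot_segment(v) for v in values):
            reasons.append(f"dot-segment in query parameter '{key}'")
    if any(name in target for name in SENSITIVE_FILES):
        reasons.append("references a config file named in the post")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "target": m["target"], "reasons": reasons}


def scan(log_text: str) -> List[Dict]:
    """Run analyze_line over every line and keep the findings, in log order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


def chained_ips(findings: List[Dict]) -> Set[str]:
    """IPs that both read a named config file (200) and reached the credential
    endpoint (200): the two halves of the chain described in the post."""
    stages = defaultdict(set)
    for f in findings:
        if f["status"] != 200:
            continue
        if any("config file" in r for r in f["reasons"]):
            stages[f["ip"]].add("file")
        if any("credential endpoint" in r for r in f["reasons"]):
            stages[f["ip"]].add("cred")
    return {ip for ip, seen in stages.items() if seen == {"file", "cred"}}


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f["ip"], f["status"], f["target"], "->", "; ".join(f["reasons"]))
    print("chained:", chained_ips(findings))
```

The scanner normalises before matching: percent-decoding is applied twice and dot segments are collapsed with posixpath.normpath, so an encoded or oddly routed variant of the same request is reported the same way as the literal URIs quoted in the post. A 403 or 404 on these paths is still worth seeing (it shows someone probing), which is why every finding is kept and only chained_ips filters on status 200.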

 

 

 

 

End

I'm not exactly sure this is the exact method the threat actor was using. I don't have a honeypot, and I don't have logs or forensic data either. I don't know of anyone who can replicate this for me either.

The Ubiquiti security advisory lists multiple vulns, so there might be more going on.

I'm not sure how many people have a vulnerable UniFi OS exposed to the internet. Obviously, the people on Reddit who got compromised did, but I feel like there shouldn't be too many vulnerable setups out there. Who knows.

Someone (not me) should probably make a nuclei template for this.

 

Thanks to https://github.com/InfosecExtra for bouncing around ideas. 

 

Tuesday, June 2, 2026

Use of MQTT in malware part 2: quick analysis

 
Note: I've had limited time to work on this. I took some time off to finish some training, but I wanted to finish this project as well since it's been sitting on my to-do list for months.
I'm not a professional malware analyst or threat intel person, so I'm not super confident in my analysis. I also have a limited set of tools, services, and time.

If the text formatting/spacing sucks or you can't see images, it's Blogger's fault.
 

Analysis

I'm labeling samples by hash. You should be able to copy them into VT, Triage, Hybrid Analysis, and Any.Run to find sandbox reports, pcaps, etc.
 
Python samples

There were multiple Python samples found. I went for these samples partly because they would be relatively easy to analyze, and some of them exhibited malicious behavior in the VT and sandbox results.

05d9f87cc1bc5272d37a0da8d8bb5a5732760c13f7745395ef388951ee3963ad

I'm guessing this was someone doing a POC or testing, because they named their app trojan.py.

 

They added persistence capability via startup.

The analysis also shows screenshot capability for Windows and Linux systems.

 

This sample also does IP info gathering, which might actually be an interesting behavior to look for when searching sandbox results that contain broker traffic. A bunch of malware does something similar with various IP-lookup sites.

 

ae0b5e6dd44ecce8bdc6e71c32f007011d9dd991540e7bbf3831c72f894f0325

Another Python sample. This one also does persistence the same way, using the Startup folder.

 

C2 setup

 

Command execution ability

 

It also seems to have the ability to open URLs and browse files.

 

71071750fa9c9e1d9305bbb9a1f1ed75ee86bf42c0d25c12def512aae3d8b097

This sample actually used TLS/SSL to communicate with the broker. It was also very simple, aside from the encryption and encoding.


0551b908ae6233a709107c5a787f47206ed174d01ce937cee7975c969fa1b23e

This sample was actually manipulating Defender, setting up persistence, and hiding itself.  

 

 

The sample can apparently run on Linux as well.

 

 

The FCTRL/secure topic is used for communication.

 

5e69317295f1c6bf0a545261d6a814cf77c0132dacbe340cb1e605ab49436c15

This is another sample that seems to do a lot of odd things.

A scheduled task is used for persistence.

 

Recovery settings are changed.

 

There are various commands/abilities provided.

 

The pctrtl topic is used in this case.

 

07e4e006a2c76fd19143d95af25d22dfc65d971f4a63db0d06e751ad4ce20d22

Final Python sample. This one also had various abilities: screenshots, persistence, keylogging, etc.

There are actually multiple samples I came across that used the topic/shared key shown in this sample.

Persistence

 

 

Keylogging

 

Commands/abilities

 

 

Golang samples

I found three samples that were similar. They are being detected by AV, but I didn't see any write-ups when I searched for some of the function names.

These were probably the most interesting samples I saw. The issue is, I'm not sure how prevalent they are, how they're spreading, who's using them, or for what.

486aab85f1445776580ae854c25be52198e7e120d454daa14ce8e54bddb1326d

ffd9273d8de6b9ba66adc5a2acff0761061cdb89e1d0f4ca972b86ed004b23af

b3c1b4c66b99f970c892770ad64899ddd625cfa99707d7e3b351793d3048e30c

Communication seems to be done over the /commands/ topic.
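As an added example (my code, not from the post or from any of the samples): a minimal MQTT 3.1.1 packet decoder that pulls client IDs and topic names out of a captured broker session and flags the topics named in this post (FCTRL/secure for the 0551b908 sample, pctrtl for 5e693172, and /commands/ for the Golang samples). The sample stream is constructed with small encoder helpers so it runs offline; on real traffic you would feed it the reassembled TCP payload of a non-TLS broker session exported from Wireshark. The /commands/ entry is matched as a substring because the post does not give the full topic path, and the client ID and payloads below are made up.

```python
import struct
from typing import Dict, List, Tuple

# Topics named in the write-up, used as a hunt list. "/commands/" is a substring
# match since the exact topic path of the Go samples is not given.
SUSPICIOUS_TOPICS = ("FCTRL/secure", "pctrtl", "/commands/")


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length 'remaining length' field (7 bits per byte, 0x80 = continue)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n > 0 else byte)
        if n == 0:
            return bytes(out)


def decode_remaining_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Return (remaining_length, position after the field)."""
    value, multiplier = 0, 1
    while True:
        byte, pos = data[pos], pos + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _mqtt_str(s: str) -> bytes:
    """Length-prefixed UTF-8 string as used throughout MQTT."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def _read_str(data: bytes, pos: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from("!H", data, pos)
    pos += 2
    return data[pos:pos + n].decode("utf-8", "replace"), pos + n


# --- encoders, only used here to build the constructed sample stream ---
def encode_connect(client_id: str, keepalive: int = 60) -> bytes:
    body = _mqtt_str("MQTT") + bytes([4, 0x02]) + struct.pack("!H", keepalive) + _mqtt_str(client_id)
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def encode_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 1) -> bytes:
    body = _mqtt_str(topic) + (struct.pack("!H", packet_id) if qos else b"") + payload
    return bytes([0x30 | (qos << 1)]) + encode_remaining_length(len(body)) + body


def encode_subscribe(packet_id: int, topics: List[str]) -> bytes:
    body = struct.pack("!H", packet_id) + b"".join(_mqtt_str(t) + b"\x00" for t in topics)
    return bytes([0x82]) + encode_remaining_length(len(body)) + body


# --- decoder: walks a byte stream of control packets ---
def parse_stream(data: bytes) -> List[Dict]:
    packets, pos = [], 0
    while pos < len(data):
        first = data[pos]
        ptype, flags = first >> 4, first & 0x0F
        length, pos = decode_remaining_length(data, pos + 1)
        body, pos = data[pos:pos + length], pos + length
        if ptype == 1:  # CONNECT: protocol name, level, flags, keepalive, then client id
            proto, p = _read_str(body, 0)
            level = body[p]
            client_id, _ = _read_str(body, p + 4)
            packets.append({"type": "CONNECT", "protocol": proto, "level": level, "client_id": client_id})
        elif ptype == 3:  # PUBLISH: topic, packet id only when QoS > 0, then payload
            qos = (flags >> 1) & 0x03
            topic, p = _read_str(body, 0)
            if qos:
                p += 2
            packets.append({"type": "PUBLISH", "topic": topic, "qos": qos, "payload": body[p:]})
        elif ptype == 8:  # SUBSCRIBE: packet id, then (topic filter, requested QoS) pairs
            (pid,) = struct.unpack_from("!H", body, 0)
            p, filters = 2, []
            while p < len(body):
                t, p = _read_str(body, p)
                filters.append((t, body[p]))
                p += 1
            packets.append({"type": "SUBSCRIBE", "packet_id": pid, "filters": filters})
        else:
            packets.append({"type": f"TYPE_{ptype}", "raw": body})
    return packets


def flag_suspicious(packets: List[Dict]) -> List[Tuple[str, str, str]]:
    """(packet type, topic, matched hunt entry) for every topic on the hunt list."""
    hits = []
    for pkt in packets:
        topics = [pkt["topic"]] if pkt["type"] == "PUBLISH" else [t for t, _ in pkt.get("filters", [])]
        hits.extend((pkt["type"], t, s) for t in topics for s in SUSPICIOUS_TOPICS if s in t)
    return hits


# Constructed sample session: one client connects, subscribes, and publishes.
SAMPLE_STREAM = (
    encode_connect("victim-host-01")
    + encode_subscribe(1, ["FCTRL/secure", "telemetry/temp"])
    + encode_publish("pctrtl", b"hostinfo", qos=1, packet_id=2)
    + encode_publish("bot/commands/abc123", b"list-files")
)

if __name__ == "__main__":
    for hit in flag_suspicious(parse_stream(SAMPLE_STREAM)):
        print(hit)
```

The decoder only understands the three packet types the hunt needs (CONNECT, PUBLISH, SUBSCRIBE); anything else is passed through as raw bytes so the stream stays in sync. Subscriptions are worth checking alongside publishes because a bot usually subscribes to its command topic before it ever publishes.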

 

File path artifacts for .go files

 

 

 

There are multiple commands and abilities, but one that stood out is the ability to install AnyDesk.

 

 

Here are some other abilities/commands, but I didn't really dive deeper into them. They're self-explanatory.

 

 

 

Others

ea78ccfbe0b8e91ffa8eec30f79192b0dc89c3434775914ccc575705146e59e9

This sample was interesting. The file was UPX packed (technically Golang). It seems to be doing some SQL testing. This was one of the samples I didn't fully analyze.

Besides the broker, this also connects to Netlify: spiffy-crepe-c667e8[.]netlify[.]app. VT has a comment for this domain: "NKNShell Malware Distributed via VPN Website" - https://asec.ahnlab.com/en/91139/

This malware uses the NKN protocol (https://nkn.org/) as well.



Tools used

I used Ghidra, Wireshark, and MQTT Explorer. Triage and Hybrid Analysis both provide sandbox results, pcaps, memory dumps, dropped files, etc.

For the Python-based samples specifically, I just used web-based tools (obviously, be aware of what kind of data you're handling before uploading it to random sites...).
 
 
 
 

End

 
There are things I would do differently if I had more time and resources. Doing complex queries on VT Enterprise or sandbox data would be one of them: broker connection plus other weird behavior would turn up interesting things to look at.

The other thing I'd love to do is monitor a broker for C2 traffic, but I mainly avoid that so I don't have to deal with cryptography/math, and I'm not sure I'd see much anyway.

I also didn't look for any ELF files or standalone scripts. I think those might be interesting, especially scripts, if you can look for specific imports.

This was fun to look into for a bit but there are other more important security issues going on, obviously. 
 

Shoutouts

 
Thanks to Hybrid-Analysis/Crowdstrike and RecordedFuture/Hatching Triage for researcher accounts! <3