Three CVSS 10.0 unauthenticated RCEs in Ubiquiti UniFi OS, a legitimate Azure AD enumeration tool being weaponized by nation-state actors, and a Trend Micro endpoint security zero-day already in CISA’s KEV catalog. Here is what matters for defenders today.

In the News

Ubiquiti Patches Three CVSS 10.0 UniFi OS RCEs — No Authentication Required

Ubiquiti released firmware updates addressing three maximum-severity vulnerabilities in UniFi OS. Each flaw carries a CVSS score of 10.0 and allows unauthenticated remote code execution. The attack requirements are minimal: network access to the device management interface, no credentials, no user interaction. Every UniFi console, gateway, and access point running an unpatched firmware version is affected.

UniFi devices are everywhere in small and medium enterprise environments. They are often deployed by MSPs or in-house IT teams and then left on flat networks where user VLANs can reach management interfaces directly. The combination of deployment density, minimal patch discipline in SMB environments, and the trivial exploitation path makes this a high-priority patching event.

The three flaws affect the same UniFi OS REST API surface. Ubiquiti has not published detailed technical advisories beyond confirming the CVSS scores and the unauthenticated RCE impact. Proof-of-concept exploits have not been publicly observed at the time of writing, but the CVSS 10.0 rating and the unauthenticated attack vector mean the window between patch availability and active exploitation will be short.

What defenders should do: Patch immediately. If patching is delayed, isolate UniFi device management interfaces on a dedicated management VLAN unreachable from user networks and the internet. Audit firewall rules to confirm no management ports are exposed externally. Run asset discovery to identify UniFi devices that IT may not be tracking — branch offices and conference rooms are common blind spots.

MITRE ATT&CK: T1190 — Exploit Public-Facing Application, T1059 — Command and Scripting Interpreter

Nation-State Actors Weaponize ROADtools for Azure AD Reconnaissance

Palo Alto Unit 42 published research documenting nation-state threat actors using ROADtools — a legitimate, open-source Azure AD enumeration framework — for pre-attack reconnaissance in cloud intrusions. ROADtools queries the Microsoft Graph API to enumerate users, groups, service principals, application registrations, and OAuth permissions. The output gives an attacker a complete identity and privilege map of the target tenant before any lateral movement begins.

The challenge is detection. ROADtools generates Graph API calls that are individually indistinguishable from legitimate administrative activity. A security admin running an access review queries the same endpoints. The differentiator is behavioral: bulk enumeration of every group, every service principal, and every application registration in a short time window from an unfamiliar IP or device. Without behavioral baselining of Graph API activity, this reconnaissance is invisible.

Unit 42 observed the tool being used after initial access via compromised credentials — not as the initial access vector itself. The attack chain follows a pattern: stolen credentials (often from phishing or infostealer logs) → ROADtools enumeration → identification of high-privilege service principals or overly permissive OAuth applications → lateral movement to data stores or admin roles.

What defenders should do: Baseline normal Graph API query volumes and patterns per user and service principal in your Azure AD tenant. Alert on bulk directory enumeration — specifically, queries that dump all group memberships, all service principals, or all application registrations in a single session. Review conditional access policies to ensure that administrative API access is restricted to compliant, managed devices. Audit and reduce overly permissive OAuth application consent grants, which are the assets ROADtools identifies for attackers.

MITRE ATT&CK: T1087.004 — Account Discovery: Cloud Account, T1069.003 — Permission Groups Discovery: Cloud Groups, T1078.004 — Valid Accounts: Cloud Accounts

Trend Micro Apex One Zero-Day Added to CISA KEV — CVE-2026-34926

CVE-2026-34926 is a directory traversal vulnerability in Trend Micro Apex One’s on-premises management server. The flaw allows an authenticated attacker to read arbitrary files from the server, including configuration data, agent deployment credentials, and security policy definitions. Trend Micro confirmed active exploitation in a security advisory, and CISA added the CVE to the Known Exploited Vulnerabilities catalog, triggering BOD 22-01 mandatory remediation timelines for federal agencies.

The irony of an endpoint protection management server being the vulnerability is not lost on defenders. An Apex One server holds the exclusion lists, deployment tokens, and policy configurations for every endpoint agent it manages. File read access to that server gives an attacker the blueprint for evading the very tool deployed to detect them.

The CVSS score of 7.5 reflects the authenticated requirement, but in practice, post-compromise scenarios — where the attacker already has credentials from phishing or credential stuffing — make this trivially chainable. The attacker does not need admin-level access to the Apex One console; any authenticated session is sufficient to trigger the traversal.

What defenders should do: Apply the latest Apex One SP1 patch immediately. If running an on-premises Apex One deployment, restrict network access to the management server to authorized admin workstations only. Monitor the Apex One server’s file access logs for traversal patterns (e.g., ../ sequences in HTTP request paths). Consider whether the on-premises management architecture is defensible long-term or whether migration to a cloud-managed endpoint platform eliminates this class of vulnerability.

MITRE ATT&CK: T1083 — File and Directory Discovery, T1005 — Data from Local System
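The log monitoring step above, worked through as an added example that is not from the brief or from Trend Micro: a small Python checker that parses constructed combined-format access log lines (the real Apex One log layout is not described here, so the format and the /console/download endpoint are assumptions) and flags request targets that contain a traversal segment after bounded percent-decoding, so plain, encoded, and double-encoded ../ variants are all caught.

```python
import re
from urllib.parse import unquote

# Combined-log-style request line parser (assumed log format; Apex One's
# real log layout is not described in the brief).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_target(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %2e%2e%2f and double-encoded
    %252e%252e%252f collapse to '../'; treat backslash as a separator."""
    target = raw
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def has_traversal(raw_target: str) -> bool:
    """True when a '..' segment appears in the path or in a query value."""
    return any(seg == ".." for seg in re.split(r"[/?&=]", normalize_target(raw_target)))


def find_traversal_requests(lines):
    """Return client IP, raw target and status for each request carrying a
    traversal sequence; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and has_traversal(m["target"]):
            hits.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"])})
    return hits


# Constructed sample log lines: one normal request, then plain, percent-encoded
# and double-encoded traversal attempts against a placeholder download endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Apr/2026:09:12:01 +0000] "GET /console/index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Apr/2026:09:12:05 +0000] "GET /console/download?file=../../app.conf HTTP/1.1" 200 884',
    '198.51.100.7 - - [01/Apr/2026:09:12:06 +0000] "GET /console/download?file=%2e%2e%2f%2e%2e%2fapp.conf HTTP/1.1" 200 884',
    '198.51.100.7 - - [01/Apr/2026:09:12:07 +0000] "GET /console/download?file=..%252f..%252fapp.conf HTTP/1.1" 403 0',
]
```

A 200 status on a flagged request is the line worth escalating; a 403 still shows who is probing.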

Kimwolf Botnet Operator Arrested — 2M+ IoT Devices Remain Vulnerable

Canadian and U.S. law enforcement arrested the alleged operator behind the Kimwolf DDoS botnet, which enslaved over two million IoT devices for DDoS-for-hire services. The botnet recruited devices through default credentials and known firmware vulnerabilities in consumer and SMB routers, IP cameras, and NAS appliances. Customers of the service paid to direct volumetric DDoS attacks against targets of their choosing.

The arrest is a positive law enforcement outcome but does not solve the underlying problem. The two million compromised devices are still running default credentials and unpatched firmware. The botnet infrastructure will be dismantled, but the device population will be re-recruited by the next botnet operator — historically within weeks of a takedown. The operational reality is that IoT device hygiene in SMB and consumer environments remains negligible.

What defenders should do: Run asset discovery scans targeting your network’s IoT segments. Identify devices with default credentials and known vulnerable firmware versions. Enforce network segmentation that prevents IoT devices from initiating outbound connections to arbitrary internet destinations. Monitor for anomalous outbound traffic volume from IoT VLANs — a device generating sustained high-bandwidth outbound flows is a strong DDoS participation indicator.

MITRE ATT&CK: T1498 — Network Denial of Service, T1078.001 — Valid Accounts: Default Accounts

Today’s Deep Dive — Detecting Legitimate Tool Abuse in Azure AD

The Unit 42 research on ROADtools represents a broader pattern: threat actors increasingly rely on tools that defenders also use. ROADtools is not malware. It is an open-source framework built by security researcher Dirk-jan Mollema for legitimate Azure AD auditing. The same capability that helps a security team understand their tenant’s identity surface gives an attacker a pre-attack map.

Detection cannot rely on blocking the tool or matching a signature. The Graph API calls ROADtools makes are identical to those made by Azure AD Connect, third-party identity governance tools, and manual admin queries. The detection signal is behavioral — specifically, the volume, velocity, and scope of directory enumeration from a single identity in a single session.

Key indicators to baseline and alert on:

  1. Bulk enumeration of service principals — A single identity querying all service principals (GET /servicePrincipals with no filter) in a short window is abnormal for most admin workflows. Legitimate admin activity typically queries specific service principals by name or appId.

  2. Full group membership dumps — Querying all groups and expanding all members (GET /groups?$expand=members) across the entire tenant is a hallmark of reconnaissance. Normal operations query specific groups.

  3. Application registration enumeration — Dumping all app registrations with their credential metadata (GET /applications) provides an attacker with a list of every OAuth application, its permissions, and its key expiry dates. This is the reconnaissance step before identifying over-permissioned applications for lateral movement.

  4. Unfamiliar source context — The enumeration originates from an IP, device, or session that has not previously performed directory administrative activity. Conditional access policies that require compliant devices for Graph API access reduce this surface directly.

The compensating control is reducing what ROADtools can find. Overly permissive OAuth consent grants, service principals with persistent credentials instead of managed identities, and application registrations with excessive API permissions are the assets that make ROADtools output valuable to an attacker. Hardening those configurations reduces the blast radius of any directory enumeration, regardless of the tool used.

Detection Spotlight

The following KQL query for Microsoft Sentinel identifies potential bulk Azure AD enumeration via the Microsoft Graph API — the pattern ROADtools and similar tools produce. It looks for a single identity making an anomalous number of directory read operations in a 10-minute window.

let threshold = 50;
let timewindow = 10m;
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName has_any ("List groups", "List servicePrincipals", "List applications", "List users")
| where Result == "success"
| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
         IPAddress = tostring(InitiatedBy.user.ipAddress)
| summarize OperationCount = count(),
            DistinctOperations = dcount(OperationName),
            Operations = make_set(OperationName)
    by UserPrincipalName, IPAddress, bin(TimeGenerated, timewindow)
| where OperationCount > threshold and DistinctOperations >= 3
| project TimeGenerated, UserPrincipalName, IPAddress, OperationCount, DistinctOperations, Operations
| sort by OperationCount desc

What it catches: A single user principal performing more than 50 directory read operations across at least three different directory object types (groups, service principals, applications, users) within a 10-minute window. This threshold filters out normal admin queries while catching the bulk enumeration pattern characteristic of ROADtools and similar reconnaissance frameworks.

False positive considerations: Identity governance platforms that perform scheduled full-tenant audits will trigger this query. Exclude known service principals for those platforms by adding a filter on InitiatedBy.user.userPrincipalName. Azure AD Connect sync operations may also trigger — baseline your tenant’s normal enumeration patterns before tuning the threshold.
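The same detection logic, covering the four deep-dive indicators and the Sentinel query above, as an added Python example that is not from the brief or from ROADtools: it bins constructed Azure AD audit events by user, source IP and 10-minute window, applies the count and distinct-operation-type thresholds, and drops an assumed allowlist of governance or sync identities, which is the false-positive exclusion described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 50                  # more than this many directory reads per bin
MIN_DISTINCT_OPS = 3            # spread over at least this many object types
WINDOW = timedelta(minutes=10)
DIRECTORY_READS = {"List groups", "List servicePrincipals",
                   "List applications", "List users"}
# Assumed allowlist: identities that legitimately dump the whole directory
# (identity governance platforms, sync accounts). Constructed value.
KNOWN_BULK_READERS = {"governance-sync@example.com"}


def bin_start(ts: datetime, window: timedelta = WINDOW) -> datetime:
    """Floor a timestamp to the start of its window, like KQL's bin()."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window


def find_bulk_enumeration(events):
    """Mirror of the Sentinel query: group successful directory reads by
    (user, ip, window) and keep bins over THRESHOLD spanning MIN_DISTINCT_OPS."""
    buckets = defaultdict(list)
    for e in events:
        if e["result"] != "success" or e["operation"] not in DIRECTORY_READS:
            continue
        if e["user"] in KNOWN_BULK_READERS:
            continue                      # the false-positive exclusion
        buckets[(e["user"], e["ip"], bin_start(e["time"]))].append(e["operation"])
    hits = []
    for (user, ip, start), ops in buckets.items():
        if len(ops) > THRESHOLD and len(set(ops)) >= MIN_DISTINCT_OPS:
            hits.append({"user": user, "ip": ip, "window_start": start,
                         "count": len(ops), "operations": sorted(set(ops))})
    return sorted(hits, key=lambda h: h["count"], reverse=True)


def constructed_events():
    """Constructed audit events: an admin doing five targeted reads, a recon
    account dumping all four object types in four minutes, and an allowlisted
    governance account doing the same dump."""
    base = datetime(2026, 4, 1, 9, 0, 0)
    ev = [{"time": base + timedelta(seconds=30 * i), "user": "admin@example.com",
           "ip": "203.0.113.10", "operation": "List groups", "result": "success"}
          for i in range(5)]
    for who in ("recon@example.com", "governance-sync@example.com"):
        for i in range(60):
            ev.append({"time": base + timedelta(seconds=4 * i), "user": who,
                       "ip": "198.51.100.7",
                       "operation": sorted(DIRECTORY_READS)[i % 4], "result": "success"})
    return ev
```

Tune THRESHOLD and KNOWN_BULK_READERS against a week of your own tenant's audit data before alerting on the output.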


Subscribe to the it-learn Brief

Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.