'Underminr' Vulnerability in Shared CDN Infrastructure Exposes 88 Million Domains to Advanced Evasion Techniques

New 'Underminr' Flaw in CDNs Puts 88 Million Domains at Risk of Evasive Attacks

HIGH
May 23, 2026
May 24, 2026
m read
VulnerabilityCloud SecurityCyberattack

Impact Scope

People Affected

Affects an estimated 88 million domains

Industries Affected

TechnologyCritical Infrastructure

Geographic Impact

United StatesUnited KingdomCanada (global)

Related Entities(initial)

Products & Tech

Content Delivery Network (CDN)

Other

ADAMnetworks

Full Report(when first published)

Executive Summary

Security researchers have uncovered a widespread and critical vulnerability in shared Content Delivery Network (CDN) infrastructure, dubbed "Underminr". This flaw enables a modern variant of domain fronting, allowing threat actors to conceal malicious Command and Control (C2) communications by masking them with legitimate, trusted domains. The technique, detailed by ADAMnetworks, is estimated to affect as many as 88 million domains globally, with a significant concentration in the United States, United Kingdom, and Canada. The vulnerability is reportedly being actively exploited, posing a significant risk of security bypass for organizations relying on DNS filtering and traditional network security controls. The rise of AI-generated malware is predicted to further automate and scale the exploitation of Underminr.


Vulnerability Details

Underminr is not a flaw in a single piece of software, but a systemic weakness in how some shared CDN infrastructures handle HTTPS requests. It allows attackers to abuse the trust placed in legitimate domains to evade detection.

Technical Analysis

The attack leverages the separation between the unencrypted and encrypted parts of an HTTPS request:

  1. Outer Layer (Unencrypted): The attacker initiates a connection to the CDN and uses a legitimate, trusted domain (e.g., trusted-customer.com) in the Server Name Indication (SNI) field of the TLS handshake. Since trusted-customer.com is a known-good domain hosted on the CDN, network security appliances and DNS filters allow the connection to proceed.
  2. Inner Layer (Encrypted): Once the secure tunnel is established with the CDN's edge server, the attacker specifies their actual malicious domain (e.g., malicious-c2-server.com) within the encrypted HTTP Host header.
  3. Request Routing: A vulnerable CDN configuration will terminate the TLS connection, inspect the inner Host header, and then route the request to the attacker's server, which is also hosted on the same shared infrastructure.

This effectively makes the CDN a malicious proxy, and all C2 traffic appears to security tools as legitimate communication with trusted-customer.com.

This is a classic example of T1568.002 - Domain Fronting, where the disconnect between the outer-layer domain and the inner-layer destination is exploited to bypass security controls.

Affected Systems

The vulnerability lies within the configuration of shared CDN infrastructure. It is not specific to one provider but is a pattern that can exist in any multi-tenant CDN environment where routing decisions are based on the inner Host header after TLS termination. The report from ADAMnetworks estimates 88 million domains are potentially affected due to being hosted on such vulnerable infrastructures.

Exploitation Status

Researchers have confirmed that the Underminr technique is actively being exploited in the wild. The ease of implementation and the high reward (evasion of primary network defenses) make it a valuable tool for sophisticated threat actors. David Redekop, CEO of ADAMnetworks, warns that this technique is a prime candidate for integration into AI-driven malware frameworks, which could automate the discovery of vulnerable domains and the execution of attacks at an unprecedented scale.

Impact Assessment

The business impact of Underminr is severe. It fundamentally undermines a key layer of network defense: DNS and IP-based filtering. Organizations that believe they are protected by blocking known-bad domains can be easily bypassed. This allows malware to establish C2 channels from within a compromised network, leading to data exfiltration, ransomware deployment, and persistent remote access, all while the traffic is camouflaged as benign web browsing to a trusted site.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns that could indicate related activity:

Type
Network Traffic Pattern
Value
Mismatch between TLS SNI and HTTP Host Header
Description
The core indicator of domain fronting. Requires TLS inspection (decrypting traffic) to detect.
Type
URL Pattern
Value
Connections to high-reputation domains with unusual traffic patterns
Description
Look for long-lived, periodic, or high-volume connections to domains that typically serve static content.
Type
Log Source
Value
CDN Access Logs
Description
If available, analyze CDN logs for requests where the routing decision points to an unexpected origin server based on the Host header.
Type
Process Name
Value
powershell.exe, curl.exe, cscript.exe
Description
Monitor for these processes making outbound HTTPS connections where the destination IP resolves to a major CDN but the context is suspicious.

Detection & Response

Detecting Underminr is challenging and requires advanced security capabilities.

  • TLS Inspection: The most effective method for detection is performing SSL/TLS inspection on outbound traffic. This allows security appliances to decrypt the traffic and compare the outer SNI domain with the inner HTTP Host header. A mismatch is a strong indicator of domain fronting. This is an implementation of the D3FEND technique Network Traffic Analysis.
  • Behavioral Analysis: Use EDR and Network Detection and Response (NDR) tools to baseline normal traffic patterns. Look for anomalies such as beaconing behavior (periodic callbacks) to trusted domains, even if the domain itself is allowed.
  • Egress Filtering: While Underminr bypasses domain-based filtering, restricting outbound connections to only a list of business-justified FQDNs and IP addresses can limit the attack surface. This is a form of Outbound Traffic Filtering.

Mitigation

Mitigation falls on both CDN providers and their customers.

  • CDN Providers: Providers must reconfigure their platforms to enforce that the inner Host header matches (or is an authorized subdomain of) the outer SNI domain. This closes the loophole that Underminr exploits.
  • Organizations (Customers):
    1. Implement TLS Inspection: Deploy next-generation firewalls or secure web gateways with full TLS inspection capabilities. This is the most direct countermeasure.
    2. Enhance Endpoint Detection: Since network controls can be bypassed, robust endpoint detection is critical. EDR tools can detect the malicious process on the host that initiates the C2 connection, regardless of how it's masked on the network.
    3. Adopt a Zero Trust Architecture: Move away from perimeter-based trust models. Assume that any connection could be malicious and require verification at every step.

Timeline of Events

1
May 23, 2026
This article was published

Article Updates

May 24, 2026

New technical analysis, MITRE ATT&CK mappings, and additional hunting hints for the 'Underminr' CDN vulnerability are provided, detailing exploitation steps and detection methods.

This update provides a more detailed technical analysis of the 'Underminr' vulnerability, outlining the reconnaissance, setup, exploitation, and bypass steps. It maps the technique to several MITRE ATT&CK techniques, including T1071.001, T1090.002, T1573.002, and T1572. New hunting hints are introduced, such as looking for JA3/JA3S hash mismatches and uncommon User-Agents for specific domains. The article further emphasizes that the ultimate mitigation responsibility lies with CDN providers to reconfigure their routing logic, while organizations should focus on TLS inspection and egress filtering.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

C2CDNDomain FrontingEvasionUnderminr

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.