Affects an estimated 88 million domains
Security researchers have uncovered a widespread and critical vulnerability in shared Content Delivery Network (CDN) infrastructure, dubbed "Underminr". This flaw enables a modern variant of domain fronting, allowing threat actors to conceal malicious Command and Control (C2) communications by masking them with legitimate, trusted domains. The technique, detailed by ADAMnetworks, is estimated to affect as many as 88 million domains globally, with a significant concentration in the United States, United Kingdom, and Canada. The vulnerability is reportedly being actively exploited, posing a significant risk of security bypass for organizations relying on DNS filtering and traditional network security controls. The rise of AI-generated malware is predicted to further automate and scale the exploitation of Underminr.
Underminr is not a flaw in a single piece of software, but a systemic weakness in how some shared CDN infrastructures handle HTTPS requests. It allows attackers to abuse the trust placed in legitimate domains to evade detection.
The attack leverages the separation between the unencrypted and encrypted parts of an HTTPS request:
trusted-customer.com) in the Server Name Indication (SNI) field of the TLS handshake. Since trusted-customer.com is a known-good domain hosted on the CDN, network security appliances and DNS filters allow the connection to proceed.malicious-c2-server.com) within the encrypted HTTP Host header.Host header, and then route the request to the attacker's server, which is also hosted on the same shared infrastructure.This effectively makes the CDN a malicious proxy, and all C2 traffic appears to security tools as legitimate communication with trusted-customer.com.
This is a classic example of T1568.002 - Domain Fronting, where the disconnect between the outer-layer domain and the inner-layer destination is exploited to bypass security controls.
The vulnerability lies within the configuration of shared CDN infrastructure. It is not specific to one provider but is a pattern that can exist in any multi-tenant CDN environment where routing decisions are based on the inner Host header after TLS termination. The report from ADAMnetworks estimates 88 million domains are potentially affected due to being hosted on such vulnerable infrastructures.
Researchers have confirmed that the Underminr technique is actively being exploited in the wild. The ease of implementation and the high reward (evasion of primary network defenses) make it a valuable tool for sophisticated threat actors. David Redekop, CEO of ADAMnetworks, warns that this technique is a prime candidate for integration into AI-driven malware frameworks, which could automate the discovery of vulnerable domains and the execution of attacks at an unprecedented scale.
The business impact of Underminr is severe. It fundamentally undermines a key layer of network defense: DNS and IP-based filtering. Organizations that believe they are protected by blocking known-bad domains can be easily bypassed. This allows malware to establish C2 channels from within a compromised network, leading to data exfiltration, ransomware deployment, and persistent remote access, all while the traffic is camouflaged as benign web browsing to a trusted site.
Security teams may want to hunt for the following patterns that could indicate related activity:
powershell.exe, curl.exe, cscript.exeDetecting Underminr is challenging and requires advanced security capabilities.
Host header. A mismatch is a strong indicator of domain fronting. This is an implementation of the D3FEND technique Network Traffic Analysis.Outbound Traffic Filtering.Mitigation falls on both CDN providers and their customers.
Host header matches (or is an authorized subdomain of) the outer SNI domain. This closes the loophole that Underminr exploits.New technical analysis, MITRE ATT&CK mappings, and additional hunting hints for the 'Underminr' CDN vulnerability are provided, detailing exploitation steps and detection methods.
This update provides a more detailed technical analysis of the 'Underminr' vulnerability, outlining the reconnaissance, setup, exploitation, and bypass steps. It maps the technique to several MITRE ATT&CK techniques, including T1071.001, T1090.002, T1573.002, and T1572. New hunting hints are introduced, such as looking for JA3/JA3S hash mismatches and uncommon User-Agents for specific domains. The article further emphasizes that the ultimate mitigation responsibility lies with CDN providers to reconfigure their routing logic, while organizations should focus on TLS inspection and egress filtering.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.