Executive Summary
The Underminr vulnerability is a critical and actively exploited flaw in shared Content Delivery Network (CDN) infrastructure that enables attackers to conceal malicious connections behind trusted, high-reputation domains. By leveraging architectural weaknesses in how CDNs multiplex traffic for multiple tenants, adversaries can bypass security controls, evade detection, and deliver command-and-control (C2) traffic, malware, and phishing campaigns at scale. The impact of Underminr is broader than traditional domain fronting, affecting a vast number of domains and major CDN providers. This report provides a comprehensive technical analysis, exploitation evidence, threat actor tactics, affected product scope, and actionable mitigation guidance.
Technical Information
The Underminr vulnerability arises from the architectural design of modern CDNs, which multiplex traffic for large numbers of customer domains over shared edge infrastructure. An attacker registers their own domain with a CDN that also serves high-profile, trusted domains. Because the edge selects the TLS certificate from the Server Name Indication (SNI) in the handshake and selects the tenant backend from the HTTP Host header (or the HTTP/2 :authority pseudo-header), the attacker can craft connections whose externally visible identity is a reputable domain while the requests carried inside them are routed to attacker-controlled infrastructure.
This is not a software bug but an abuse of CDN routing logic. When a request arrives, the edge uses the Host header or SNI to decide which backend handles it. If an attacker's domain shares an edge node with a trusted domain, requests that appear destined for the trusted domain are handled by the attacker's backend. Security appliances and monitoring tools that rely on domain reputation, SNI inspection, or the reputation of the shared edge IP see a connection to a trusted domain and allow it through, cloaking the malicious activity. The Host header travels inside the TLS session, so a passive observer without TLS interception sees only the SNI and the shared edge IP, and neither of those distinguishes one tenant from another.
Classic domain fronting depends on a mismatch between the SNI and the Host header to route traffic through a front domain, and some major providers have blocked that specific mismatch. According to ADAMnetworks, Underminr achieves the same effect through the CDN's own multiplexing and routing logic, which is why its reach is far larger: over 88 million domains are potentially affected, including those served by major providers such as Cloudflare, Akamai, AWS CloudFront, and Fastly.
Attackers can use this technique to deliver malware, establish resilient C2 channels, and exfiltrate data while blending their traffic with legitimate business communications. HTTP/2 multiplexing compounds the problem: many streams, each with its own :authority, can be interleaved over a single TLS connection that presents one SNI, so connection-level inspection cannot attribute individual requests and has no way to separate malicious streams from benign ones.
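The following Python model is an added example, not code from the original report or from ADAMnetworks, and it uses hypothetical tenant names and backends rather than any real provider's routing code. It models the mechanism described above: a shared edge that terminates TLS for every tenant, picks the certificate from the SNI, and dispatches each HTTP request to a tenant backend by Host/:authority, while a perimeter device keyed on SNI reputation sees only the trusted name. The HTTP/2 case is represented by several streams on one connection; the `enforce_sni_host_match` flag is an assumed edge-side control used to show what changes when the edge refuses a Host that disagrees with the SNI.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model of a multi-tenant CDN edge (hypothetical names, not a real
# provider's routing code). The edge terminates TLS for every tenant it hosts,
# picks the certificate from the SNI, then dispatches each HTTP request to a
# tenant backend using the Host header (HTTP/1.1) or :authority (HTTP/2).
TENANT_BACKENDS = {
    "trusted-saas.example": "origin-trusted.internal:8443",
    "attacker-owned.example": "origin-attacker.internal:8443",
}
HIGH_REPUTATION = {"trusted-saas.example"}


@dataclass
class Stream:
    """One HTTP request on the connection; HTTP/2 lets many share one TLS session."""
    authority: str  # Host / :authority value chosen by the client
    path: str


@dataclass
class Connection:
    sni: str  # the only hostname visible to a passive observer
    streams: List[Stream] = field(default_factory=list)


@dataclass
class Edge:
    # Assumed edge-side control: refuse requests whose Host does not match the SNI.
    enforce_sni_host_match: bool = False

    def dispatch(self, conn: Connection) -> List[Tuple[str, str, str]]:
        """Return (verdict, authority, target) per stream, as the edge would route it."""
        out = []
        if conn.sni not in TENANT_BACKENDS:
            # No tenant certificate for this SNI: the handshake fails for the whole connection.
            return [("reject", s.authority, "no certificate for SNI") for s in conn.streams]
        for s in conn.streams:
            if s.authority not in TENANT_BACKENDS:
                out.append(("reject", s.authority, "unknown host"))
            elif self.enforce_sni_host_match and s.authority != conn.sni:
                out.append(("reject", s.authority, "host does not match SNI"))
            else:
                out.append(("route", s.authority, TENANT_BACKENDS[s.authority]))
        return out


def sni_only_verdict(conn: Connection) -> str:
    """What a perimeter device that keys on SNI / domain reputation decides."""
    return "allow" if conn.sni in HIGH_REPUTATION else "block"


def fronted_connection() -> Connection:
    """Constructed attacker traffic: trusted SNI carrying one benign and one C2 stream."""
    return Connection(
        sni="trusted-saas.example",
        streams=[
            Stream("trusted-saas.example", "/login"),
            Stream("attacker-owned.example", "/beacon"),
        ],
    )


def run() -> dict:
    """Compare the perimeter verdict with what each kind of edge actually does."""
    conn = fronted_connection()
    return {
        "perimeter": sni_only_verdict(conn),
        "permissive_edge": Edge().dispatch(conn),
        "strict_edge": Edge(enforce_sni_host_match=True).dispatch(conn),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```

With the permissive edge the perimeter allows the whole connection and the second stream reaches the attacker's backend; with the strict edge the same perimeter verdict stands, but the edge drops the mismatched stream. The perimeter never sees the difference, which is the point of the section above: the decision has to be made where the Host is visible.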
Exploitation in the Wild
Active exploitation of Underminr has been confirmed by ADAMnetworks and reported by industry outlets including SecurityWeek and SC Magazine. Threat actors are leveraging this vulnerability to deliver malware payloads, conduct phishing campaigns, and establish C2 channels that evade traditional detection mechanisms. Observed tactics, techniques, and procedures (TTPs) include the use of trusted SaaS and CDN domains as cover for malicious traffic, blending attacker infrastructure with legitimate business traffic, and abusing advanced protocol features such as HTTP/2 multiplexing.
For example, attackers have been observed registering domains with a CDN provider, then crafting requests that present the SNI of a trusted domain (such as a major SaaS provider) while the Host header directs the request to their own backend. Security tools see a connection to the trusted domain and allow it through perimeter defenses. This lets attackers deliver phishing lures, drop malware, and maintain stealthy C2 communications while hiding behind the reputation of globally trusted brands.
APT Groups using this vulnerability
As of this report, there is no direct attribution of Underminr exploitation to specific Advanced Persistent Threat (APT) groups. However, the TTPs observed align closely with those used by groups known for domain fronting and CDN abuse, such as APT29 and APT41 in previous campaigns. These groups have historically leveraged similar techniques to evade detection, establish resilient C2 infrastructure, and conduct large-scale phishing and data exfiltration operations. The use of Underminr is likely to appeal to both state-sponsored and financially motivated actors due to its effectiveness and the difficulty of detection.
Affected Product Versions
The Underminr vulnerability is not tied to specific software versions but to the shared infrastructure model of modern CDN providers. Any domain that shares CDN infrastructure with attacker-registered domains is potentially at risk. This includes, but is not limited to, domains served by Cloudflare, Akamai, AWS CloudFront, Fastly, and other major CDN vendors. According to ADAMnetworks, over 88 million domains are potentially affected. The vulnerability is architectural in nature, and no CVE has been assigned as of May 2026.
Workaround and Mitigation
Mitigating Underminr requires a multi-layered approach that goes beyond domain reputation and perimeter filtering. The decisive check is correlating the SNI with the HTTP Host (or :authority) of each request against the hostnames the organization expects to reach through that CDN; because the Host is inside the TLS session, this requires either TLS inspection at the proxy or per-request logs from the CDN provider, and allowlists should be keyed on the Host rather than on the SNI or the edge IP, since every tenant shares the same edge addresses. Monitor for anomalous traffic to high-reputation domains, especially periodic, beacon-like connections or volumes that do not match normal business use. Review CDN configurations for isolation from untrusted tenants and ask providers whether they enforce consistency between SNI and Host across tenants; engaging with CDN providers is critical, as some are rolling out architectural changes to prevent cross-tenant abuse. Security teams should also add attacker-registered domains published by ADAMnetworks and other researchers to threat intelligence feeds, bearing in mind that such indicators only help where the malicious hostname is visible, not where only the shared edge IP is logged. Behavioral analytics on top of these signals can surface patterns indicative of Underminr exploitation that any single indicator would miss.
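The detection logic below is an added example, not part of the original report or of any vendor's product, and it runs over constructed proxy records in a hypothetical JSON-lines format with hypothetical hostnames. It implements the checks recommended above: a Host/SNI comparison, a Host allowlist that ignores the shared edge IP, and a simple periodicity test for beacon-like connections to a high-reputation SNI. The `host` field assumes the proxy performs TLS inspection or that the CDN exports per-request logs; without one of those only `sni` and `dst_ip` would be available.

```python
import json
import statistics
from collections import defaultdict
from typing import Dict, List

# Hostnames the organisation expects to reach through the shared CDN edge.
# Constructed allowlist with hypothetical names. It is keyed on the HTTP Host,
# the value the edge actually routes on, not on SNI or on the edge IP, which
# every tenant shares.
EXPECTED_HOSTS = {"trusted-saas.example", "docs.trusted-saas.example"}

# Constructed proxy records in a hypothetical JSON-lines format. All records
# go to the same edge IP, so IP reputation cannot separate the tenants.
SAMPLE_LOG = """\
{"ts": 1000, "src": "10.0.0.5", "dst_ip": "203.0.113.10", "sni": "trusted-saas.example", "host": "trusted-saas.example"}
{"ts": 1041, "src": "10.0.0.5", "dst_ip": "203.0.113.10", "sni": "docs.trusted-saas.example", "host": "docs.trusted-saas.example"}
{"ts": 1530, "src": "10.0.0.5", "dst_ip": "203.0.113.10", "sni": "trusted-saas.example", "host": "trusted-saas.example"}
{"ts": 1000, "src": "10.0.0.9", "dst_ip": "203.0.113.10", "sni": "trusted-saas.example", "host": "attacker-owned.example"}
{"ts": 1060, "src": "10.0.0.9", "dst_ip": "203.0.113.10", "sni": "trusted-saas.example", "host": "attacker-owned.example"}
{"ts": 1120, "src": "10.0.0.9", "dst_ip": "203.0.113.10", "sni": "trusted-saas.example", "host": "attacker-owned.example"}
{"ts": 1180, "src": "10.0.0.9", "dst_ip": "203.0.113.10", "sni": "trusted-saas.example", "host": "attacker-owned.example"}
{"ts": 1240, "src": "10.0.0.9", "dst_ip": "203.0.113.10", "sni": "trusted-saas.example", "host": "attacker-owned.example"}
{"ts": 1300, "src": "10.0.0.12", "dst_ip": "203.0.113.10", "sni": "other-tenant.example", "host": "other-tenant.example"}
"""


def parse_log(text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def record_findings(rec: dict) -> List[str]:
    """Per-record checks: Host/SNI disagreement and Host outside the allowlist."""
    findings = []
    if rec["host"] != rec["sni"]:
        findings.append("sni_host_mismatch")
    if rec["host"] not in EXPECTED_HOSTS:
        # Same edge IP as the trusted tenant, so only the Host reveals this.
        findings.append("unexpected_host_on_shared_edge")
    return findings


def beacon_candidates(records: List[dict], min_events: int = 4, max_cv: float = 0.1) -> List[tuple]:
    """Flag (src, sni) pairs whose connection times are nearly periodic."""
    by_pair: Dict[tuple, List[int]] = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["sni"])].append(r["ts"])
    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation near zero means fixed-interval check-ins.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged.append(pair)
    return flagged


def analyze(text: str) -> dict:
    """Aggregate per-source findings and beacon candidates for the whole log."""
    records = parse_log(text)
    per_src: Dict[str, set] = {}
    for r in records:
        f = record_findings(r)
        if f:
            per_src.setdefault(r["src"], set()).update(f)
    return {
        "per_src": {src: sorted(f) for src, f in per_src.items()},
        "beacons": beacon_candidates(records),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2, default=list))
```

Against the sample, 10.0.0.9 is flagged by both per-record rules and as a beacon (fixed 60-second interval behind a trusted SNI), while 10.0.0.12 is caught only by the allowlist rule even though its SNI and Host agree, which is why the allowlist on Host matters independently of the mismatch check. HTTP/2 connection coalescing can legitimately produce a Host that differs from the SNI when both names are covered by the same certificate, so treat a bare mismatch as a signal to enrich with the allowlist rather than as an alert on its own.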
References
ADAMnetworks Press Release, SecurityWeek Article, SC Magazine Coverage, SecurityWeek X/Twitter, MITRE ATT&CK T1090.003, MITRE ATT&CK T1071.001.
Rescana is here for you
Rescana is committed to helping organizations navigate the evolving threat landscape. Our Third-Party Risk Management (TPRM) platform empowers security teams to continuously assess, monitor, and manage risks across their digital supply chain and vendor ecosystem. We provide actionable intelligence, automated workflows, and expert guidance to help you stay ahead of emerging threats. If you have questions about this report or need assistance with detection, response, or risk management, we are happy to help at ops@rescana.com.