Hackers Exploit Shared CDN Infrastructure in 'Underminr' Technique to Bypass Domain Reputation Security
Attackers are abusing shared CDN infrastructure in a technique called 'Underminr' to bypass domain-reputation security controls, potentially affecting over 88 million domains.

Hackers are actively exploiting a flaw in shared Content Delivery Network (CDN) infrastructure to hide malicious traffic behind trusted, high-reputation domains, effectively slipping past security tools. The technique, tracked as 'Underminr,' is not a software bug but a deliberate abuse of CDN design. Modern CDN providers serve thousands of customers through shared infrastructure and edge nodes. Attackers register their own domains with a CDN that also serves reputable websites, then craft requests that appear to head to a trusted destination while data flows to attacker-controlled servers. Security tools checking domain names or TLS handshake indicators see nothing wrong and let traffic through.
Rescana identified active exploitation and published a detailed report warning organizations about the technique's reach and real-world impact. According to ADAMnetworks research cited in the report, over 88 million domains are potentially at risk, including those hosted by major CDN providers such as Cloudflare, Akamai, AWS CloudFront, and Fastly. No CVE has been assigned as of May 2026, since the issue is architectural rather than a patch-ready software defect, meaning there is no simple update to push out.
The Underminr technique exploits how CDNs use the HTTP Host header and Server Name Indication (SNI) in TLS handshakes to route traffic. When an attacker's domain shares the same CDN edge node as a trusted domain, the attacker can send requests carrying the trusted domain's SNI while the backend handling the connection is under their control. Security appliances see a connection to a reputable name and pass it through without alerting. The use of HTTP/2 multiplexing makes detection even harder, as attackers can interleave malicious traffic with legitimate requests.
Active exploitation of Underminr has been confirmed by SecurityWeek and SC Magazine. Threat actors are using the method to drop malware, run phishing campaigns, and build resilient command-and-control channels. The tactics align with techniques historically associated with APT29 and APT41, though no direct attribution has been confirmed. The technique is scalable, difficult to block without disrupting legitimate traffic, and effective against organizations of all sizes.
Defending against Underminr requires a layered approach beyond basic perimeter filtering. Organizations should deploy deep packet inspection to match SNI and Host headers against expected CDN endpoints, and watch for unusual traffic patterns directed at high-reputation domains that do not align with normal business activity. CDN configurations should be reviewed to ensure proper isolation between tenants, and security teams should engage directly with their CDN providers to understand architectural mitigations. Updating threat intelligence feeds with known attacker-registered domains and investing in behavioral analytics can also help surface suspicious activity.
ADAMnetworks' new report, which follows their initial disclosure of the Underminr technique, provides additional technical depth on four distinct attack modes—Simple, Split, ECH, and Direct-to-IP—and explicitly links the technique to China-aligned threat groups Flax Typhoon and GALLIUM, who use tools like SoftEther VPN for C2 and data exfiltration. The researchers also warn that as IPv4 exhaustion forces greater reliance on shared CDN infrastructure, the risk of cross-tenant abuse is expected to grow, potentially enabling AI-driven campaigns to scale the technique globally. ADAMnetworks has released an online scanning tool and launched a threat-intelligence sharing initiative to help organizations detect whether their domains are vulnerable to this bypass.