Hackers Exploit Shared CDN Infrastructure in 'Underminr' Technique to Bypass Domain Reputation Security
Attackers are abusing shared CDN infrastructure in a technique called 'Underminr' to bypass domain-reputation security controls, potentially affecting over 88 million domains.

Hackers are actively exploiting a flaw in shared Content Delivery Network (CDN) infrastructure to hide malicious traffic behind trusted, high-reputation domains, effectively slipping past security tools. The technique, tracked as 'Underminr,' is not a software bug but a deliberate abuse of CDN design. Modern CDN providers serve thousands of customers through shared infrastructure and edge nodes. Attackers register their own domains with a CDN that also serves reputable websites, then craft requests that appear to head to a trusted destination while data flows to attacker-controlled servers. Security tools checking domain names or TLS handshake indicators see nothing wrong and let traffic through.
Rescana identified active exploitation and published a detailed report warning organizations about the technique's reach and real-world impact. According to ADAMnetworks research cited in the report, over 88 million domains are potentially at risk, including those hosted by major CDN providers such as Cloudflare, Akamai, AWS CloudFront, and Fastly. No CVE has been assigned as of May 2026, since the issue is architectural rather than a patch-ready software defect, meaning there is no simple update to push out.
The Underminr technique exploits how CDNs use the HTTP Host header and Server Name Indication (SNI) in TLS handshakes to route traffic. When an attacker's domain shares the same CDN edge node as a trusted domain, the attacker can open a connection whose SNI names the trusted domain while the request inside it carries a Host header for their own domain, so the edge routes it to a backend under their control. Security appliances see a connection to a reputable name and pass it through without alerting. The use of HTTP/2 multiplexing makes detection even harder, as attackers can interleave malicious traffic with legitimate requests.
Active exploitation of Underminr has been confirmed by SecurityWeek and SC Magazine. Threat actors are using the method to drop malware, run phishing campaigns, and build resilient command-and-control channels. The tactics align with techniques historically associated with APT29 and APT41, though no direct attribution has been confirmed. The technique is scalable, difficult to block without disrupting legitimate traffic, and effective against organizations of all sizes.
Defending against Underminr requires a layered approach beyond basic perimeter filtering. Organizations should deploy deep packet inspection to match SNI and Host headers against expected CDN endpoints, and watch for unusual traffic patterns directed at high-reputation domains that do not align with normal business activity. CDN configurations should be reviewed to ensure proper isolation between tenants, and security teams should engage directly with their CDN providers to understand architectural mitigations. Updating threat intelligence feeds with known attacker-registered domains and investing in behavioral analytics can also help surface suspicious activity.
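The SNI-versus-Host check described above, as an added example (not code from Rescana or any CDN provider): it scans a constructed log from a TLS-inspecting proxy that records, per connection, the SNI from the ClientHello, the Host header from the decrypted request and the destination edge IP, and flags the two signals the article names, a Host that does not match the SNI and a trusted name reaching an edge outside the ranges the organisation expects for it. The log field names and the expected-edge map are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample log (field names assumed, not any product's format):
# one line per connection from a TLS-inspecting proxy.
SAMPLE_LOG = """\
uid=c1 dst=203.0.113.10 sni=cdn.example-trusted.com host=cdn.example-trusted.com
uid=c2 dst=203.0.113.10 sni=cdn.example-trusted.com host=updates.attacker-registered.example
uid=c3 dst=198.51.100.7 sni=static.example-trusted.com host=static.example-trusted.com
uid=c4 dst=192.0.2.200 sni=cdn.example-trusted.com host=cdn.example-trusted.com
"""

# Assumed: the organisation's own map of which CDN edge ranges each trusted
# name is expected to be served from (constructed documentation ranges).
EXPECTED_EDGES = {
    "cdn.example-trusted.com": [ipaddress.ip_network("203.0.113.0/24")],
    "static.example-trusted.com": [ipaddress.ip_network("198.51.100.0/24")],
}


@dataclass
class Finding:
    uid: str
    reason: str


def parse_line(line):
    # key=value pairs separated by whitespace
    return dict(kv.split("=", 1) for kv in line.split())


def check_record(rec):
    findings = []
    sni = rec["sni"].lower()
    host = rec["host"].lower().split(":")[0]  # drop an explicit port
    dst = ipaddress.ip_address(rec["dst"])
    # Core Underminr signal: the handshake names one tenant, the request
    # inside it is addressed to another tenant on the same shared edge.
    if host != sni:
        findings.append(Finding(rec["uid"], f"sni/host mismatch: {sni} vs {host}"))
    # A trusted name being served from an edge outside its expected ranges.
    expected = EXPECTED_EDGES.get(sni)
    if expected is not None and not any(dst in net for net in expected):
        findings.append(Finding(rec["uid"], f"{sni} served from unexpected edge {dst}"))
    return findings


def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(check_record(parse_line(line)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.uid, f.reason)
```

On the sample log the scan reports c2 (Host names a different tenant than the SNI) and c4 (trusted SNI reaching an edge outside its expected range); a wildcard or alias scheme would need the equality check relaxed to whatever names the organisation legitimately serves.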