Underminr CDN routing flaw lets attackers disguise malicious traffic as connections to trusted domains

Researchers say attackers are exploiting a weakness in shared content delivery network (CDN) infrastructure to make malicious connections look as if they are going to legitimate websites. The technique, dubbed Underminr, is described as a variant of domain fronting that abuses mismatches between DNS lookups, the TLS server name indication (SNI), the HTTP Host header, the edge IP address, and CDN tenant routing. ADAMnetworks says it affects roughly 88 million domains and has been used to bypass Protective DNS filtering, conceal command-and-control traffic, and tunnel VPN or proxy connections over TCP port 443.
Why it matters: Organizations that rely on DNS filtering or domain allowlists could miss malicious outbound traffic that appears to be headed to trusted domains. Defenders should review CDN egress controls, correlate DNS, SNI, Host header, and destination IP telemetry so that disagreements between those layers surface, and watch for guidance or mitigations from affected providers.
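The correlation the guidance above calls for can be scripted against ordinary telemetry. The following is an added example, not code from ADAMnetworks, SecurityWeek, or the Underminr report: it takes constructed connection records (destination IP, TLS SNI, HTTP Host header where a proxy can see it, and the name the client resolved beforehand) plus a constructed resolver cache, and flags connections whose layers disagree. The `Connection` fields, the `DNS_ANSWERS` table, and the finding labels are assumptions chosen for the example; the hostnames and addresses are placeholders.

```python
"""Flag connections whose DNS, SNI, Host header and destination IP disagree.

Added example only; it is not part of the Underminr report. Every record
below is constructed sample data with placeholder names and addresses.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Connection:
    dst_ip: str                 # edge IP the client actually connected to
    sni: Optional[str]          # TLS server name the client presented
    host: Optional[str]         # HTTP Host header, if a proxy can observe it
    dns_name: Optional[str]     # hostname the client resolved just before connecting (None = no lookup seen)


# Constructed resolver cache: name -> IPs handed back by the resolver.
# cdn-tenant.example deliberately shares an edge IP with trusted.example.
DNS_ANSWERS: Dict[str, Set[str]] = {
    "trusted.example": {"203.0.113.10", "203.0.113.11"},
    "cdn-tenant.example": {"203.0.113.10"},
    "unrelated.example": {"198.51.100.5"},
}


def check_connection(conn: Connection, dns_answers: Dict[str, Set[str]]) -> List[str]:
    """Return mismatch findings for one connection; an empty list means the layers agree."""
    findings: List[str] = []
    sni = (conn.sni or "").lower()

    # The name in the TLS handshake and the name in the HTTP request should match.
    if conn.sni and conn.host and sni != conn.host.lower():
        findings.append("sni_host_mismatch")

    # A client that resolved one name but presented another in SNI is suspicious.
    if conn.sni and conn.dns_name and sni != conn.dns_name.lower():
        findings.append("sni_dns_mismatch")

    # The edge IP should be one the resolver returned for the SNI name.
    expected = dns_answers.get(sni)
    if expected is not None and conn.dst_ip not in expected:
        findings.append("ip_not_in_dns_answer")

    # A TLS connection with no preceding lookup is how DNS-based filtering gets sidestepped.
    if conn.sni and not conn.dns_name:
        findings.append("no_dns_lookup_seen")

    return findings


def triage(connections: List[Connection], dns_answers: Dict[str, Set[str]]):
    """Return (index, sni, findings) for every connection that has at least one finding."""
    results = []
    for i, conn in enumerate(connections):
        findings = check_connection(conn, dns_answers)
        if findings:
            results.append((i, conn.sni, findings))
    return results


# Constructed sample telemetry, one record per connection.
SAMPLE_CONNECTIONS = [
    Connection("203.0.113.10", "trusted.example", "trusted.example", "trusted.example"),     # consistent
    Connection("203.0.113.10", "trusted.example", "cdn-tenant.example", "trusted.example"),  # Host differs from SNI
    Connection("203.0.113.10", "trusted.example", "trusted.example", None),                  # no DNS lookup observed
    Connection("198.51.100.5", "trusted.example", "trusted.example", "trusted.example"),     # edge IP never returned for SNI
    Connection("203.0.113.10", "trusted.example", "trusted.example", "unrelated.example"),   # resolved a different name
]


if __name__ == "__main__":
    for index, sni, findings in triage(SAMPLE_CONNECTIONS, DNS_ANSWERS):
        print(f"connection {index} (SNI {sni}): {', '.join(findings)}")
```

Each finding is a triage signal rather than proof of abuse: CDNs rotate edge addresses, so `ip_not_in_dns_answer` needs a resolver cache that is fresh relative to the connection, and some legitimate services do present a Host header that differs from the SNI. The value of the script is that a connection whose destination IP is shared by many tenants is judged by whether its DNS, SNI and Host layers agree, which is exactly the consistency a domain-only allowlist never checks.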

Sources

‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains
Ionut Arghire 2026.05.23 100% relevant
This article appears to be the first tracked report establishing Underminr as a distinct, named CDN abuse technique, with active exploitation reported and broad defensive implications.