Underminr CDN Misrouting Vulnerability Exploited to Conceal Malicious Traffic via Shared Edge Infrastructure
Summary
Threat actors are actively exploiting a weakness in shared content delivery network (CDN) edge infrastructure, dubbed Underminr, to conceal malicious connections behind trusted domains. The technique abuses CDN tenant routing misconfigurations: the client presents the Server Name Indication (SNI) and HTTP Host header of a reputable domain but opens the TCP connection to the IP address of a different tenant on the same shared edge. Because protective DNS (PDNS) and domain-based egress policies key on the name rather than on the destination IP, the mismatched connection looks like legitimate traffic to the trusted domain while actually terminating at the other tenant. Underminr has been observed in attacks against large-scale hosting providers, including ones that had previously mitigated domain fronting, and is being used to hide command-and-control (C2) communications, VPN connections and proxy traffic. Approximately 88 million domains are potentially affected worldwide, with the highest concentrations in the US, UK and Canada.
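One practical check for the name/IP mismatch described above, added here as an example and not taken from the SecurityWeek report or from any CDN or PDNS vendor's tooling: correlate each TLS connection's SNI and destination IP with the DNS answers the same client received shortly before. A connection whose destination IP never appeared in a DNS answer for the SNI it presents, or for which the client never resolved that name at all, is exactly the pattern Underminr relies on. The log layouts, addresses, timestamps, the freshness window and the function names (`parse_dns`, `parse_tls`, `find_mismatches`) are constructed assumptions for illustration.

```python
"""Correlate TLS connections with prior DNS answers to surface SNI/IP mismatches.

Added example, not code from the report or from any CDN/PDNS vendor. The log
layouts, addresses, timestamps and freshness window are constructed assumptions;
a real deployment parses its own collector's formats (resolver logs, TLS or
flow logs) into the same tuples.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed DNS answer log: ts client qname answer_ip
DNS_LOG = """\
1000 10.0.0.5 cdn.trusted.example 203.0.113.10
1000 10.0.0.5 cdn.trusted.example 203.0.113.11
1300 10.0.0.7 cdn.trusted.example 203.0.113.10
"""

# Constructed TLS connection log: ts client dst_ip dst_port sni
# 203.0.113.99 stands in for another tenant's address on the same edge.
TLS_LOG = """\
1001 10.0.0.5 203.0.113.10 443 cdn.trusted.example
1002 10.0.0.5 203.0.113.99 443 cdn.trusted.example
1400 10.0.0.7 203.0.113.10 443 cdn.trusted.example
1500 10.0.0.9 203.0.113.99 443 cdn.trusted.example
"""

WINDOW_SECONDS = 3600  # how long a DNS answer is treated as fresh (assumption)


@dataclass(frozen=True)
class Finding:
    ts: int
    client: str
    dst_ip: str
    sni: str
    reason: str


def parse_dns(text):
    """Map (client, qname) -> list of (ts, answer_ip) from the DNS log."""
    answers = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, ip = line.split()
        answers[(client, qname.lower().rstrip("."))].append((int(ts), ip))
    return answers


def parse_tls(text):
    """Yield (ts, client, dst_ip, dst_port, sni) tuples from the TLS log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst_ip, dst_port, sni = line.split()
        yield int(ts), client, dst_ip, int(dst_port), sni.lower().rstrip(".")


def find_mismatches(dns_text, tls_text, window=WINDOW_SECONDS):
    """Return connections whose destination IP was not a fresh DNS answer for the SNI.

    Two cases are reported separately: the client never resolved the SNI at all
    (typical of a hard-coded edge IP), and it resolved the name but connected to
    an address that was not among the answers.
    """
    answers = parse_dns(dns_text)
    findings = []
    for ts, client, dst_ip, _port, sni in parse_tls(tls_text):
        fresh = {ip for ats, ip in answers.get((client, sni), ())
                 if 0 <= ts - ats <= window}
        if not fresh:
            findings.append(Finding(ts, client, dst_ip, sni,
                                    "no fresh DNS answer for SNI from this client"))
        elif dst_ip not in fresh:
            findings.append(Finding(ts, client, dst_ip, sni,
                                    "destination IP not among DNS answers for SNI"))
    return findings


if __name__ == "__main__":
    for f in find_mismatches(DNS_LOG, TLS_LOG):
        print(f"{f.ts} {f.client} -> {f.dst_ip} sni={f.sni}: {f.reason}")
```

Treat a hit as a lead rather than proof: CDN answers vary per resolver and rotate quickly, clients using DNS over HTTPS leave no entry in the resolver log, and Encrypted Client Hello removes the SNI from view entirely. Where a forward proxy terminates TLS, the same comparison can be made against the HTTP Host header, which Underminr also spoofs.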
Timeline
- 23.05.2026 14:00 · 1 article
Underminr CDN Misrouting Vulnerability Actively Exploited in the Wild
Threat actors are exploiting a CDN edge misrouting vulnerability dubbed Underminr to conceal malicious traffic behind trusted domains, enabling evasion of protective DNS and network egress policies. The technique abuses shared infrastructure by mismatching SNI and HTTP Host headers with destination IPs, impacting approximately 88 million domains globally.
Source: ‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains — www.securityweek.com — 23.05.2026 14:00
Information Snippets
- Underminr exploits CDN edge routing misconfigurations: the client presents the SNI and HTTP Host header of one tenant's domain while connecting to the IP address assigned to a different tenant on the same shared infrastructure.
First reported: 23.05.2026 14:00 (1 source, 1 article: www.securityweek.com)
- The vulnerability lets attackers bypass Protective DNS (PDNS) and network egress policies: the traffic carries the name of an allowed domain, so domain-based controls let it through, while the connection actually terminates at a different destination on the shared edge.
First reported: 23.05.2026 14:00 (1 source, 1 article: www.securityweek.com)
- Threat actors are leveraging Underminr to conceal command-and-control communications, VPN traffic, and proxy connections, primarily over TCP port 443.
First reported: 23.05.2026 14:00 (1 source, 1 article: www.securityweek.com)
- Underminr can be exploited using four distinct strategies to evade DNS monitoring and filtering services, including malicious applications, shell scripts, and ClickFix attacks.
First reported: 23.05.2026 14:00 (1 source, 1 article: www.securityweek.com)
- Approximately 88 million domains are potentially affected by Underminr, with the highest impact observed in the US, UK, and Canada.
First reported: 23.05.2026 14:00 (1 source, 1 article: www.securityweek.com)