Hackers Exploit CDN to Bypass Domain Reputation Abuse Shared

Jennifer Sherman
May 25, 2026

Hackers are exploiting a vulnerability within shared Content Delivery Network (CDN) infrastructure, allowing them to conceal malicious traffic behind trusted, high-reputation domains and bypass the security controls organizations depend on daily.

The technique, now tracked under the name “Underminr,” is not a software bug but a deliberate abuse of how CDNs are designed to work.

Modern CDN providers serve thousands of customers at the same time, routing traffic for all of them through shared infrastructure and edge nodes. Attackers have found a way to exploit this setup by registering their own domains with a CDN that also serves well-known, reputable websites.

Once on the same shared network, they can craft requests that look like they are heading to a trusted destination while the actual data flows straight to attacker-controlled servers. Security tools that check domain names or TLS handshake indicators see nothing wrong and let the traffic through.

Rescana said in a report shared with Cyber Security News (CSN) that it had identified active exploitation of this vulnerability and had published a detailed report warning organizations about its reach and real-world impact.

The research highlights how this technique goes far beyond what is traditionally known as domain fronting, a method that security teams have monitored for years.

According to ADAMnetworks research cited in the Rescana report, over 88 million domains are potentially at risk, including those hosted by major CDN providers such as Cloudflare, Akamai, AWS CloudFront, and Fastly.

No CVE has been assigned as of May 2026, since the issue is architectural rather than a patch-ready software defect. That means there is no simple update to push out, and the problem is expected to remain active for the foreseeable future.

How Underminr Works in Practice

The Underminr technique takes advantage of how CDNs use the HTTP Host header and Server Name Indication, or SNI, in TLS handshakes to decide where to route incoming traffic.

When an attacker’s domain shares the same CDN edge node as a trusted domain, the attacker can send requests that carry the trusted domain’s SNI while the actual backend handling the connection is entirely under their control.

Security appliances that inspect traffic at the perimeter see a connection going to a reputable name and pass it through without triggering an alert.

What makes this especially hard to catch is the use of HTTP/2 multiplexing, a protocol feature that allows multiple data streams to run over a single connection at the same time.

Attackers can interleave their malicious traffic with normal, legitimate requests, blurring the line between what is dangerous and what is routine.

Observed attacker behavior includes registering domains with CDN providers, crafting SNI-spoofed requests pointed at major SaaS providers, and routing actual payloads through their own infrastructure.

Real-World Exploitation and Threat Actor Ties

Active exploitation of Underminr has been confirmed and reported by industry outlets including SecurityWeek and SC Magazine. Threat actors are using this method to drop malware, run phishing campaigns, and build resilient command-and-control channels that avoid triggering traditional security controls.

The tactics observed align closely with techniques historically associated with APT29 and APT41, though no direct attribution to a specific group has been confirmed.

The appeal of this technique is clear. It is scalable, difficult to block without disrupting legitimate traffic, and effective against organizations of all sizes. Both state-backed actors and financially motivated criminal groups are expected to continue using it as awareness of the method grows.

The report notes that defending against Underminr requires a layered approach that moves beyond basic perimeter filtering. Organizations should deploy deep packet inspection to match SNI and Host headers against expected CDN endpoints, and watch for unusual traffic patterns directed at high-reputation domains that do not align with normal business activity.

CDN configurations should be reviewed to ensure proper isolation between tenants, and security teams should engage directly with their CDN providers to understand what architectural mitigations are being rolled out.

Updating threat intelligence feeds with known attacker-registered domains and investing in behavioral analytics can also help surface suspicious activity before it causes damage.
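The SNI/Host check recommended above, as an added example that is not part of the article or of the Rescana and ADAMnetworks research: it parses constructed DPI-style log lines, flags connections whose HTTP Host header is not an expected tenant for a trusted SNI name, and totals outbound bytes per mismatched host so the largest deviations surface first. The log format, hostnames and allowlist are assumptions.

```python
"""Added example (not from the article): detect TLS connections whose SNI
and HTTP Host header disagree, the mismatch Underminr-style traffic relies
on. Log lines, hostnames and the allowlist below are constructed."""
import re
from collections import Counter

# Constructed proxy/DPI log lines: client, TLS SNI, HTTP Host, bytes out.
SAMPLE_LOG = """\
10.0.0.5 sni=www.example-saas.com host=www.example-saas.com out=812
10.0.0.5 sni=www.example-saas.com host=cdn-tenant-x.example.net out=48213
10.0.0.7 sni=assets.example-saas.com host=assets.example-saas.com out=1290
10.0.0.9 sni=www.example-saas.com host=cdn-tenant-x.example.net out=65001
10.0.0.9 sni=www.example-saas.com host=api.example-saas.com out=300
"""

# Hypothetical allowlist: Host values that legitimately sit behind each
# trusted SNI name (assumption: populated from your own CDN configuration).
EXPECTED_HOSTS = {
    "www.example-saas.com": {"www.example-saas.com", "api.example-saas.com"},
    "assets.example-saas.com": {"assets.example-saas.com"},
}

LINE_RE = re.compile(r"^(\S+) sni=(\S+) host=(\S+) out=(\d+)$")


def parse(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, sni, host, out = m.groups()
    return {"client": client, "sni": sni, "host": host, "out": int(out)}


def sni_host_mismatches(log_text, expected=EXPECTED_HOSTS):
    """Return records whose Host header is not an expected tenant for the SNI.
    SNI names outside the allowlist are skipped: the check covers trusted names."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["sni"] not in expected:
            continue
        if rec["host"] not in expected[rec["sni"]]:
            hits.append(rec)
    return hits


def bytes_out_by_mismatch_host(log_text):
    """Total outbound bytes per mismatched Host; large totals toward a name
    that is not an expected tenant are the traffic pattern to triage first."""
    totals = Counter()
    for rec in sni_host_mismatches(log_text):
        totals[rec["host"]] += rec["out"]
    return totals
```

Run against the sample, the two connections carrying the trusted SNI but a Host of `cdn-tenant-x.example.net` are flagged, while the `api.example-saas.com` request passes because it is an allowed tenant for that SNI.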
