ADAMnetworks CEO David Redekop disclosed a newly identified vulnerability class called Underminr on May 23, 2026 — a technique that exploits shared CDN infrastructure to hide malicious command-and-control connections behind trusted domain names, affecting approximately 88 million domains hosted on large-scale CDN providers in the US, UK, and Canada.
How Underminr Routes Attacker C2 Through Legitimate CDN Tenant Names
Underminr is a variant of domain fronting, a technique that CDN providers partially mitigated between 2018 and 2020, but it exploits a detection gap that those prior mitigations left open. The attack works by exploiting the lack of correlation between DNS resolution results, CDN edge IP addresses, TLS SNI values, HTTP Host headers, and CDN tenant routing decisions.
An attacker using Underminr presents the TLS SNI value and HTTP Host header of a legitimate, trusted domain while forcing the request to route to the edge IP address of a different CDN tenant, one the attacker controls. From the perspective of DNS-based security filters and network monitoring tools, the connection appears to originate from and terminate at a trusted domain. The traffic actually reaches attacker-controlled infrastructure hosted on the same CDN platform.
What Underminr Enables Attackers to Do — and What Defenders Cannot See
The technique has several practical applications for malicious actors. Underminr can hide command-and-control server connections in a way that passes through CDN security controls and evades network egress policies. It can circumvent DNS-based security filtering, since the request appears to resolve to a trusted hostname. It can also deliver payloads like ClickFix through what appears to be legitimate HTTPS traffic to a domain already on an organization’s allowlist.
Approximately 80% or more of affected infrastructure routes through major CDN providers, according to Redekop’s disclosure. No CVE has been assigned and no patch exists at the time of disclosure. Remediation requires CDN providers themselves to implement correlation of DNS, SNI, and Host header data across tenant routing decisions — a change that requires action from the CDN platform, not from individual organizations or website operators.
Why DNS Filtering and Domain Allowlisting Cannot Stop Underminr
The disclosure has direct implications for enterprise defense-in-depth strategies built around DNS filtering and domain allowlisting. Both controls are commonly deployed as core perimeter defenses against C2 traffic. Underminr bypasses both without modification, because the traffic appears to go to a domain that passes DNS checks and may already be explicitly trusted.
The 88-Million-Domain Scale and Persistent CDN Exposure
The 88-million-domain estimate reflects the scale of CDN-hosted infrastructure worldwide, not the number of domains under attacker control. The vulnerability exists at the CDN platform level, meaning any of the approximately 88 million affected domains could be used as cover for C2 traffic by an attacker who understands the technique — without those domain operators’ knowledge or involvement.
Domain fronting was previously used by nation-state threat actors and ransomware operators to obscure C2 traffic. CDN providers’ 2018–2020 mitigations significantly reduced that avenue but did not eliminate the underlying class of CDN tenant isolation assumptions that Underminr exploits. Until CDN providers implement the recommended correlation controls, security teams should recognize that blocking known-bad C2 IPs or domain names will not reliably detect or block Underminr-based C2 activity.
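The correlation the disclosure asks CDN providers to perform (DNS answer, edge IP, SNI, Host) can be approximated from the enterprise side using the organization's own resolver and TLS-proxy logs. The following is an added example written for this article; it is not code from ADAMnetworks or from the disclosure. The log record formats, hostnames, IP addresses and the 600-second acceptance window are constructed assumptions. It flags three patterns: a connection whose SNI names a domain the client never resolved, a connection whose destination IP is not among the addresses the client was actually given for that SNI (the Underminr-style pattern described above: trusted SNI and Host, different edge IP), and the classic fronting case where Host and SNI disagree.

```python
"""Correlate DNS answers with TLS connection metadata to surface connections
whose SNI does not match the IP the client resolved for that name.

Added illustration, not ADAMnetworks' code. Log formats, names and IPs are
constructed for the example; 198.51.100.0/24 and 203.0.113.0/24 are
documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass

DNS_WINDOW = 600  # seconds a DNS answer is considered "live" (assumed value)


@dataclass
class DnsAnswer:
    ts: int        # epoch seconds the answer was seen by the resolver
    client: str    # querying client IP
    qname: str     # queried name
    ips: tuple     # A/AAAA answers returned


@dataclass
class TlsConn:
    ts: int
    client: str
    dst_ip: str    # edge IP the client actually connected to
    sni: str       # TLS SNI presented in ClientHello
    host: str      # HTTP Host seen by an inspecting proxy; "" if not visible


@dataclass
class Finding:
    conn: TlsConn
    reason: str


def _norm(name):
    return name.lower().rstrip(".")


def build_resolution_index(dns_log):
    """Map (client, qname) -> list of (ts, frozenset of answered IPs)."""
    idx = defaultdict(list)
    for a in dns_log:
        idx[(a.client, _norm(a.qname))].append((a.ts, frozenset(a.ips)))
    return idx


def resolved_ips(idx, client, name, at_ts):
    """IPs this client received for `name` within DNS_WINDOW before at_ts."""
    ips = set()
    for ts, answer in idx.get((client, _norm(name)), []):
        if ts <= at_ts <= ts + DNS_WINDOW:
            ips |= answer
    return ips


def correlate(dns_log, conn_log):
    """Return findings for connections whose SNI/Host/DNS/IP do not line up."""
    idx = build_resolution_index(dns_log)
    findings = []
    for c in conn_log:
        if not c.sni:
            continue  # no SNI to correlate against
        if c.host and _norm(c.host) != _norm(c.sni):
            findings.append(Finding(c, "host-sni-mismatch"))  # classic fronting
            continue
        ips = resolved_ips(idx, c.client, c.sni, c.ts)
        if not ips:
            findings.append(Finding(c, "no-dns-resolution-for-sni"))
        elif c.dst_ip not in ips:
            # trusted SNI and Host, but the client went to an edge IP it was
            # never given for that name: the Underminr-style pattern
            findings.append(Finding(c, "dst-ip-not-in-dns-answers"))
    return findings


# Constructed sample logs: one resolver answer, four TLS connections.
SAMPLE_DNS = [
    DnsAnswer(1000, "10.0.0.5", "www.trusted.example",
              ("198.51.100.10", "198.51.100.11")),
]
SAMPLE_CONNS = [
    TlsConn(1010, "10.0.0.5", "198.51.100.10", "www.trusted.example", "www.trusted.example"),  # benign
    TlsConn(1020, "10.0.0.5", "203.0.113.40", "www.trusted.example", "www.trusted.example"),   # different edge IP
    TlsConn(1030, "10.0.0.5", "198.51.100.10", "www.trusted.example", "cdn-tenant-b.example"),  # Host != SNI
    TlsConn(1040, "10.0.0.7", "198.51.100.10", "www.trusted.example", ""),                      # client never resolved it
]


def demo():
    """Run the sample logs through correlate() and return compact rows."""
    return [(f.conn.client, f.conn.dst_ip, f.conn.sni, f.reason)
            for f in correlate(SAMPLE_DNS, SAMPLE_CONNS)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Treat these findings as a triage signal rather than a verdict: CDN answers rotate quickly and clients cache across TTLs, so a real deployment needs resolver logs from the same vantage point as the proxy logs and a window tuned to observed TTLs. It also cannot see inside the CDN's tenant routing, which is why the disclosure places the authoritative fix with the CDN providers.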
