
Underminr Vulnerability Threatens 88 Million Domains with Brand Hijacking

Severity: High (Score: 69.8)

Sources: Morningstar, Darkreading, www.cybersecuritydive.com

Published: 2026-05-21 · Updated: 2026-05-21

Keywords: vulnerability, exploit, adamnetworks, research, uncovers, internet, infrastructure

Severity indicators: vulnerability

Summary

ADAMnetworks has identified a new vulnerability named Underminr that affects approximately 88 million domains globally, with a heightened risk in the US, Canada, and the UK. This exploit allows attackers to hijack trusted websites by manipulating web requests, effectively evading existing security measures. The vulnerability builds upon techniques similar to legacy domain fronting, which had been largely mitigated by content delivery networks (CDNs) in 2018. Underminr is currently under active exploitation, posing a significant threat as it can be scaled through AI-driven malware campaigns. The vulnerability primarily affects shared hosting ecosystems and allows attackers to bypass security protocols when connecting to command and control (C2) servers or exfiltrating data. ADAMnetworks is collaborating with industry partners to provide detection tools and an impact report for defenders. The vulnerability is particularly concerning due to its potential to undermine critical internet infrastructure.

Key Points:

  • Underminr affects approximately 88 million domains globally, with a high risk in the US.
  • The vulnerability allows attackers to hijack trusted domains and evade detection.
  • ADAMnetworks is actively collaborating with industry partners to mitigate the threat.

Detailed Analysis

**Impact**

Approximately 88 million domains worldwide are vulnerable to Underminr, with 42% of the top five million websites exposed. The US, Canada, and UK face the highest risk, with US vulnerability at 51%, over twice that of Russia and six times that of China. Affected sectors include any relying on shared hosting and CDN services, risking brand hijacking, data exfiltration, and malicious command-and-control operations. Trusted domains may suffer reputational damage and legal or operational consequences due to association with attacker activity.

**Technical Details**

Underminr exploits weaknesses in DNS and CDN interactions, specifically targeting shared hosting environments where multiple domains share edge IPs. Attackers manipulate the HTTP Host header and Server Name Indication (SNI) fields to route traffic through trusted domains while directing users to malicious sites, bypassing DNS filters and detection systems. This technique revives domain fronting tactics neutralized in 2018 but with new evasion methods, enabling stealthy command-and-control and data exfiltration. No CVEs or specific malware names were disclosed; the attack occurs during the initial connection and routing stages of the kill chain.

**Recommended Response**

Defenders should deploy detection tools capable of identifying anomalous HTTP Host header and SNI mismatches and monitor for traffic patterns indicative of domain fronting abuse. Collaboration with CDN providers to implement cross-verification between DNS and CDN routing is advised, though no immediate patch exists. Utilize ADAMnetworks’ open-source detection application and regularly check domain vulnerability status via their public portal. Prioritize monitoring for AI-orchestrated malware campaigns leveraging this exploit and update incident response plans accordingly.
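The Host/SNI mismatch check recommended above, as an added detection example that is not ADAMnetworks' tool or any code from the source articles. It assumes a TLS-inspecting proxy log with one request per line (timestamp, client, destination IP, SNI, Host header; all sample lines are constructed) and uses a last-two-labels approximation of the registrable domain so that same-site differences such as www vs. static are not reported.

```python
"""Flag requests whose TLS SNI and HTTP Host header name different registrable
domains: the traffic shape the page attributes to Underminr / domain fronting.
Log layout is an assumption for this example, not any vendor's real format."""
from collections import Counter

# Constructed sample lines: timestamp client dst_ip sni host_header ("-" = absent)
SAMPLE_LOG = """\
2026-05-21T10:00:01Z 10.0.0.5 203.0.113.10 www.example.com www.example.com
2026-05-21T10:00:02Z 10.0.0.5 203.0.113.10 www.example.com static.example.com
2026-05-21T10:00:03Z 10.0.0.7 203.0.113.10 www.example.com c2.attacker-test.invalid
2026-05-21T10:00:04Z 10.0.0.7 203.0.113.10 www.example.com c2.attacker-test.invalid
2026-05-21T10:00:05Z 10.0.0.9 203.0.113.11 - legacy.example.org
"""


def registrable_domain(name: str) -> str:
    """Collapse a hostname to its last two labels. Simplification: a production
    detector should use the Public Suffix List so that e.g. co.uk is handled."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    ts, client, dst, sni, host = line.split()
    return {"ts": ts, "client": client, "dst": dst,
            "sni": None if sni == "-" else sni, "host": host}


def find_fronting_candidates(log_text: str) -> list:
    """Return records whose Host and SNI disagree at registrable-domain level.
    Requests with no SNI cannot be compared and are reported with their own
    reason so they are triaged rather than silently dropped."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["sni"] is None:
            rec["reason"] = "no_sni"
            findings.append(rec)
        elif registrable_domain(rec["sni"]) != registrable_domain(rec["host"]):
            rec["reason"] = "sni_host_mismatch"
            findings.append(rec)
    return findings


def summarize(findings: list) -> Counter:
    """Count mismatches per (sni, host) pair so repeated fronting through one
    trusted domain stands out from one-off misconfigurations."""
    return Counter((f["sni"], f["host"]) for f in findings
                   if f["reason"] == "sni_host_mismatch")


if __name__ == "__main__":
    for key, n in summarize(find_fronting_candidates(SAMPLE_LOG)).most_common():
        print(f"{n:3d}x  SNI={key[0]}  Host={key[1]}")
```

Correlate the destination IP of each hit with the CDN edges your own domains resolve to; a mismatch landing on a shared edge is the case the analysis above describes.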

Source articles (3)

  • ADAMnetworks' Research Uncovers Vulnerability in Internet Infrastructure, Affecting 88 ... — Morningstar · 2026-05-21
    ADAMnetworks’ Research Uncovers Vulnerability in Internet Infrastructure, Affecting 88 Million Domains Code-named, Underminr, the vulnerability is under active exploit and has the potential to overwhe…
  • Cloudflare — www.cybersecuritydive.com · 2026-05-21
  • Content Delivery Exploit Opens Websites to Brand Hijacking — Darkreading · 2026-05-21
    The Underminr domain-fronting attack allows threat actors to modify Web requests and leverage trusted websites to cloak malicious activity. Researchers are sounding the alarm on a class of exploit inh…

Timeline

  • 2026-05-21 — ADAMnetworks announces Underminr vulnerability: ADAMnetworks reveals the Underminr vulnerability affecting 88 million domains, with active exploitation reported.
  • 2026-05-21 — Darkreading reports on Underminr attack method: Darkreading highlights how Underminr exploits web requests to hijack brand reputations of legitimate websites.

Related entities

  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Canada (Country)
  • China (Country)
  • Russia (Country)
  • businesswire.com (Domain)
  • theguardian.com (Domain)
  • Healthcare (Industry)
  • Manufacturing (Industry)
  • 104.16.224.171 (Ipv4)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • Cloudflare (Company)
  • Fastly (Platform)
  • Domain Fronting (Vulnerability)
  • Underminr (Vulnerability)