Your domain has a good reputation. It resolves to a CDN edge IP that firewalls and protective DNS services trust. Security tools see traffic to your domain and wave it through. But what if an attacker could use that trust, your clean IP, your good name, to mask a connection to a completely different, malicious destination?

That's exactly what the Underminr vulnerability, disclosed by ADAMnetworks in May 2026, demonstrates. It's a technique that exploits how modern CDNs, shared hosting, and DNS interact, allowing adversaries to hide malicious connections behind legitimate domains. The scale is staggering: conservative estimates suggest over 58 million domains are vulnerable, and the expanded mapping puts the number closer to 88 million.

This isn't a theoretical attack. ADAMnetworks has confirmed observed abuse in the wild. The Underminr research specifically references SoftEther VPN as a deployment tool for these techniques. SoftEther VPN is a tool used by Flax Typhoon, a China-aligned APT group that Microsoft has tracked since 2021 targeting government, education, and critical manufacturing organizations, primarily in Taiwan but expanding globally. The combination of CDN shared-edge abuse with nation-state tradecraft makes this a serious concern for any organization with domains on shared infrastructure.