Over the last few days you may have seen news articles about a newly disclosed "CDN vulnerability" called Underminr, allegedly affecting 88 million domains worldwide. The reports are alarming, the announcement website has an impressive logo, and there is even a checker tool that will probably flag your domain as "vulnerable" if you run it through.
If a client has forwarded you one of these articles, or you have spotted your own domain on the warning list, here is the short version: you do not need to do anything, and frankly the entire announcement is much closer to a marketing campaign than to a genuine security disclosure.
This article explains what is actually being described, why it does not meaningfully affect your Joomla or WordPress site, and how to recognise this kind of overblown framing the next time you see it.
What "Underminr" is actually describing
Most modern websites — including the majority of Joomla and WordPress sites — sit behind a Content Delivery Network, or CDN. Names like Cloudflare, Fastly, and AWS CloudFront are the big ones. A CDN is essentially a global network of servers that caches and serves your site faster than your own server could, and absorbs attacks before they reach your origin.
Because CDNs work this way, thousands of customer websites share the same edge servers and the same public IP addresses. When a browser connects, it tells the CDN which website it actually wants: once in the Server Name Indication (SNI) field at the start of the TLS handshake, and again in the HTTP Host header once the connection is encrypted. The CDN looks at that label and serves the matching site.
That is not a flaw. That is the design. Without it, every website on the planet would need its own dedicated public IP address, and the internet ran out of those over a decade ago.
The "Underminr" claim, translated into plain English, is this: if a piece of malicious software is already running on someone's computer, it can ask its DNS server for the IP address of an innocent-looking domain (let's say whatismyipaddress.com), receive back a Cloudflare IP, and then connect to that IP while quietly telling Cloudflare, in the SNI field and the Host header, that it actually wants evilsite.example. Because evilsite.example is also a Cloudflare customer on the same shared edge, Cloudflare serves it. A network monitor looking only at the DNS queries sees whatismyipaddress.com and assumes everything is fine. (A monitor that also reads the SNI sees evilsite.example in the clear, unless Encrypted Client Hello is in use.)
That is the entire trick.
Why this is barely a "vulnerability"
Notice the precondition: malicious software must already be running on the victim's computer. That is not a footnote, that is the whole game. If an attacker can run code on your machine, they can do whatever they want. They can talk to any server on the internet through any of a hundred different methods: hardcoded IP addresses, encrypted DNS, messaging apps, GitHub, Google Docs, Discord webhooks. Singling out "shared CDN edge with a swapped hostname label" from that pile and christening it a brand-new vulnerability is disingenuous at best.
It is roughly equivalent to announcing the following discovery: "If an attacker is already inside your office building, they can use the shared lobby phone to call other companies in the building." Yes. That is true. It is also not a flaw in the building.
There is no patch coming, because there is nothing to patch. The CDN is doing exactly what it was designed to do. The Underminr report itself quietly admits, towards the end, that giving every customer their own dedicated IP address is not viable at internet scale. The only "fix" offered to website operators is "move to a CDN that does not do this", but by the authors' own admission most large CDNs do, because that is simply how shared hosting at scale works.
What this means for your Joomla or WordPress site
Nothing.
Your site is not under attack. Your visitors are not at risk. Nobody is gaining access to your admin panel through this. The "vulnerability check" tool on the Underminr site will probably show your domain in yellow or red, but all that really tells you is that you are hosted on the same shared infrastructure as roughly half of the web. That is not an actionable security problem — it is just a description of how the modern internet is built.
The hypothetical concern they raise for domain owners is purely reputational: in theory, some hyper-cautious corporate network somewhere might one day block your domain because some malware once used its name as misdirection. That is a remote and speculative scenario, and there is nothing sensible you can do about it today. Moreover, overzealous corporate filters have always blocked sites for arbitrary reasons; that has been our experience throughout the 28 years we have been in this industry.
How to spot this kind of campaign in the future
Here is a short field guide. None of these in isolation is damning, but when most of them appear together, your scepticism should be on full alert:
- A vulnerability with a catchy brand name, custom logo, and dedicated marketing website
- A "Have I Been [X]?" style checker tool that flags an alarmingly large portion of the internet
- Heavy reliance on language like "AI-orchestrated", "scale worldwide", and "overwhelm defenses"
- No CVE number, no coordinated disclosure with the affected vendors, and proof-of-concept code that is "redacted for security reasons"
- A mitigation that conveniently resembles a product the disclosing company already sells
- A press release that spends more words on the threat landscape than on technical specifics
Real vulnerabilities are normally announced with boring titles, exact technical detail, a CVE identifier, and a clear list of affected vendors who were notified in advance. They rarely come with a supervillain mascot.
The one grain of truth worth taking away
Buried in all of this is a genuine, if very old, point: relying purely on DNS-based filtering to control what computers on a network can reach is not sufficient. Anyone running a serious enterprise security setup already knows this, and it has been industry-standard guidance for years: because the hostname a client actually asks for travels in the TLS SNI field and the HTTP Host header, egress controls that inspect those fields, or that force all outbound web traffic through a proxy, are the standard answer. This is not something you, as a site owner or site integrator, can or need to do anything about. It is something corporate IT has to do on the company's own network, and it has nothing to do with your site.
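To make the blind spot described above concrete, here is an added example of the kind of correlation a network defender would run; it is not code from the Underminr report or from this article. It parses constructed DNS and TLS log lines (the log format, the hypothetical hosts, and the RFC 5737 documentation addresses are all assumptions made for the example) and flags any TLS connection whose SNI the client never resolved, or resolved to a different address. It goes slightly beyond the page's scenario: the same check also catches a client that skipped the corporate resolver entirely (hardcoded IP or encrypted DNS), which is the more common evasion in practice.

```python
"""Correlate DNS answers with TLS SNI to find hostnames a DNS-only monitor misses.

Added example, not from the Underminr report or this article. The log format,
hostnames and 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed DNS answer log (assumed format: "<ts> dns <client> <qname> -> <ip>").
DNS_LOG = """\
100 dns 10.0.0.5 whatismyipaddress.com -> 203.0.113.10
101 dns 10.0.0.5 cdn.example.net -> 203.0.113.20
"""

# Constructed TLS ClientHello log (assumed format: "<ts> tls <client> <ip>:<port> sni=<name>").
# 102: benign, SNI matches what was resolved.
# 103: the Underminr trick: same CDN IP as 102, but SNI names a site never looked up.
# 104: benign.
# 105: no DNS lookup at all (hardcoded IP or DNS-over-HTTPS), also invisible to DNS filtering.
# 106: SNI was resolved, but the client connected to a different address than it was given.
TLS_LOG = """\
102 tls 10.0.0.5 203.0.113.10:443 sni=whatismyipaddress.com
103 tls 10.0.0.5 203.0.113.10:443 sni=evilsite.example
104 tls 10.0.0.5 203.0.113.20:443 sni=cdn.example.net
105 tls 10.0.0.5 198.51.100.7:443 sni=api.example.org
106 tls 10.0.0.5 203.0.113.30:443 sni=whatismyipaddress.com
"""

DNS_RE = re.compile(r"^(\d+) dns (\S+) (\S+) -> (\S+)$")
TLS_RE = re.compile(r"^(\d+) tls (\S+) ([^:\s]+):(\d+) sni=(\S+)$")


class TlsConn(NamedTuple):
    ts: int
    client: str
    dst_ip: str
    sni: str


class Finding(NamedTuple):
    conn: TlsConn
    reason: str


def _norm(name: str) -> str:
    """Case-fold and strip a trailing dot so DNS and SNI spellings compare equal."""
    return name.lower().rstrip(".")


def parse_dns(log: str) -> dict[str, dict[str, set[str]]]:
    """Return client -> qname -> set of answer IPs that client was handed."""
    seen: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            _ts, client, qname, ip = m.groups()
            seen[client][_norm(qname)].add(ip)
    return seen


def parse_tls(log: str) -> list[TlsConn]:
    """Return one TlsConn per logged ClientHello, SNI normalised."""
    conns = []
    for line in log.splitlines():
        m = TLS_RE.match(line.strip())
        if m:
            ts, client, ip, _port, sni = m.groups()
            conns.append(TlsConn(int(ts), client, ip, _norm(sni)))
    return conns


def dns_only_view(dns_log: str) -> set[str]:
    """Every hostname a monitor that reads only DNS queries believes was contacted."""
    return {q for per_client in parse_dns(dns_log).values() for q in per_client}


def find_unresolved_sni(dns_log: str, tls_log: str) -> list[Finding]:
    """Flag TLS connections whose SNI this client never resolved, or resolved elsewhere."""
    resolved = parse_dns(dns_log)
    findings = []
    for conn in parse_tls(tls_log):
        answers = resolved.get(conn.client, {}).get(conn.sni)
        if answers is None:
            findings.append(Finding(conn, "sni never resolved by this client"))
        elif conn.dst_ip not in answers:
            findings.append(Finding(conn, "sni resolved to a different address"))
    return findings


if __name__ == "__main__":
    print("DNS-only monitor saw:", sorted(dns_only_view(DNS_LOG)))
    for f in find_unresolved_sni(DNS_LOG, TLS_LOG):
        c = f.conn
        print(f"{c.ts} {c.client} -> {c.dst_ip} sni={c.sni}: {f.reason}")
```

Treat the output as a hunting lead rather than a block rule: a resolver cache warmed before the log window, a CNAME chain, or a second resolver will all produce benign mismatches, and none of this sees anything once Encrypted Client Hello hides the SNI, which is why an explicit egress proxy remains the more robust control.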
For a typical Joomla or WordPress site operator, this changes nothing about how you should run your site. Keep your software up to date, take regular backups, use strong passwords and two-factor authentication on your admin accounts, and ignore Underminr.
Bottom line
A vendor has dressed up a long-known property of shared CDN infrastructure as a brand-new vulnerability, attached a logo to it, and pushed it to the tech press. The press largely repeated the framing without scrutiny. Your site is fine. You do not need to do anything. You can confidently tell any client who panics about it that this one is not worth their time.