I am currently struggling with this as it creates random subdomains so far and i am not looking to upgrade to find out about the prod.

This is not vulnerable because of following reasons:

1. Acquia generates a generic unique IP address for customers when creating environment.
2. Since IP address is unique, you must either spam creating environments yet it's still unclear and each creation process takes around 30 minutes.
3. To enable adding custom domain feature, you must subscribe for it and it's way too much costly, while they do not directly charge you, it's still not worth because of unclear state of IP address is being used or not

Let me show you some information with screenshots

As we can see from below Acquia generates unique IP:

When adding custom domain Acquia verifies that domain is resolving into IP address they provided you:

I also used one of my own domains to verify the state:

So basically Acquia is not vulnerable or way over edge case.

Was digging into this lately and found https://docs.acquia.com/resource/definitions/realm/:

Some common realms include, but aren’t limited to the following:

• Cloud Platform Enterprise: prod
• Cloud Platform Professional: devcloud
• Site Factory: The value can vary for Site Factory subscribers. To identify the correct realm for an Site Factory subscription, contact Acquia support.

Cloud Platform will display the realm for your subscription in the default domain name included with your subscription. For example, a default domain name for a website in an Cloud Platform Professional subscription can be examplesite.devcloud.acquia-sites.com.

It seems that the aforementioned (randomly generated subdomains etc.) is true for "Cloud Platform Professional" customers. Enterprise customers seem to have predictably generated subdomains with a different "realm" — the devcloud vs. prod part in the provided URL.

tldr;

"So basically Acquia is not vulnerable or way over edge case."

What is the CNAME for this service?

how to get free trial on this service ?

Hi I have takeover the a acquia cloud subdomain of Starbucks where I get $640 because the domain was disconnected after free trial so only $640 it is a vulnerable subdomain you can use whatweb tool to see the vulnerable if the content has Acquia HTML install
something like this then it is 100% vulnerable one
Here is one hackerone disclosed report mine report was not published now but there is one

https://hackerone.com/reports/874482

Hi I have takeover the a acquia cloud subdomain of Starbucks where I get $640 because the domain was disconnected after free trial so only $640 it is a vulnerable subdomain you can use whatweb tool to see the vulnerable if the content has Acquia HTML install something like this then it is 100% vulnerable one Here is one hackerone disclosed report mine report was not published now but there is one

https://hackerone.com/reports/874482

This is just a dangling subdomain not a takeover.