- What: New network exploitation technique similar to domain fronting
- Impact: Potential for hiding malicious traffic
‘Underminr’ exploitation poses similar risks to domain fronting, researchers say

May 22, 2026
By Laura French

A weakness in the way many large-scale hosting providers implement internet-bound connections, dubbed Underminr, could be exploited to mask malicious connections in a manner reminiscent of domain fronting, ADAMnetworks reported Thursday.

Domain fronting is a technique in which a connection to a disallowed domain is disguised as a connection to an allowed domain served by the same content delivery network (CDN). The client sends an HTTPS request that names the allowed domain in the Server Name Indication (SNI) extension of the TLS ClientHello, while the real destination is named in the HTTP Host header, which travels encrypted inside the TLS session. Network monitors therefore see only the allowed domain, yet the CDN routes the request according to the Host header and serves the disallowed content from its shared edge.

Most major CDNs now prevent domain fronting, which has historically been used both to bypass censorship and to facilitate cyberattacks. In 2017, Mandiant, now part of Google Cloud, found that APT29, also known as "Cozy Bear," used domain fronting to make connections from its backdoors appear as traffic to legitimate websites.

ADAMnetworks researchers say Underminr has the same effect as domain fronting but works by a different method that a large number of CDNs have not addressed. As in domain fronting, the initial DNS query is for the allowed domain and resolves to the CDN's IP address. Unlike domain fronting, the disallowed target domain is then presented in both the SNI field and the HTTP Host header. Because the SNI and Host header match, the anti-fronting checks CDNs have deployed do not fire and the content is delivered, ADAMnetworks explained.
However, network defenses designed to block specific domains still only “see” the allowed domain, resolved by DNS to the CDN’s IP address, according to the Underminr report. ADAMnetworks said it has already seen exploitation of the Underminr technique by “Insider threats” to “circumvent protections” but has not yet seen its widespread use by external threat actors.

The researchers found, based on an analysis of nearly 5 million top-ranking websites from the Tranco dataset and 73 CDN providers, that about 42% of domains and 33 providers were susceptible to Underminr exploitation.

“ADAMnetworks communicated directly with many of the largest CDNs. The short answer we got so far was that they did not really see this as a problem because it does not affect their bottom line yet. This is a repeat of the legacy Domain Fronting history, before enough abuse took place for them to resolve that,” an ADAMnetworks spokesperson told SC Media.

Quad9, a cybersecurity-focused DNS service provider that analyzed the Underminr report, told SC Media that Underminr is not technically a “bug” but can be “a security problem for many networks.”

“We see this issue as an outcome of increased centralization of CDN and hosting infrastructure, where many thousands (or hundreds of thousands) of domains are hosted on the same IP address. This creates the potential for installed malware to look up one name in the DNS, but then connect to a different resource on the resolved IP address via a different protocol indicator,” Quad9 Chief Technology Officer John Todd said in an email.

“This is of course quite concerning, but to our knowledge does not violate any standards. It is obviously unexpected use of the protocols which we see as primarily useful to transport content that is not authorized by the local network operator, who may be using the DNS to provide basic filter against connections to sites that are disallowed by local policy,” Todd continued.
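The defender-side consequence of the mechanism above is that DNS-based filtering and TLS-based filtering each see only half of the picture: the DNS log shows the allowed name, the TLS ClientHello shows the real name, and only correlating the two by client and destination IP exposes the Underminr pattern (domain fronting, by contrast, keeps the SNI consistent with the resolved name and is invisible to this check). The following is an added example, not code from the article and not ADAMnetworks' Outminr tool. It assumes a sensor that produces per-client DNS answers and per-flow TLS SNI values, the kind of fields Zeek's dns.log and ssl.log carry; every IP address, hostname, TTL and timestamp in it is constructed for the demonstration.

```python
"""Passive Underminr-style detector: correlate DNS answers with TLS SNI.

Added example, not the article's or ADAMnetworks' Outminr code.  Assumes a
sensor that yields (a) DNS answers per client and (b) TLS ClientHello SNI per
flow.  Every IP, name, TTL and timestamp below is constructed for the demo.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def normalize(name: str) -> str:
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


@dataclass
class DnsEvent:
    ts: float           # seconds since epoch (constructed)
    client: str         # IP of the client that asked
    qname: str          # name the client asked for
    answers: List[str]  # A/AAAA records in the reply
    ttl: int = 300      # seconds the answer may be cached


@dataclass
class TlsEvent:
    ts: float
    client: str
    dst_ip: str
    sni: Optional[str]  # None when the ClientHello has no SNI extension


@dataclass
class Finding:
    verdict: str        # "sni_mismatch" | "no_dns" | "no_sni"
    client: str
    dst_ip: str
    sni: Optional[str]
    resolved_names: List[str] = field(default_factory=list)


class SniDnsCorrelator:
    """Flags TLS flows whose SNI the same client never resolved to that destination IP.

    Domain fronting hides the real name in the encrypted Host header, so its SNI
    matches the resolved name; Underminr puts the real name in the SNI as well,
    which is exactly the mismatch this class looks for.
    """

    def __init__(self, grace: float = 60.0):
        self.grace = grace  # tolerance past the DNS TTL before an answer is forgotten
        # (client, ip) -> {name: expiry_ts}
        self._seen: Dict[Tuple[str, str], Dict[str, float]] = defaultdict(dict)

    def observe_dns(self, ev: DnsEvent) -> None:
        name = normalize(ev.qname)
        for ip in ev.answers:
            self._seen[(ev.client, ip)][name] = ev.ts + ev.ttl

    def _live_names(self, client: str, ip: str, now: float) -> Set[str]:
        table = self._seen.get((client, ip), {})
        return {n for n, expiry in table.items() if now <= expiry + self.grace}

    def observe_tls(self, ev: TlsEvent) -> Optional[Finding]:
        if not ev.sni:
            return Finding("no_sni", ev.client, ev.dst_ip, None)
        sni = normalize(ev.sni)
        names = self._live_names(ev.client, ev.dst_ip, ev.ts)
        if not names:
            # Could be DoH/DoT, a hard-coded IP, or a cache older than our view.
            return Finding("no_dns", ev.client, ev.dst_ip, sni)
        if sni in names:
            return None  # SNI agrees with a name this client resolved to the IP
        return Finding("sni_mismatch", ev.client, ev.dst_ip, sni, sorted(names))


def run_demo() -> List[Finding]:
    """Replay constructed events; addresses come from RFC 5737 documentation ranges."""
    corr = SniDnsCorrelator()
    events = [
        DnsEvent(100.0, "10.0.0.5", "allowed.example.", ["203.0.113.10"]),
        TlsEvent(101.0, "10.0.0.5", "203.0.113.10", "allowed.example"),       # normal
        TlsEvent(102.0, "10.0.0.5", "203.0.113.10", "Disallowed.example"),    # Underminr pattern
        TlsEvent(103.0, "10.0.0.5", "203.0.113.20", "other.example"),         # no DNS observed
        DnsEvent(104.0, "10.0.0.7", "also-allowed.example", ["203.0.113.10"]),
        TlsEvent(105.0, "10.0.0.7", "203.0.113.10", "also-allowed.example"),  # same IP, other tenant
        TlsEvent(900.0, "10.0.0.5", "203.0.113.10", "allowed.example"),       # DNS answer aged out
    ]
    findings: List[Finding] = []
    for ev in events:
        if isinstance(ev, DnsEvent):
            corr.observe_dns(ev)
        else:
            f = corr.observe_tls(ev)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f.verdict, f.client, "->", f.dst_ip, "sni=", f.sni, "resolved=", f.resolved_names)
```

Only the `sni_mismatch` verdict is the Underminr signal; `no_dns` is a weaker hint that the client resolved the name somewhere the sensor cannot see (encrypted DNS, a hard-coded address, or a cache entry older than the sensor's view), and a deployment would tune `grace` and the DNS TTL handling before alerting on it. Two caveats a practitioner would want: the check relies on the SNI being readable, so flows using Encrypted Client Hello carry no usable SNI and fall into `no_sni`, and it is keyed per client, so a shared forward proxy in front of the sensor collapses every user into one key and weakens the correlation.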
ADAMnetworks’ report noted that techniques like Underminr and domain fronting can be used to disguise attacker command-and-control traffic, mask data exfiltration destinations and conceal that users are being directed to malicious websites (for example, by a malicious application), though the technique differs from a traditional malicious redirect.

While Underminr does not enable threat actors to directly compromise vulnerable domains, the researchers said it can potentially lead to reputational damage and to the blocking of legitimate domain names that are used to mask malicious ones. For network defenders, the technique can make it more difficult to detect and block malicious traffic without also blocking legitimate traffic from the abused CDNs.

The Underminr website includes a lookup tool for domain owners to check whether their domain may be susceptible to Underminr and whether abuse has already been detected using their domain. ADAMnetworks also released an open-source tool called Outminr that can be used to monitor networks for attempts to exploit the Underminr technique.

The researchers say domain owners can defend themselves from Underminr impersonation by choosing a CDN provider that is not susceptible, or by requesting solutions from their current provider to prevent the cross-tenant routing issue that enables Underminr.

“CDNs can ‘Bucketize’ different tenants to prevent cross contamination between specific kinds of tenants. Or change their infrastructure to be similar to CDNs that are not vulnerable to Underminr tunneling,” an ADAMnetworks spokesperson told SC Media.