Underminr is a variant of domain fronting that exploits shared content delivery network (CDN) infrastructure to hide malicious connections behind trusted domains. Unlike traditional domain fronting, which uses a front domain in the SNI and TLS certificate validation fields and a different domain in the encrypted HTTP host header, Underminr forces a request to the IP address of another tenant on the same shared edge while presenting the SNI and HTTP Host of a legitimate domain. This mismatch allows attackers to bypass DNS filtering and Protective DNS (PDNS) monitoring by exploiting gaps in correlating DNS decisions, edge IPs, SNI, Host headers, and CDN tenant routing. The attack can be executed via multiple strategies and has been observed in attacks targeting large hosting providers that have mitigated domain fronting. It enables stealthy command-and-control and proxy connections, evading network security controls.

The vulnerability allows attackers to bypass DNS filtering and Protective DNS services, enabling stealthy connections to malicious domains that appear as trusted domains. This can facilitate command-and-control communications, VPN and proxy connections, and circumvention of network egress policies. Approximately 88 million domains are potentially affected, with significant impact on internet infrastructure in the US, UK, and Canada. There are no known exploits in the wild reported at this time. The increased use of AI by threat actors may lead to more frequent exploitation in the future.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since this vulnerability exploits CDN shared infrastructure and tenant routing, mitigation may require coordinated action by CDN providers and hosting services. Organizations should monitor vendor advisories for updates and consider network controls that correlate DNS, SNI, and HTTP Host headers to detect mismatches. No official fix or temporary workaround has been published at this time.