Content Delivery Network Exposure Permits Brand Reputation Misuse

Security researchers have identified a structural vulnerability in how content delivery networks process domain requests, potentially exposing nearly half of all websites to brand reputation misuse. Mitigating this risk requires CDN tenant separation or reputation-based routing controls.

Triage Security Media Team
3 min read

Security researchers have identified a class of vulnerability inherent in global internet infrastructure that currently leaves nearly half of all websites exposed to reputation misuse. The issue arises from how different layers of internet routing interact, and it requires infrastructure-level changes to fully remediate.

The exposure is a conceptual successor to "domain fronting," a routing discrepancy common in the mid-2010s. Domain fronting allowed users to bypass network controls by presenting one website in the layers visible to a domain name system (DNS) provider and content delivery network (CDN), while routing to another simply by altering the HTTP Host header inside their encrypted web requests. After drawing significant attention in 2018, CDNs largely mitigated this exposure.

The newly identified issue, designated "Underminr," circumvents those previous mitigations to achieve a similar outcome. Analysts at ADAMnetworks emphasize that threat actors use this technique to conceal unauthorized activity by misdirecting the brand reputations of legitimate websites. Threat actors are actively leveraging this technique, and data from ADAMnetworks indicates that 42% of websites globally are vulnerable to this exposure, with the figure rising to 51% in the US.

Understanding the Underminr vulnerability

The traditional model of internet routing is straightforward: when a user requests a domain, a DNS server resolves that human-readable name to an IP address associated with the website's server. Today, the architecture is more complex. Many established websites sit behind massive CDNs, which group numerous domains behind shared edge IP addresses.

If a user navigates to a protected domain, the request hits a shared edge IP. The CDN then determines the intended destination using two specific fields: the Server Name Indication (SNI) sent during the Transport Layer Security (TLS) handshake, followed by the HTTP Host header located inside the encrypted portion of the request.

The Underminr vulnerability stems from two structural weaknesses in this workflow. First, DNS and CDN systems operate independently without cross-referencing their routing decisions. Second, CDNs frequently group established, trusted domains alongside newer, unverified domains behind the exact same edge IP addresses.

This architecture allows a malicious actor to perform a DNS lookup for a highly trusted domain at a specific edge IP. A Protective DNS filter will evaluate the trusted domain, classify the request as legitimate, and allow it to proceed. Within the SNI and HTTP Host fields read by the CDN, the actor can then request an entirely different, unauthorized site hosted on that same edge IP. Because neither provider cross-references the discrepancy, the traffic flows through the trusted domain's reputation shield.

By routing traffic to an unauthorized site through a trusted domain, threat actors can conduct command-and-control (C2) operations or exfiltrate data while evading DNS-, signature-, and behavior-based detection. The affected organization, in turn, risks brand degradation and operational disruption due to the unauthorized association with malicious activity.

Infrastructure design and mitigation strategies

To measure the impact scope of Underminr, ADAMnetworks scanned the top five million domains on the web. While nearly half of all websites globally are exposed, the distribution varies significantly by region. In the US, approximately 51% of sites are at risk, compared to 33% in Eastern Europe and less than 9% in China's highly regulated internet environment. This disparity indicates that the vulnerability is a correctable design flaw rather than an inescapable reality of web hosting.

Mitigating this exposure requires careful evaluation of CDN architecture. Security-focused providers that enforce strict tenant separation inherently eliminate the risk. For a model of how larger providers can protect their users, David Redekop, CEO of ADAMnetworks, points to the approach taken by Fastly.

Fastly implemented reputation-based grouping, a practice Redekop refers to as "bucketizing." By intentionally grouping high-reputation domains together and separating new or unverified domains into different IP pools, Fastly significantly reduced the risk of a single edge IP hosting both a trusted site and an unauthorized server. While domain fronting relied on a discrepancy between SNI and HTTP Host headers, Underminr leverages a mismatch between SNI and DNS. Because the underlying mechanism of shared edge IP abuse is nearly identical, reputation-based grouping effectively mitigates the risk for both.
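The following is an added illustration of the reputation-based grouping idea described above; it is not Fastly's allocator or any CDN's code. The tenant list, the "established" and "unverified" tier labels, and the edge IP pools (documentation addresses from 203.0.113.0/24) are all constructed for the example. It shows the weak setting (every tenant round-robins over one shared pool) beside the bucketized one, and a check that reports any edge IP hosting tenants from more than one tier, which is exactly the condition Underminr needs.

```python
"""Reputation-based IP pool assignment ("bucketizing") with a cross-tier check.

Added example for this article; not Fastly's or any CDN's code.
Tenants, tier labels and edge IP pools below are constructed.
"""
from collections import defaultdict

# Constructed tenant list: (domain, reputation tier).
TENANTS = [
    ("www.trusted-example.com", "established"),
    ("news.trusted-example.org", "established"),
    ("shop.example.net", "established"),
    ("new-signup-1.example.org", "unverified"),
    ("new-signup-2.example.org", "unverified"),
]

# Constructed edge IP pools, one per reputation tier.
POOLS = {
    "established": ["203.0.113.10", "203.0.113.11"],
    "unverified": ["203.0.113.50", "203.0.113.51"],
}


def assign_shared(tenants, edge_ips):
    """Weak setting: all tenants round-robin over a single shared pool."""
    return {domain: edge_ips[i % len(edge_ips)]
            for i, (domain, _tier) in enumerate(tenants)}


def bucketize(tenants, pools):
    """Reputation-based grouping: each tier round-robins only within its own pool."""
    counters = defaultdict(int)
    assignment = {}
    for domain, tier in tenants:
        pool = pools[tier]
        assignment[domain] = pool[counters[tier] % len(pool)]
        counters[tier] += 1
    return assignment


def cross_tier_ips(assignment, tenants):
    """Return edge IPs that host tenants from more than one tier.

    Any IP listed here lets a request that resolved a trusted name reach an
    unverified tenant on the same address, which is the Underminr exposure.
    """
    tier_of = dict(tenants)
    tiers_by_ip = defaultdict(set)
    for domain, ip in assignment.items():
        tiers_by_ip[ip].add(tier_of[domain])
    return sorted(ip for ip, tiers in tiers_by_ip.items() if len(tiers) > 1)


if __name__ == "__main__":
    shared_pool = POOLS["established"] + POOLS["unverified"]
    print("shared pool exposure:", cross_tier_ips(assign_shared(TENANTS, shared_pool), TENANTS))
    print("bucketized exposure:", cross_tier_ips(bucketize(TENANTS, POOLS), TENANTS))
```

The check is the useful part for a tenant evaluating a provider: whatever allocation policy the CDN uses, the invariant to ask for is that `cross_tier_ips` would return an empty list for the pool your domain lands in.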

Organizations evaluating their risk exposure have clear paths forward. The primary remediation strategy is ensuring your domain utilizes a CDN that provides strict tenant separation. If current providers do not offer this, organizations should consider migrating to a CDN that utilizes reputation-based grouping or dedicated edge capacity that prevents cross-tenant routing.

Security teams can also implement protective monitoring on their own networks. Administrators relying on protective DNS can deploy open-source monitoring tools like Outminr, which hooks into eBPF to monitor local DNS and SNI traffic, flagging any discrepancies that indicate an Underminr routing attempt. Combining DNS, SNI, and HTTPS host header checks across the security stack ensures that unauthorized routing attempts are identified and blocked before they can misuse organizational trust.
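The detection logic described in this section, and the DNS/SNI mismatch it is looking for (explained under "Understanding the Underminr vulnerability" above), can be illustrated with a small correlator. This is an added example for the article, not Outminr's code and not an ADAMnetworks tool; the two log formats (a per-client DNS answer log and a TLS ClientHello log recording the SNI sent to each destination IP) are constructed for the example, as are the client addresses, domains and the 203.0.113.0/24 edge IPs. It flags a connection whose SNI was never resolved to that destination IP by the same client, and separately flags connections for which the client resolved nothing at all.

```python
"""Correlate DNS answers with TLS SNI to surface Underminr-style mismatches.

Added example for this article: not Outminr's code and not an ADAMnetworks
tool. Both log formats and all addresses below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample logs. DNS_LOG records which name each client resolved
# to which answer IP; TLS_LOG records the SNI each client sent to each IP.
DNS_LOG = """\
2024-05-01T10:00:00Z client=10.0.0.5 qname=www.trusted-example.com answer=203.0.113.10
2024-05-01T10:00:01Z client=10.0.0.5 qname=cdn.trusted-example.com answer=203.0.113.10
2024-05-01T10:00:02Z client=10.0.0.7 qname=shop.example.net answer=203.0.113.22
"""

TLS_LOG = """\
2024-05-01T10:00:03Z client=10.0.0.5 dst=203.0.113.10 sni=www.trusted-example.com
2024-05-01T10:00:04Z client=10.0.0.5 dst=203.0.113.10 sni=unverified-tenant.example.org
2024-05-01T10:00:05Z client=10.0.0.7 dst=203.0.113.22 sni=shop.example.net
2024-05-01T10:00:06Z client=10.0.0.9 dst=203.0.113.10 sni=www.trusted-example.com
"""

DNS_RE = re.compile(r"client=(\S+) qname=(\S+) answer=(\S+)")
TLS_RE = re.compile(r"client=(\S+) dst=(\S+) sni=(\S+)")


@dataclass(frozen=True)
class Alert:
    kind: str        # "SNI_MISMATCH" or "NO_DNS"
    client: str
    dst_ip: str
    sni: str
    resolved: tuple  # names this client resolved to dst_ip (empty for NO_DNS)


def build_dns_index(dns_log: str) -> dict:
    """Map (client, answer_ip) -> set of names that client resolved to that IP."""
    index = defaultdict(set)
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m:
            client, qname, answer = m.groups()
            index[(client, answer)].add(qname.lower().rstrip("."))
    return index


def find_mismatches(dns_log: str, tls_log: str) -> list:
    """Flag TLS connections whose SNI was never resolved to the destination IP.

    The protective DNS filter evaluated the names in `resolved`; the CDN will
    route on `sni`. When they disagree, the connection is riding on the
    reputation of a domain that the CDN is not actually being asked for.
    """
    index = build_dns_index(dns_log)
    alerts = []
    for line in tls_log.splitlines():
        m = TLS_RE.search(line)
        if not m:
            continue
        client, dst_ip, sni = m.groups()
        sni = sni.lower().rstrip(".")
        resolved = index.get((client, dst_ip), set())
        if not resolved:
            # No DNS answer for this IP from this client: DNS was bypassed.
            alerts.append(Alert("NO_DNS", client, dst_ip, sni, ()))
        elif sni not in resolved:
            alerts.append(Alert("SNI_MISMATCH", client, dst_ip, sni,
                                tuple(sorted(resolved))))
    return alerts


if __name__ == "__main__":
    for a in find_mismatches(DNS_LOG, TLS_LOG):
        print(f"{a.kind}: client {a.client} -> {a.dst_ip} "
              f"sni={a.sni} dns_names={list(a.resolved)}")
```

Two practical caveats for anyone building this for real: the exact-match comparison should be widened to accept every name in the CNAME chain the resolver returned, or legitimate CDN-hosted sites will produce false mismatches, and the check depends on the SNI being visible on the wire, so an index keyed on DNS answers is the part that still works when the ClientHello is encrypted.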