ctipilot.ch

Underminr - multi-tenant-CDN domain-fronting variant defeating DNS-layer filtering (ADAMnetworks)

vulnerability-trend · item:underminr-multitenant-cdn-domain-fronting-variant

Coverage timeline: 1 (first 2026-05-25 → last 2026-05-25)
Briefs: 1 (1 distinct)
Sources cited: 4 (4 hosts)
Sections touched: 1 (research)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-25 · CTI Daily Brief — 2026-05-25
     research · Allow-listed SNI/Host + shared-edge tenant routing reaches attacker origin; blinds DNS filtering/edge TLS inspection; T1090.004

Where this entity is cited

  • research (1)

Source distribution

  • securityweek.com: 1 (25%)
  • support.adamnet.works: 1 (25%)
  • attack.mitre.org: 1 (25%)
  • github.com: 1 (25%)

Items in briefs about Underminr - multi-tenant-CDN domain-fronting variant defeating DNS-layer filtering (ADAMnetworks) (1)

"Underminr": a multi-tenant-CDN domain-fronting variant that blinds DNS-layer filtering

From CTI Daily Brief — 2026-05-25 · published 2026-05-25

ADAMnetworks disclosed Underminr, a structural evolution of domain fronting that abuses the shared-IP, multi-tenant architecture of modern CDN edges rather than a single-CDN misconfiguration (ADAMnetworks, 2026-05-21). Classic domain fronting, sending an HTTP Host header for one tenant behind the TLS SNI of a different, permitted domain on the same CDN, was largely closed by the major CDNs from 2018 onward (Google and AWS CloudFront in 2018, Azure Front Door by late 2022) by enforcing SNI/Host consistency at the edge. Underminr instead keeps SNI and Host consistent: both name a legitimate, allow-listed domain hosted on a shared edge, while the connection itself is steered to a different tenant's IP within the same shared edge range, the attacker's own origin, exploiting the fact that the CDN's internal tenant routing is decoupled from the network-visible Host/SNI (SecurityWeek, 2026-05-23). As SecurityWeek frames it, "the detection gap appears when DNS decisions, edge IPs, SNI, Host headers, and CDN tenant routing are not correlated." No CVE was assigned: this is an architectural property of shared-edge multi-tenancy, not a software bug. SecurityWeek reports roughly 88 million domains on shared infrastructure as potentially in scope, with US, UK and Canadian infrastructure most affected; the technique does not require compromising the legitimate domain, only co-tenancy on the same edge IP range.
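To make the routing decoupling concrete, the following toy model of a shared CDN edge is added here as an illustration; it is not code from ADAMnetworks, SecurityWeek or any CDN, and it does not describe any real CDN's internals. Everything in it is constructed: the TEST-NET-3 edge range, the .example names, and the assumption that tenant routing is keyed on the edge IP the client connected to (the brief only says routing is decoupled from SNI/Host; the concrete key is this model's assumption). It shows why an SNI/Host consistency check stops classic fronting but not an Underminr-style request, and why a DNS-filter plus CDN-range egress policy passes the latter.

```python
"""Toy model of a shared multi-tenant CDN edge, constructed for this brief.

Added illustration, not ADAMnetworks' or SecurityWeek's code, and not a
description of any real CDN.  Assumptions of the model:
  * several tenants share one edge IP range;
  * the edge rejects requests whose SNI and Host differ (the mitigation that
    closed classic domain fronting);
  * tenant routing is keyed on the edge IP the client connected to, not on
    the SNI/Host it presented.  The decoupling is the property the brief
    describes; using the destination IP as the concrete key is an assumption.
"""
from dataclasses import dataclass
import ipaddress

# Constructed data (TEST-NET-3 addresses and .example names).
SHARED_EDGE_RANGE = ipaddress.ip_network("203.0.113.0/24")
TENANT_ORIGIN_BY_EDGE_IP = {
    "203.0.113.10": "origin.allowed-site.example",  # the allow-listed domain's tenant
    "203.0.113.77": "origin.attacker.example",      # attacker's co-tenant origin
}
HOSTNAMES_SERVED_ON_EDGE = {"allowed-site.example", "attacker-cdn.example"}
EGRESS_ALLOWLIST = {"allowed-site.example"}  # the defender's DNS-layer policy


@dataclass(frozen=True)
class Request:
    dst_ip: str   # edge IP the client actually connected to
    sni: str      # TLS server_name
    host: str     # HTTP Host header


def edge_route(req: Request):
    """Origin the edge forwards to, or None if the edge rejects the request."""
    if req.sni != req.host:
        return None  # classic fronting: blocked by SNI/Host consistency enforcement
    if req.host not in HOSTNAMES_SERVED_ON_EDGE:
        return None
    # The routing decision the network never sees: keyed on dst_ip, not on Host.
    return TENANT_ORIGIN_BY_EDGE_IP.get(req.dst_ip)


def perimeter_allows(req: Request) -> bool:
    """Verdict of a DNS-filter plus 'destination is inside the CDN range' policy."""
    name_allowed = req.sni in EGRESS_ALLOWLIST
    in_cdn_range = ipaddress.ip_address(req.dst_ip) in SHARED_EDGE_RANGE
    return name_allowed and in_cdn_range


BENIGN = Request("203.0.113.10", "allowed-site.example", "allowed-site.example")
CLASSIC_FRONTING = Request("203.0.113.10", "allowed-site.example", "attacker-cdn.example")
UNDERMINR_STYLE = Request("203.0.113.77", "allowed-site.example", "allowed-site.example")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("classic fronting", CLASSIC_FRONTING),
                       ("underminr-style", UNDERMINR_STYLE)]:
        print(f"{label:17} edge->{edge_route(req)!s:30} perimeter_allows={perimeter_allows(req)}")
```

The benign and the Underminr-style request are indistinguishable to `perimeter_allows`: same allow-listed name, same CDN range. Only the edge's internal lookup differs, and that lookup is never visible to the egress control.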

Why it matters to us: this maps to ATT&CK T1090.004 (Proxy: Domain Fronting) and is squarely a C2 / exfiltration-evasion concern for the many CH/EU public-sector networks whose egress control leans on DNS-layer filtering (DNS RPZ, recursive-resolver allow-lists) or that treat a CDN's published IP range as a proxy for the actual destination. Underminr defeats both, because the FQDN legitimately resolves into the shared edge range, the flow's destination IP falls inside that range, SNI and Host are consistent and allow-listed, and edge-terminated TLS inspection never sees the origin-routing decision taken inside the CDN. Defenders should stop treating DNS/domain allow-listing as a sufficient egress control on its own; correlate per flow the SNI, the Host (where inspected), the IPs the monitored resolver actually returned for that name to that client, the flow's destination IP and (where a CDN exposes it) CDN tenant identity, and prefer per-flow identity verification (ZTNA) over perimeter-DNS-filter trust. That correlation only works for clients that resolve through the monitored resolver: a client using DoH/DoT to an external resolver, or connecting to a hard-coded IP, leaves no answer to correlate against and must itself be blocked or logged. Specific vulnerable CDN providers are not named in the public reporting.
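The per-flow correlation recommended above, as an added detection example that is not code from any cited source. The resolver and flow log lines are constructed and loosely Zeek-style (whitespace-separated), not a specific product's schema; the rule flags a flow when SNI and Host disagree (classic fronting), when the destination IP was never returned to that client by the monitored resolver for the SNI name (the Underminr-style case), or when the client never asked the monitored resolver at all.

```python
"""Per-flow correlation of DNS answers, destination IP, SNI and Host.

Added detection example for this brief, not code from any cited source.  The
log lines are constructed and loosely Zeek-style (whitespace-separated), not a
specific product's schema.
"""
from collections import defaultdict

# Constructed resolver log:  ts  client  qname  answers(comma-separated)
DNS_LOG = """\
1716000001 10.0.0.5 allowed-site.example 203.0.113.10,203.0.113.11
1716000002 10.0.0.6 allowed-site.example 203.0.113.10
1716000003 10.0.0.5 cdn-assets.example 203.0.113.40
"""

# Constructed flow log:  ts  client  dst_ip  sni  host   ('-' = Host not inspected)
FLOW_LOG = """\
1716000010 10.0.0.5 203.0.113.10 allowed-site.example allowed-site.example
1716000011 10.0.0.6 203.0.113.77 allowed-site.example allowed-site.example
1716000012 10.0.0.5 203.0.113.10 allowed-site.example attacker-cdn.example
1716000013 10.0.0.5 203.0.113.40 cdn-assets.example -
1716000014 10.0.0.9 203.0.113.10 allowed-site.example -
"""


def parse_dns_answers(log: str) -> dict:
    """Map (client, qname) -> set of IPs the resolver returned to that client."""
    seen = defaultdict(set)
    for line in log.splitlines():
        _ts, client, qname, answers = line.split()
        seen[(client, qname)].update(answers.split(","))
    return seen


def evaluate_flows(dns_log: str, flow_log: str) -> list:
    """Return one (ts, client, dst_ip, sni, verdict, reason) tuple per flow."""
    answered = parse_dns_answers(dns_log)
    out = []
    for line in flow_log.splitlines():
        ts, client, dst_ip, sni, host = line.split()
        key = (client, sni)
        if host != "-" and host != sni:
            verdict = ("alert", "sni_host_mismatch")         # classic domain fronting
        elif key not in answered:
            verdict = ("alert", "no_dns_seen_for_client")    # resolved elsewhere (DoH?) or hard-coded IP
        elif dst_ip not in answered[key]:
            verdict = ("alert", "dst_ip_not_in_dns_answer")  # Underminr-style: name allowed, IP not what DNS gave
        else:
            verdict = ("ok", "correlated")
        out.append((ts, client, dst_ip, sni) + verdict)
    return out


if __name__ == "__main__":
    for rec in evaluate_flows(DNS_LOG, FLOW_LOG):
        print(*rec)
```

In production the DNS side needs a per-client cache keyed on answer TTL rather than a flat set, because CDN answers rotate between queries and a flow may legitimately reuse an IP answered before the log window; keep "destination inside the CDN's published range" as a secondary attribute for triage, never as the primary allow decision. CDN tenant identity, where a provider exposes it, is one more join key on the same (client, name, dst_ip) record.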