A critical DNS cache poisoning vulnerability (CVE-2025-40778, CVSS 8.6) was disclosed in BIND 9, the widely used DNS software maintained by ISC. The flaw stems from the resolver being too lenient about which resource records it accepts from an upstream response: records that were not asked for, and that lie outside the bailiwick of the server being queried, could end up in the cache. An off-path attacker (one who is not positioned on the path between the resolver and the authoritative server) can exploit this to place forged entries in the cache. Affected versions are 9.11.0–9.16.50, 9.18.0–9.18.39, 9.20.0–9.20.13 and 9.21.0–9.21.12, Supported Preview Editions included; Censys counted over 706,000 BIND 9 instances exposed to the internet.

While no active exploitation has been reported, a public proof-of-concept exploit on GitHub lowers the bar for attackers, who could redirect traffic to malicious destinations for phishing, data interception or service disruption. A poisoned entry persists for its TTL, so clients can be misrouted for hours or days. ISC urges upgrading to 9.18.41, 9.20.15 or 9.21.14 (or later). Until then, restrict recursion to trusted clients, enable DNSSEC validation (which only protects responses for signed zones), and monitor cache contents for unexpected entries. Unpatched high-traffic resolvers run by enterprises, ISPs and governments are the highest-value targets, since one poisoned cache misroutes every client behind it.
Source: https://cyberpress.org/706000-bind-9-poc-released/
TPRM report: https://www.rankiteo.com/company/internet-systems-consortium
"id": "int3932739102725",
"linkid": "internet-systems-consortium",
"type": "Vulnerability",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Vulnerability with significant potential impact (traffic redirection, phishing, data interception); no exploitation or customer data leak reported as of disclosure"
{'affected_entities': [{'customers_affected': 'Enterprises, ISPs, and government agencies relying on BIND 9 recursive resolvers',
                        'industry': 'Internet Infrastructure',
                        'location': 'Global',
                        'name': 'Internet Systems Consortium (ISC)',
                        'type': 'Non-profit Organization'},
                       {'industry': ['Technology', 'Telecommunications', 'Public Sector'],
                        'location': 'Global',
                        'name': 'Organizations using BIND 9 (versions 9.11.0–9.16.50, 9.18.0–9.18.39, 9.20.0–9.20.13, 9.21.0–9.21.12)',
                        'type': ['Enterprises', 'Internet Service Providers (ISPs)', 'Government Agencies']}],
 'attack_vector': ['Network', 'Off-path Spoofing', 'Race Condition'],
 'customer_advisories': ['Organizations advised to scan for vulnerable instances and apply mitigations'],
 'date_publicly_disclosed': '2025-10-22',
 'description': 'A critical security flaw in BIND 9 resolvers (CVE-2025-40778) allows attackers to poison DNS caches and redirect internet traffic to malicious destinations. The vulnerability, with a CVSS score of 8.6, stems from BIND’s overly permissive handling of unsolicited resource records in DNS responses, enabling off-path attackers to inject forged data without being positioned on the resolver’s network path. Over 706,000 exposed instances worldwide are affected. While no active exploitation has been reported, a proof-of-concept exploit published on GitHub increases the risk of targeted attacks. The vulnerability impacts BIND 9 versions 9.11.0–9.16.50, 9.18.0–9.18.39, 9.20.0–9.20.13, and 9.21.0–9.21.12 (Supported Preview Editions included).',
 'impact': {'brand_reputation_impact': ['Potential loss of trust in DNS infrastructure'],
            'identity_theft_risk': ['High (if traffic redirected to phishing sites)'],
            'operational_impact': ['Traffic redirection to malicious destinations',
                                   'Phishing attacks',
                                   'Data interception',
                                   'Service disruptions'],
            'payment_information_risk': ['High (if traffic intercepted or redirected)'],
            'systems_affected': '706,000+ exposed BIND 9 resolver instances worldwide'},
 'initial_access_broker': {'high_value_targets': ['Recursive BIND 9 resolvers in enterprises/ISPs/government agencies']},
 'investigation_status': 'Ongoing (no active exploitation reported as of disclosure)',
 'lessons_learned': ['Importance of strict bailiwick enforcement in DNS resolvers',
                     'Risks of off-path attacks in DNS infrastructure',
                     'Need for proactive patching of critical internet infrastructure components',
                     'Value of DNSSEC in mitigating cache poisoning risks (for signed zones)'],
 'post_incident_analysis': {'corrective_actions': ['Patch BIND 9 to versions 9.18.41+, 9.20.15+, or 9.21.14+',
                                                   'Enforce DNSSEC validation',
                                                   'Restrict recursive resolver access to trusted clients',
                                                   'Enhance monitoring for cache poisoning indicators'],
                            'root_causes': ['Overly permissive handling of unsolicited resource records in BIND 9',
                                            'Failure to enforce bailiwick principles strictly',
                                            'Acceptance of non-query-related records in DNS responses']},
 'recommendations': ['Upgrade BIND 9 to patched versions immediately',
                     'Implement DNSSEC validation to cryptographically verify responses from signed zones',
                     'Restrict recursion to trusted clients only',
                     'Monitor DNS traffic for anomalies (e.g., unexpected cache entries)',
                     'Disable caching of additional sections in DNS responses if not required',
                     'Conduct regular scans for exposed/vulnerable BIND instances',
                     'Prioritize security hardening for high-traffic recursive resolvers'],
 'references': [{'date_accessed': '2025-10-22',
                 'source': 'Internet Systems Consortium (ISC) Advisory'},
                {'source': 'Censys Report on Exposed BIND Instances'},
                {'source': 'Proof-of-Concept Exploit by Researcher N3mes1s (GitHub)'}],
 'response': {'communication_strategy': ['ISC public advisory (2025-10-22) urging immediate patching'],
              'containment_measures': ['Restrict recursion to trusted clients via access control lists',
                                       'Enable DNSSEC validation',
                                       'Monitor resolver counters via BIND’s statistics channel and inspect cache contents (rndc dumpdb -cache) for anomalies',
                                       'Disable additional section caching',
                                       'Implement rate limiting on queries'],
              'enhanced_monitoring': ['Monitor for cache poisoning attempts via BIND’s statistics channel and periodic cache dumps'],
              'remediation_measures': ['Upgrade to patched BIND versions (9.18.41, 9.20.15, 9.21.14, or later)',
                                       'Scan networks for vulnerable instances (using Censys/Shodan)',
                                       'Prioritize patching high-traffic resolvers']},
 'stakeholder_advisories': ['ISC urges immediate patching; no exploitation detected yet'],
 'title': 'Critical DNS Cache Poisoning Vulnerability in BIND 9 (CVE-2025-40778)',
 'type': ['Vulnerability', 'DNS Cache Poisoning'],
 'vulnerability_exploited': 'CVE-2025-40778 (Logic Flaw in BIND 9’s Resolver - Bailiwick Principle Violation)'}
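The remediation steps above (scan for vulnerable instances, then patch to 9.18.41, 9.20.15 or 9.21.14) start with knowing which version each resolver runs. The following added example (not ISC tooling) maps version strings, such as the TXT answer to `dig +short @resolver version.bind txt chaos` or a package inventory, onto the affected ranges and fix targets the advisory lists. The inventory and hostnames are constructed sample data.

```python
"""Version triage for CVE-2025-40778 (added example, not ISC tooling).

Maps BIND 9 version strings (e.g. from `dig +short @host version.bind txt chaos`
or a package inventory) onto the affected ranges and fixed releases listed in
the ISC advisory. The inventory below is constructed sample data.
"""
import re

# Inclusive affected ranges and the release to upgrade to, from the advisory.
# 9.11 and 9.16 are end-of-life, so their upgrade target is the 9.18 release.
AFFECTED = [
    ((9, 11, 0), (9, 16, 50), "9.18.41"),
    ((9, 18, 0), (9, 18, 39), "9.18.41"),
    ((9, 20, 0), (9, 20, 13), "9.20.15"),
    ((9, 21, 0), (9, 21, 12), "9.21.14"),
]

# First x.y.z in the text; Supported Preview Editions carry a -S<n> suffix and
# distro builds append their own tags, both of which are ignored here.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) or None if no version is present."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(text):
    """Classify one version string.

    Returns ('vulnerable', fixed_release), ('not-listed', None) for versions
    outside every affected range, or ('unknown', None) when the string holds no
    version (e.g. an operator has hidden version.bind).
    """
    version = parse_version(text)
    if version is None:
        return ("unknown", None)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return ("vulnerable", fixed)
    return ("not-listed", None)


def triage(inventory):
    """inventory: {resolver: version text} -> sorted [(resolver, status, fix)]."""
    return sorted((host, *assess(text)) for host, text in inventory.items())


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "resolver-a.corp.example": "9.18.39",
    "resolver-b.corp.example": "9.20.13-S1",
    "resolver-c.corp.example": "9.21.14",
    "resolver-d.corp.example": "9.11.4-P2-RedHat-9.11.4-26.P2.el7",
    "resolver-e.corp.example": "not disclosed",
}

if __name__ == "__main__":
    for host, status, fix in triage(SAMPLE_INVENTORY):
        print(f"{host:<28} {status:<11} {'upgrade to ' + fix if fix else ''}")
```

Two caveats a practitioner should keep in mind: a 'not-listed' result only means the version is outside the published ranges, not that the host is safe, and a distribution build such as the Red Hat string above may carry a backported fix under an old version number, so confirm against the vendor's advisory before closing the finding. An 'unknown' result means the operator has hidden version.bind and the version has to come from the package manager instead.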