Monday, December 1

706,000+ BIND 9 Resolver Instances Vulnerable to Cache Poisoning Exposed Online – PoC Released


A high-severity vulnerability in BIND 9 resolvers allows a remote attacker to poison the resolver's cache and redirect clients to attacker-controlled hosts.

The flaw, tracked as CVE-2025-40778 and rated CVSS 8.6, stems from BIND's overly permissive handling of DNS resource records it did not ask for: a resolver that caches unsolicited records lets an attacker inject forged data remotely. Censys reports more than 706,000 BIND 9 instances exposed on the internet that are potentially affected.

The Internet Systems Consortium (ISC) published its advisory on October 22, 2025 and urges immediate patching. BIND 9 handles recursive resolution for enterprises, ISPs, and government networks, so the exposure is broad.

BIND 9 Resolver Vulnerability

CVE-2025-40778 arises from a logic flaw in BIND 9's resolver, which accepts and caches resource records it never requested, allowing an attacker to plant false address records in the cache. Affected releases are 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, and 9.21.0 through 9.21.12. Only servers that perform recursion are exposed, since the injected data lives in the resolver cache; a poisoned cache can steer clients to phishing hosts or cause service disruption until the bad entries expire or are flushed.
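To make the class of flaw concrete, here is an added example (not BIND's code, and not the exact condition fixed in CVE-2025-40778) of the classic acceptance rule a resolver applies before caching anything from a response: keep only records that belong to the answering server's bailiwick, and in the answer section keep only records that actually address the question (following CNAME aliases). The records below are constructed sample data; the names and IPs are documentation values.

```python
"""Added example: a minimal cache-acceptance filter for DNS responses.

A resolver that caches every record in a response, whether or not it asked
for it, is open to poisoning (CWE-349). This filter is the generic defence;
BIND's real implementation differs in detail.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it appears in a DNS response."""
    name: str
    rtype: str
    rdata: str
    section: str  # "answer", "authority" or "additional"


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a name below it."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)


def filter_response(qname, qtype, zone, records):
    """Split a response into records safe to cache and records to discard.

    `zone` is the zone the queried server is authoritative for (the zone the
    resolver was delegated to). Answer-section records must address the
    question, following CNAME aliases in order; authority and additional
    records are kept only when their owner name is inside the bailiwick.
    """
    kept, dropped = [], []
    wanted = {_norm(qname)}  # names that legitimately answer the question
    for rr in records:
        if not in_bailiwick(rr.name, zone):
            dropped.append((rr, "owner name outside the server's bailiwick"))
            continue
        if rr.section == "answer":
            if _norm(rr.name) not in wanted or rr.rtype not in (qtype, "CNAME"):
                dropped.append((rr, "answer record unrelated to the question"))
                continue
            if rr.rtype == "CNAME":
                wanted.add(_norm(rr.rdata))  # the alias target may now be answered
        kept.append(rr)
    return kept, dropped


# Constructed response to "www.example.com A" from a server for example.com.
# Two records are forged and unsolicited; one is in-zone but not asked for.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10", "answer"),
    RR("login.bank.example.", "A", "198.51.100.7", "answer"),   # forged, out of zone
    RR("mail.example.com.", "A", "192.0.2.25", "answer"),       # in zone, not asked for
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.53", "additional"),
    RR("ns1.other.test.", "A", "203.0.113.9", "additional"),    # forged glue
]


def demo():
    kept, dropped = filter_response("www.example.com", "A", "example.com", SAMPLE_RESPONSE)
    return [r.name for r in kept], [(r.name, why) for r, why in dropped]


if __name__ == "__main__":
    kept_names, dropped_info = demo()
    print("cache:", kept_names)
    for name, why in dropped_info:
        print("drop :", name, "-", why)
```

A resolver that skips the bailiwick check caches `login.bank.example` from a server that has no authority over it; that is the shape of attack the article describes, regardless of how the forged record is smuggled in.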

Censys's scan found more than 706,000 exposed instances. A version banner alone does not prove a host is exploitable, since distributions backport fixes and many operators hide the version, but the count shows the scale of the exposure. The flaw is remotely exploitable and is classified as CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data).

Proof-of-Concept and Exploitation Risks

A proof-of-concept (PoC) published on GitHub demonstrates the technique, showing that it can be adapted against unpatched systems. No exploitation in the wild had been confirmed at the time of writing, but the disclosure lands amid a general rise in DNS-targeted attacks.

ISC advises upgrading to 9.18.41, 9.20.15, 9.21.14, or later; its advisory lists no workaround. Until a resolver can be upgraded, standard hardening narrows the attack surface without closing it: restrict recursion to trusted clients, enable DNSSEC validation (which protects only signed zones), and monitor cache contents for unexpected records. BIND offers no simple switch to stop caching additional-section data, so that step in particular is not a substitute for patching.
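The two configuration fragments below are an added illustration of the hardening steps above, not configuration from ISC or from the article; the weak fragment is the open-resolver setup that maximises exposure, and the hardened one limits who can recurse and read the cache and turns validation on. `192.0.2.0/24` and `2001:db8::/32` are documentation prefixes standing in for the operator's real client ranges.

```conf
// Weak: an open resolver that validates nothing. Anyone on the internet
// can make it fetch names of their choosing, and forged records that
// reach the cache are served to every client.
options {
    recursion yes;
    allow-recursion { any; };
    dnssec-validation no;
};

// Hardened: recursion and cache reads limited to an ACL, validation on.
acl trusted { 127.0.0.1; ::1; 192.0.2.0/24; 2001:db8::/32; };
options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };   // outsiders cannot read cache contents either
    dnssec-validation auto;           // forged answers for signed zones fail validation
    version "none";                   // do not advertise the build to scanners
};
```

Check the file with `named-checkconf` before reloading. To inspect what the resolver has cached, `rndc dumpdb -cache` writes the cache to the configured dump file; after upgrading, `rndc flush` discards anything that may have been planted while the server was unpatched.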

Organizations should scan for exposed BIND instances and prioritize patching high-traffic resolvers, which serve the most clients and so do the most damage if poisoned. ISC says it will tighten record validation in future releases.
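For the inventory step, here is an added example (not a Censys or ISC tool) that classifies a BIND version string against the affected and fixed ranges listed in this article. The banner strings are constructed; in practice the string comes from `named -v` on the host or, when the server does not hide it, from `dig @<resolver> version.bind CHAOS TXT +short`. The version check is a triage aid only: distributions backport fixes without changing the upstream version number, so "affected" means "verify against the vendor changelog", not "confirmed vulnerable".

```python
"""Added example: triage BIND 9 version strings for CVE-2025-40778."""
import re

# (first affected, last affected, first fixed) per the article's advisory summary.
# 9.11 through 9.16 have no fixed release listed.
RANGES = [
    ((9, 11, 0), (9, 16, 50), None),
    ((9, 18, 0), (9, 18, 39), (9, 18, 41)),
    ((9, 20, 0), (9, 20, 13), (9, 20, 15)),
    ((9, 21, 0), (9, 21, 12), (9, 21, 14)),
]

# Accepts "9.18.39", "9.16.50-S1", "1:9.18.39-0ubuntu0.24.04.2" (Debian epoch
# and package revision) and banner text such as "BIND 9.20.13 (Stable Release)".
_VERSION_RE = re.compile(r"(?:\d+:)?(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str):
    """Return (major, minor, patch) or None if no x.y.z version is present."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def status(banner: str) -> str:
    """One of: affected, patched, unlisted, unparseable.

    'unlisted' covers versions outside every listed range, e.g. 9.18.40 (between
    the last affected and first fixed 9.18 release), pre-9.11 releases, and
    development branches; treat those as needing a manual check.
    """
    v = parse_version(banner)
    if v is None:
        return "unparseable"
    for first, last, fixed in RANGES:
        if first <= v <= last:
            return "affected"
        if fixed is not None and v[:2] == fixed[:2] and v >= fixed:
            return "patched"
    return "unlisted"


def triage(banners):
    """Map each banner to its status; useful over a scan export."""
    return {b: status(b) for b in banners}


# Constructed sample banners, not scan results.
SAMPLE_BANNERS = [
    "9.18.39",
    "9.18.41",
    "9.16.50-S1",
    "9.20.15",
    "9.21.12",
    "9.18.40",
    "1:9.18.39-0ubuntu0.24.04.2",
    "BIND 9.20.13 (Stable Release)",
    "none",  # what a server configured with version "none" returns
]

if __name__ == "__main__":
    for banner, result in triage(SAMPLE_BANNERS).items():
        print(f"{result:12} {banner}")
```

Hosts that answer `version.bind` with nothing useful are "unparseable" here and are missed by banner-based scans entirely, which is one reason the 706,000 figure is a lower bound on exposure rather than a count of vulnerable servers.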
