Over 706,000 BIND 9 Resolvers Exposed to Cache Poisoning Attacks – PoC Released

A critical security flaw in BIND 9 resolvers has been disclosed, potentially allowing attackers to poison DNS caches and redirect internet traffic to malicious destinations.

Tracked as CVE-2025-40778, the vulnerability affects over 706,000 exposed instances worldwide, according to internet scanning firm Censys.

High-Severity DNS Cache Poisoning Flaw

The vulnerability carries a CVSS score of 8.6 and stems from BIND’s overly permissive handling of unsolicited resource records in DNS responses.

This design flaw enables off-path attackers to inject forged data without requiring direct network access.

The Internet Systems Consortium (ISC), which maintains BIND software, released details on October 22, 2025, urging administrators to apply patches immediately.

BIND 9 powers a substantial portion of the internet’s domain name resolution infrastructure, making this vulnerability particularly concerning for enterprises, internet service providers, and government agencies that rely on recursive resolvers.

While no active exploitation has been reported, the public release of a proof-of-concept exploit on GitHub significantly heightens the urgency, as it provides attackers with a blueprint for crafting targeted assaults.

Technical Details and Affected Versions

CVE-2025-40778 stems from a logic flaw in BIND 9's resolver, which accepts and caches resource records that were not part of the original query.

During normal DNS operations, recursive resolvers send queries to authoritative nameservers and expect responses containing only relevant data.

However, affected versions fail to strictly enforce bailiwick rules, which restrict the records a resolver will cache from a response to names under the zone the responding server is authoritative for.

This weakness allows attackers to race or spoof responses, injecting fake address records like A or AAAA entries pointing to attacker-controlled infrastructure.
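The bailiwick check described above is the control an unpatched resolver applies too loosely. The following is an added example, not ISC's code or the proof-of-concept, showing the defensive filter in its simplest form: records are modelled as (owner, type, rdata) tuples, the zone, query and sample response are constructed, and any record whose owner name does not sit under the responding server's zone (or, in the answer section, does not match the question name or a CNAME chain from it) is rejected before it could reach a cache.

```python
# Added example (not ISC's code): a minimal bailiwick filter of the kind a
# recursive resolver must apply before caching records from a response.
# Records are (owner_name, rtype, rdata) tuples; all sample data is constructed.


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring the trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or lies below it.

    The comparison is label-wise, so 'notexample.com' is not under 'example.com'
    even though it ends with the same characters.
    """
    o, z = _labels(owner), _labels(zone)
    if not z:  # root zone: every name is in bailiwick
        return True
    return len(o) >= len(z) and o[-len(z):] == z


def sanitize_response(zone, qname, answer, authority, additional):
    """Drop records the server for `zone` has no authority to assert.

    Returns (kept, dropped); each entry is (section, record) so a caller can log
    exactly what was rejected and from which section it arrived.
    """
    kept, dropped = [], []
    # Owner names acceptable in the answer section: the question name, extended
    # by the target of any CNAME that itself had an acceptable owner.
    allowed_answer_names = {tuple(_labels(qname))}

    for rec in answer:
        owner, rtype, rdata = rec
        ok = in_bailiwick(owner, zone) and tuple(_labels(owner)) in allowed_answer_names
        if ok and rtype == "CNAME":
            allowed_answer_names.add(tuple(_labels(rdata)))
        (kept if ok else dropped).append(("answer", rec))

    for section, records in (("authority", authority), ("additional", additional)):
        for rec in records:
            owner = rec[0]
            ok = in_bailiwick(owner, zone)
            (kept if ok else dropped).append((section, rec))

    return kept, dropped


if __name__ == "__main__":
    # Constructed response from example.com's server that also carries an
    # unsolicited A record for an unrelated name in the additional section.
    kept, dropped = sanitize_response(
        zone="example.com.",
        qname="www.example.com.",
        answer=[("www.example.com.", "A", "192.0.2.10")],
        authority=[("example.com.", "NS", "ns1.example.com.")],
        additional=[
            ("ns1.example.com.", "A", "192.0.2.1"),            # legitimate glue
            ("login.example-bank.test.", "A", "203.0.113.5"),  # out of bailiwick
        ],
    )
    for section, rec in dropped:
        print(f"rejected from {section}: {rec}")
```

The filter is intentionally stricter than a full resolver (it does not follow DNAME, and it re-queries nothing), but it shows the property that matters: a record is cached only on the authority of a server that is entitled to speak for its owner name.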

The vulnerability impacts BIND 9 versions from 9.11.0 through 9.16.50, 9.18.0 to 9.18.39, 9.20.0 to 9.20.13, and 9.21.0 to 9.21.12, including Supported Preview Editions.

Earlier versions prior to 9.11.0 may also be vulnerable but remain unassessed.

Only recursive resolver configurations are at risk, while authoritative-only servers remain unaffected unless recursion is enabled.

Once poisoned, caches can misdirect downstream clients for hours or days, depending on TTL values, leading to phishing attacks, data interception, or service disruptions.

ISC recommends upgrading to patched versions, including 9.18.41, 9.20.15, 9.21.14, or later releases.

Organizations unable to update immediately should restrict recursion to trusted clients via access control lists, enable DNSSEC validation to cryptographically verify responses, and monitor cache contents for anomalies using BIND’s statistics channel.

Disabling additional section caching or implementing rate limiting on queries can further reduce exposure.

Organizations should scan their networks for vulnerable BIND instances using tools from Censys or Shodan and prioritize high-traffic resolvers.
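To make the upgrade and hardening advice above actionable, here is an added example (not ISC's code, not a scanner from Censys or Shodan) that checks a `named -v` style banner against the affected ranges listed in this article and audits a simplified `options {}` block for the two settings the mitigation advice calls out: recursion open to any client, and DNSSEC validation disabled. The weak and hardened configuration snippets are constructed for the example; the parser handles only straightforward `options {}` syntax, not full named.conf grammar.

```python
import re

# Added example (not ISC's code). Affected ranges as published for
# CVE-2025-40778 (inclusive); fixed releases are 9.18.41, 9.20.15, 9.21.14 or later.
AFFECTED_RANGES = [
    ((9, 11, 0), (9, 16, 50)),
    ((9, 18, 0), (9, 18, 39)),
    ((9, 20, 0), (9, 20, 13)),
    ((9, 21, 0), (9, 21, 12)),
]


def parse_version(banner: str):
    """Extract a 9.x.y version tuple from a banner such as 'BIND 9.18.39 (...)'."""
    m = re.search(r"\b(9)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(banner: str):
    """True if the version falls in a published affected range, None if unparsable."""
    v = parse_version(banner)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def audit_options(named_conf: str) -> list[str]:
    """Return findings for an options{} block (simplified: comments stripped).

    Only an explicit 'allow-recursion { any; }' is flagged here; resolving the
    defaults BIND applies when the ACL is absent is outside this example.
    """
    text = re.sub(r"//.*|#.*", "", named_conf)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    findings = []

    recursion = re.search(r"\brecursion\s+(yes|no)\s*;", text)
    allow_rec = re.search(r"\ballow-recursion\s*\{([^}]*)\}", text)
    dnssec = re.search(r"\bdnssec-validation\s+(yes|no|auto)\s*;", text)

    if recursion and recursion.group(1) == "yes" and allow_rec:
        acl_entries = re.findall(r"[\w.:/-]+", allow_rec.group(1))
        if "any" in acl_entries:
            findings.append("recursion is open to any client (allow-recursion { any; })")
    if dnssec and dnssec.group(1) == "no":
        findings.append("DNSSEC validation is disabled (dnssec-validation no)")
    return findings


# Constructed configurations: the weak shape beside the hardened one.
WEAK_OPTIONS = """
options {
    recursion yes;
    allow-recursion { any; };      // open resolver
    dnssec-validation no;
};
"""

HARDENED_OPTIONS = """
options {
    recursion yes;
    allow-recursion { localnets; localhost; 192.0.2.0/24; };  // trusted clients only
    dnssec-validation auto;
};
"""

if __name__ == "__main__":
    for banner in ("BIND 9.18.39 (Extended Support Version)", "BIND 9.18.41"):
        print(banner, "->", "AFFECTED" if is_affected(banner) else "not in affected ranges")
    for label, conf in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, "->", audit_options(conf) or ["no findings"])
```

The version check only compares against the ranges ISC published; a banner outside every range (for example a build between the last affected and first fixed release of a branch) is reported as "not in affected ranges" rather than "fixed", which is the conservative reading for an inventory pass.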

The proof-of-concept published by researcher N3mes1s demonstrates the injection technique in controlled environments, highlighting how attackers can monitor query patterns and respond faster than legitimate servers.

Security experts warn that this code could be adapted for real-world exploitation against unpatched systems.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
