The Internet Systems Consortium (ISC) has disclosed three critical vulnerabilities in BIND 9, the most widely deployed DNS software globally, posing significant risks to DNS infrastructure worldwide.
All three vulnerabilities were publicly disclosed on October 22, 2025, affecting DNS resolvers and potentially impacting millions of users worldwide.
Organizations running affected BIND 9 versions should prioritize immediate patching to prevent exploitation.
Critical DNS Infrastructure Threats
DNS serves as the foundational infrastructure for internet functionality, making these vulnerabilities particularly concerning for enterprise networks, internet service providers, and anyone relying on accurate domain name resolution.
The three vulnerabilities expose DNS infrastructure to distinct attack vectors that could compromise DNS resolution integrity and availability.
An attacker exploiting these flaws could redirect users to malicious websites, intercept communications, or launch denial-of-service attacks against critical services.
Two of the vulnerabilities achieve a CVSS score of 8.6, indicating critical severity, while the third scores 7.5, still classified as high risk.
All three require network-based remote exploitation without requiring authentication, making them relatively straightforward to attack under the right conditions.
Vulnerability Breakdown
| CVE ID | Title | CVSS 3.1 | Severity |
|---|---|---|---|
| CVE-2025-8677 | Resource exhaustion via malformed DNSKEY handling | 7.5 | High |
| CVE-2025-40778 | Cache poisoning attacks with unsolicited RRs | 8.6 | Critical |
| CVE-2025-40780 | Cache poisoning due to weak PRNG | 8.6 | Critical |
CVE-2025-8677 allows malformed DNSKEY records to cause resource exhaustion through CPU overload. When a DNS resolver queries specially crafted zones containing these malformed records, the server becomes overwhelmed, leading to denial of service for legitimate clients.
This vulnerability particularly threatens recursive resolvers, which handle DNS queries from end users.
CVE-2025-40778 and CVE-2025-40780 both enable cache poisoning attacks, allowing attackers to inject forged DNS records into a resolver’s cache.
CVE-2025-40778 exploits lenient record acceptance policies, while CVE-2025-40780 abuses a weakness in BIND’s pseudo-random number generator, enabling attackers to predict source ports and query IDs.
Successfully poisoned caches affect subsequent DNS queries, potentially redirecting users to attacker-controlled infrastructure indefinitely.
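The cache-poisoning risk from CVE-2025-40780 rests on an attacker being able to predict a resolver's outbound source ports and query IDs. A resolver operator can sanity-check those fields from a packet capture of outbound queries. The script below is an added example, not ISC code or part of the advisory: it audits a list of (source port, query ID) pairs for sequential structure and a narrow port range, the two patterns a weak generator produces. The two samples are constructed inline (one deliberately sequential, one from a fixed-seed PRNG) so the script runs offline; on a real resolver the pairs would come from the capture.

```python
"""Audit whether a resolver's outbound query source ports and query IDs look
randomized. Added example for the cache-poisoning discussion above; the
samples are constructed, not captured from a real resolver."""
import math
import random
from collections import Counter


def constructed_samples():
    """Return (weak, good) lists of (source_port, query_id) pairs.

    'weak' mimics a resolver that increments both fields per query, the kind
    of predictability a poisoning attack relies on; 'good' is drawn from a
    fixed-seed PRNG so the output is reproducible offline."""
    weak = [(10000 + i, 0x1000 + i) for i in range(200)]
    rng = random.Random(20251022)
    good = [(rng.randrange(1024, 65536), rng.randrange(0, 65536)) for _ in range(200)]
    return weak, good


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of a list of integers, in bits."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def fraction_sequential(values):
    """Share of consecutive observations that differ by exactly +1."""
    if len(values) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return hits / (len(values) - 1)


def audit_randomization(pairs, max_sequential=0.05, min_port_span=16384):
    """Summarize how predictable the (port, id) pairs are and flag weak ones.

    The thresholds are illustrative defaults chosen for this example."""
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    report = {
        "samples": len(pairs),
        # With n samples the entropy of any field is capped at log2(n), so on
        # a small capture the sequential and span checks carry the real signal.
        "port_entropy_bits": round(shannon_entropy_bits(ports), 2),
        "txid_entropy_bits": round(shannon_entropy_bits(txids), 2),
        "port_sequential": fraction_sequential(ports),
        "txid_sequential": fraction_sequential(txids),
        "port_span": max(ports) - min(ports),
        "distinct_pairs": len(set(pairs)),
    }
    report["weak"] = (
        report["port_sequential"] > max_sequential
        or report["txid_sequential"] > max_sequential
        or report["port_span"] < min_port_span
    )
    return report


if __name__ == "__main__":
    weak, good = constructed_samples()
    for name, sample in (("sequential resolver", weak), ("randomized resolver", good)):
        print(name, audit_randomization(sample))
```

The sequential sample is flagged on every check; the randomized sample passes. Note that a capture of a few hundred queries cannot prove a generator is strong, only reveal the obvious failure modes, so this is a triage check rather than a substitute for applying the patched release.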
Organizations should upgrade to patched BIND 9 versions immediately: 9.18.41, 9.20.15, or 9.21.14. Preview Edition users should upgrade to versions 9.18.41-S1 or 9.20.15-S1.
Currently, no known active exploits exist, and no workarounds are available, making patching the only mitigation strategy.
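Because patching is the only mitigation, the first practical step is confirming which branch and release each resolver runs. The script below is an added example, not ISC tooling: it parses the version banner that `named -v` prints and compares it with the first fixed release on each branch named above (9.18.41, 9.20.15, 9.21.14, with the Preview Edition carrying an -S1 suffix). The banner format is assumed from `named -v` output; the sample banner in the main block is constructed.

```python
"""Check a BIND 9 version banner against the first fixed release on each
branch named in the advisory. Added example, not ISC tooling."""
import re
import subprocess

# First patched release per maintained branch, as stated in the advisory.
FIXED_VERSIONS = {
    (9, 18): (9, 18, 41),
    (9, 20): (9, 20, 15),
    (9, 21): (9, 21, 14),
}

# Matches the leading "BIND X.Y.Z" of `named -v` output, with an optional
# Preview Edition "-S<n>" suffix. Distro suffixes such as "-1~deb12u2" are ignored.
VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")


def parse_version(banner):
    """Return (major, minor, patch, preview); preview is the S-number or None."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"not a BIND version banner: {banner!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    preview = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, preview


def is_patched(banner):
    """True if at or after the fixed release, False if behind it, None if the
    branch is not one the advisory names (e.g. an end-of-life branch), which
    needs manual review.

    Caveat: distribution packages often backport fixes without bumping the
    upstream version, so False means "check your vendor's advisory", not a
    confirmed vulnerable install."""
    major, minor, patch, _preview = parse_version(banner)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def local_named_banner():
    """Run `named -v` if it is installed; return its first line or None."""
    try:
        out = subprocess.run(["named", "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.splitlines()[0] if out.stdout else None


if __name__ == "__main__":
    # Constructed fallback banner so the script demonstrates itself without BIND installed.
    banner = local_named_banner() or "BIND 9.18.40 (Extended Support Version) <id:constructed>"
    verdict = {True: "patched", False: "UPDATE REQUIRED", None: "branch not in advisory"}
    print(banner, "->", verdict[is_patched(banner)])
```

Run it on each resolver host, or feed it banners collected by your configuration management tool. A `None` result for a branch such as 9.16 means the advisory does not list a fix for it, which on an end-of-life branch is itself a reason to plan a migration.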
The vulnerability research team from Tsinghua University and Nankai University discovered these issues, demonstrating a continued security research focus on DNS infrastructure.
With widespread BIND 9 adoption across the internet, rapid deployment of patches is essential to prevent large-scale exploitation campaigns targeting DNS resolution systems globally.