Multiple BIND 9 DNS Vulnerabilities Enable Cache Poisoning and Denial Of Service Attacks

The Internet Systems Consortium (ISC) disclosed three high-severity vulnerabilities in BIND 9 on October 22, 2025, potentially allowing remote attackers to conduct cache poisoning attacks or cause denial-of-service (DoS) conditions on affected DNS resolvers.

These flaws, tracked as CVE-2025-8677, CVE-2025-40778, and CVE-2025-40780, affect BIND instances that perform recursion (the resolvers organizations run for their own clients); authoritative-only servers are not affected.

With BIND powering a significant portion of the internet’s DNS infrastructure, administrators are urged to apply patches immediately to mitigate risks of service disruptions and malicious redirections.

Flaws Exposed In Resolver Logic

CVE-2025-8677 is a resource-exhaustion bug: a resolver that processes a zone containing malformed DNSKEY records can be driven into excessive CPU use while resolving queries that touch that zone, so an attacker only needs to get the resolver to look up names in a specially crafted zone.

Rated CVSS 7.5 (network-reachable, no authentication or user interaction, availability impact only), it lets a remote attacker degrade or stall resolution for legitimate clients.

ISC notes that authoritative-only servers are not affected, but any instance that performs recursion, including an authoritative server that also recurses for its clients, is exposed; this echoes ISC's long-standing knowledge-base guidance to keep the authoritative and recursive roles on separate servers.


The other two issues are cache-poisoning flaws, the class of attack that Dan Kaminsky's 2008 research showed could subvert DNS at internet scale.

CVE-2025-40778 (CVSS 8.6) stems from BIND being too lenient about which resource records it accepts from a response: records that were never asked for could be taken from a reply and stored, so an attacker who can get a forged reply accepted can plant data that corrupts later resolutions for every client of that resolver.

CVE-2025-40780 (CVSS 8.6) is a weak pseudo-random number generator (PRNG): under certain conditions the query IDs and UDP source ports BIND chooses for its outgoing queries become predictable. Those two values are what an off-path attacker would otherwise have to guess (roughly 32 bits of work) before a spoofed reply is accepted, so predicting them makes the classic poisoning race practical again.

Both carry a CVSS "scope: changed" rating because the damage is not confined to the resolver itself: a poisoned cache redirects every client that trusts it.
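To make the two poisoning conditions concrete, here is an added example (written for this article; it is not BIND code and not from ISC) that models the checks a resolver applies to an incoming reply: the transaction-ID and destination-port match that CVE-2025-40780's weak PRNG undermines, and the in-bailiwick and referenced-glue filter that CVE-2025-40778 concerns. Every name, address and message in it is constructed; the message model is a simplified Python structure rather than DNS wire format, and the acceptance rules are a generic illustration of the technique, not BIND's actual implementation.

```python
"""Resolver-side acceptance checks for a DNS reply (added example, not BIND code).

Models the two properties the cache-poisoning CVEs weaken:
  1. a reply is accepted only if it matches the outstanding query's
     transaction ID and destination port (CVE-2025-40780 makes these guessable);
  2. from an accepted reply, only in-bailiwick records and glue the reply
     itself refers to are cached (CVE-2025-40778 is BIND being too lenient here).
Messages are a simplified Python model, not wire format; all names, addresses
and messages below are constructed for the example.
"""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Query:
    qname: str
    qtype: str
    bailiwick: str   # zone the queried server is trusted for
    qid: int         # 16-bit transaction ID
    sport: int       # UDP source port the query left from


@dataclass
class Reply:
    qid: int
    dport: int       # port the reply was addressed to
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def canon(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone ("" or "." means the root)."""
    n, z = canon(name), canon(zone)
    return z == "" or n == z or n.endswith("." + z)


def new_query(qname: str, qtype: str, bailiwick: str) -> Query:
    """Outstanding query whose ID and source port come from a CSPRNG.
    If the generator is weak enough that an observer can predict these,
    an off-path attacker no longer has to guess ~32 bits per forgery."""
    return Query(qname, qtype, bailiwick,
                 qid=secrets.randbelow(1 << 16),
                 sport=1024 + secrets.randbelow(65536 - 1024))


def cacheable_records(q: Query, r: Reply):
    """RRs a careful resolver caches from r, or None if r is rejected outright."""
    if r.qid != q.qid or r.dport != q.sport:
        return None                       # not a reply to our query: drop it
    kept = []
    wanted = {canon(q.qname)}             # answer owner names we will accept
    for rr in r.answer:
        if canon(rr.name) in wanted and in_bailiwick(rr.name, q.bailiwick):
            kept.append(rr)
            if rr.rtype == "CNAME":       # follow the chain within the reply
                wanted.add(canon(rr.rdata))
    referenced = set()                    # NS targets named in the authority section
    for rr in r.authority:
        if in_bailiwick(rr.name, q.bailiwick):
            kept.append(rr)
            if rr.rtype == "NS":
                referenced.add(canon(rr.rdata))
    for rr in r.additional:               # glue only if referenced and in-bailiwick
        if (rr.rtype in ("A", "AAAA") and canon(rr.name) in referenced
                and in_bailiwick(rr.name, q.bailiwick)):
            kept.append(rr)
    return kept                           # everything else was unsolicited


def spoof_success_probability(entropy_bits: int, forged_packets: int) -> float:
    """Chance that at least one blind forgery matches both ID and port."""
    return 1.0 - (1.0 - 2.0 ** -entropy_bits) ** forged_packets


if __name__ == "__main__":
    q = new_query("www.example.com.", "A", "example.com.")
    # Constructed forgery that assumes the PRNG leaked q.qid and q.sport.
    forged = Reply(q.qid, q.sport,
                   answer=[RR("www.example.com.", "A", "198.51.100.7")],
                   authority=[RR("example.com.", "NS", "ns.attacker.test.")],
                   additional=[RR("ns.attacker.test.", "A", "203.0.113.9"),
                               RR("www.bank.example.", "A", "203.0.113.9")])
    for rr in cacheable_records(q, forged):
        print("cached:", rr)
    print("blind forgery, 16-bit ID only, 10k packets: %.3f"
          % spoof_success_probability(16, 10_000))
    print("blind forgery, ID + port, 10k packets: %.6f"
          % spoof_success_probability(32, 10_000))
```

Run it and note that the attacker's glue and the unrelated www.bank.example record are dropped, but the NS record for example.com itself is in-bailiwick and would be cached: bailiwick rules only limit what a forged reply can plant, while the ID and port match is what keeps the forgery out in the first place. That is why a predictable PRNG is as serious as the lenient-record bug, and why the two advisories share the same score.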

The issues were found by researchers from Nankai University, Tsinghua University, and the Hebrew University of Jerusalem, who are credited in ISC's advisories.

No active exploits are known yet, but the remote, unauthenticated nature heightens urgency given BIND’s widespread deployment.

Successful exploitation could lead to phishing, malware distribution, or man-in-the-middle attacks by diverting users to attacker-controlled sites.

For instance, poisoned caches might replace legitimate IP addresses with malicious ones, mimicking trusted domains and eroding user trust in online services.

DoS from CVE-2025-8677 risks operational downtime, financial losses, and reduced productivity for businesses reliant on stable DNS.

Affected versions run from BIND 9.11.0 through 9.21.12, plus the corresponding Supported Preview Editions; cloud and enterprise resolvers that serve many downstream clients carry the most risk. The 9.11 and 9.16 branches are end-of-life and will not receive fixes, so installations still on them need to move to a supported branch.

ISC's view is that these vulnerabilities show cache poisoning remains a live concern even with the post-Kaminsky mitigations (randomized query IDs and source ports) in place.

Distributions like Ubuntu and Red Hat have begun issuing updates, with package maintainers encouraged to release patches swiftly.

Mitigations

No workarounds exist, so upgrading to a fixed release is the only remedy: BIND 9.18.41, 9.20.15, or 9.21.14 for the standard branches, and the corresponding Supported Preview releases.

ISC also publishes the individual fixes as patches in the release directories for operators who build from source and want minimal changes. Administrators should review ISC's advisories and watch for their distribution's updates. Restricting recursion to trusted clients (BIND's allow-recursion ACL) and enabling DNSSEC validation reduce who can trigger these conditions and what forged data a validating resolver will believe for signed zones, but neither replaces the upgrade.
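A quick way to check an installed instance, as an added example (a script written for this article, not an ISC tool): it parses the output of `named -v` and compares the version against the fixed releases named above. The branch table, the treatment of anything below the fixed release as unpatched, and the classification of pre-9.18 branches as end-of-life are assumptions encoded in the script; adjust them if ISC's advisory for a specific build says otherwise.

```python
"""Decide whether an installed BIND 9 version carries the October 2025 fixes.

Added example, not an ISC tool. Assumptions (from the advisories as reported
above): first fixed releases are 9.18.41, 9.20.15 and 9.21.14, with matching
-S1 Supported Preview builds; branches older than 9.18 are end-of-life and
get no fix. Anything below the fixed patch level on a maintained branch is
treated as vulnerable. Input is the text `named -v` prints, e.g.
"BIND 9.18.39 (Extended Support Version) <id:abcdef0>".
"""
import re
import subprocess

# (major, minor) branch -> first patch level that contains the fixes
FIXED = {(9, 18): 41, (9, 20): 15, (9, 21): 14}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_version(text: str):
    """Return (major, minor, patch, preview_suffix) from named -v output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix or ""


def assess(text: str) -> str:
    """Classify as 'fixed', 'vulnerable', 'eol' (no fix will ship) or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor, patch, _suffix = v   # -S1 builds follow the same patch levels
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "vulnerable"
    if branch < (9, 18):
        return "eol"                   # 9.11/9.16/9.17: affected, no fix coming
    return "unknown"                   # branch not covered by the table: check the advisory


def installed_version(named: str = "named") -> str:
    """Run `named -v` on this host and return its output (requires BIND installed)."""
    out = subprocess.run([named, "-v"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    text = installed_version()
    print(text)
    print("status:", assess(text))
```

A status of "eol" means a package update will never arrive for that branch; the fix there is a migration to 9.18 or later, not a patch.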

As BIND evolves, such disclosures highlight the need for proactive patching in critical infrastructure.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.