A high-severity vulnerability in BIND 9 resolvers has been disclosed, potentially allowing attackers to poison caches and redirect internet traffic to malicious sites.
Tracked as CVE-2025-40778, the flaw affects over 706,000 exposed instances worldwide, as identified by internet scanning firm Censys.
Assigned a CVSS score of 8.6, the issue stems from BIND’s overly permissive handling of unsolicited resource records in DNS responses, which lets an off-path attacker (one who is not positioned between the resolver and the authoritative server) inject forged data into the cache.
The Internet Systems Consortium (ISC), maintainers of the widely used BIND software, released details on October 22, 2025, urging administrators to patch immediately.
BIND 9 powers a substantial portion of the internet’s domain name resolution, making this vulnerability particularly alarming for enterprises, ISPs, and governments relying on recursive resolvers.
While no active exploitation has been reported, the public release of a proof-of-concept (PoC) exploit on GitHub heightens the urgency, as it provides a blueprint for potential attackers to craft targeted assaults.
BIND 9 Resolver Vulnerability
At its core, CVE-2025-40778 stems from a logic flaw in BIND 9’s resolver: it accepts and caches resource records (RRs) beyond those needed to answer the original query.
During normal DNS operation, a recursive resolver sends queries to authoritative nameservers and expects the answer, authority, and additional sections of each response to contain only records relevant to that query.
The affected versions do not strictly limit what they cache to records the query justifies within the responding server’s bailiwick (the zone it is authoritative for). An attacker who can get a spoofed response accepted, by racing the legitimate server and matching the transaction ID and source port, can therefore smuggle in forged address records (A or AAAA entries) that point at infrastructure they control.
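To make the policy difference concrete, here is an added example (not BIND’s code; BIND has applied bailiwick checks for decades, and the exact acceptance change ISC shipped is not reproduced here). It models a response as sections of records and compares a lenient policy that caches every record it sees with a strict one that keeps only records the question and the server’s bailiwick justify. The `RR`, `Response`, `lenient_accept`, `strict_accept` and `build_cache` names and the forged response are constructed for illustration.

```python
"""Added example (not BIND's code): a simplified model of a resolver's
record-acceptance policy, showing the lenient behaviour CVE-2025-40778
describes beside a strict one. Names (RR, Response, lenient_accept,
strict_accept, build_cache) and the forged response are constructed here."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified, trailing dot
    rtype: str   # "A", "AAAA", "NS", "CNAME", "MX", ...
    rdata: str   # for NS/MX/SRV this holds the target host name
    ttl: int


@dataclass
class Response:
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` or lies below it, i.e. the server that is
    authoritative for `zone` is entitled to speak for `name`."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def lenient_accept(resp: Response, zone: str) -> list:
    """Too-lenient policy: every RR in the response is cached, whether or
    not the question justifies it (the flaw class behind CVE-2025-40778)."""
    return resp.answer + resp.authority + resp.additional


def strict_accept(resp: Response, zone: str) -> list:
    """Strict policy: an RR is cached only if the query needed it.
    - answer: owner must be the qname (or a name reached from it via CNAME)
    - authority: NS/SOA/DNSSEC records for the zone, in bailiwick
    - additional: only A/AAAA glue for hosts named by an NS/MX/SRV RR
      elsewhere in this response, and in bailiwick
    Everything else, in bailiwick or not, is dropped."""
    kept = []
    wanted = {resp.qname.lower()}
    for rr in resp.answer:
        if rr.name.lower() in wanted and in_bailiwick(rr.name, zone):
            kept.append(rr)
            if rr.rtype == "CNAME":
                wanted.add(rr.rdata.lower())
    for rr in resp.authority:
        if in_bailiwick(rr.name, zone) and rr.rtype in {"NS", "SOA", "DS", "NSEC", "NSEC3", "RRSIG"}:
            kept.append(rr)
    glue_targets = {rr.rdata.lower() for rr in kept if rr.rtype in {"NS", "MX", "SRV"}}
    for rr in resp.additional:
        if rr.rtype in {"A", "AAAA"} and rr.name.lower() in glue_targets and in_bailiwick(rr.name, zone):
            kept.append(rr)
    return kept


def build_cache(records: list) -> dict:
    """Index accepted RRs as (owner, type) -> [rdata, ...]."""
    cache = {}
    for rr in records:
        cache.setdefault((rr.name.lower(), rr.rtype), []).append(rr.rdata)
    return cache


# Constructed forged reply to "www.example.com. A", as an attacker racing the
# server for example.com. might send it. Two records are padding the attacker
# wants cached: one in bailiwick but unsolicited, one outside the bailiwick.
ZONE = "example.com."
FORGED = Response(
    qname="www.example.com.", qtype="A",
    answer=[RR("www.example.com.", "A", "192.0.2.10", 300)],
    authority=[RR("example.com.", "NS", "ns1.example.com.", 3600)],
    additional=[
        RR("ns1.example.com.", "A", "192.0.2.53", 3600),         # legitimate glue
        RR("mail.example.com.", "A", "198.51.100.77", 86400),    # unsolicited, in bailiwick
        RR("login.bank.example.", "A", "198.51.100.66", 86400),  # outside the bailiwick
    ],
)

LENIENT_CACHE = build_cache(lenient_accept(FORGED, ZONE))
STRICT_CACHE = build_cache(strict_accept(FORGED, ZONE))

if __name__ == "__main__":
    for label, cache in (("lenient", LENIENT_CACHE), ("strict", STRICT_CACHE)):
        print(label, sorted(cache))
```

The lenient cache ends up holding both padding records, so a later client lookup for either name is answered from the attacker’s data; the strict cache keeps only the answer and the glue that the NS record in the same response actually references. Note that the in-bailiwick `mail.example.com.` record is dropped too: being under the right zone is necessary but not sufficient, the query also has to have needed it.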
The vulnerability affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, and 9.21.0 through 9.21.12, together with the corresponding Supported Preview Edition (-S1) releases. Versions before 9.11.0 were not assessed and should be assumed vulnerable.
Only recursive resolver configurations are at risk; authoritative-only servers are unaffected unless recursion is enabled. Once a forged record is cached, the resolver serves it to every downstream client until its TTL expires (hours or days, bounded by BIND’s max-cache-ttl, which defaults to seven days), enabling phishing, data interception, or service disruption. Because clients are answered from cache, the redirection generates no fresh upstream lookups that might reveal it.
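A quick way to triage a fleet is to compare each resolver’s reported version against the ranges above. The following is an added example, not an ISC tool; it encodes the ranges exactly as the advisory lists them here, treats -S1 preview editions as tracking the same numbers, and returns "unassessed" for anything outside every listed range (pre-9.11.0 releases, development branches, or unparseable input), which should be treated as vulnerable until confirmed otherwise. The names `RANGES`, `parse_version` and `assess` are chosen here.

```python
"""Added example (not an ISC tool): classify a BIND 9 version string against
the CVE-2025-40778 ranges as listed in the ISC advisory. `RANGES`,
`parse_version` and `assess` are names chosen here."""
import re

# (first affected, last affected, first fixed release on that branch or None)
RANGES = [
    ((9, 11, 0), (9, 16, 50), None),          # 9.11 - 9.16: end of life, no fix
    ((9, 18, 0), (9, 18, 39), (9, 18, 41)),
    ((9, 20, 0), (9, 20, 13), (9, 20, 15)),
    ((9, 21, 0), (9, 21, 12), (9, 21, 14)),
]

# Matches "9.18.39" or "9.16.50-S1" anywhere in a string, so the raw output
# of `named -v` ("BIND 9.18.39 (Extended Support Version) <id:...>") works too.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_version(text: str):
    """Return ((major, minor, patch), is_preview_edition), or None if the
    text contains no version number."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4) is not None


def assess(version: str) -> str:
    """'affected', 'fixed' or 'unassessed'. 'unassessed' covers everything
    outside the listed ranges: pre-9.11.0 (not assessed by ISC), development
    branches, releases between a range end and the fixed release, and
    input with no version number. Treat it as affected until verified."""
    parsed = parse_version(version)
    if parsed is None:
        return "unassessed"
    v, _preview = parsed  # -S1 editions carry the same numbers as the base release
    for first, last, fixed in RANGES:
        if first <= v <= last:
            return "affected"
        if fixed is not None and v[:2] == fixed[:2] and v >= fixed:
            return "fixed"
    return "unassessed"


if __name__ == "__main__":
    import subprocess
    import sys

    # Use the version given on the command line, else ask the local named.
    banner = " ".join(sys.argv[1:])
    if not banner:
        try:
            banner = subprocess.run(["named", "-v"], capture_output=True, text=True).stdout
        except FileNotFoundError:
            sys.exit("named not found; pass a version string as an argument")
    print(banner.strip(), "->", assess(banner))
```

Remote resolvers often hide their version, so `dig @resolver version.bind txt chaos` is only a hint; the local `named -v` output, or the package version, is the authoritative input.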
Censys’s scan, conducted around the disclosure, revealed more than 706,000 vulnerable BIND instances openly accessible on the internet, underscoring the scale of exposure.
This number likely understates the total, since it excludes firewalled and internal deployments. The flaw is exploitable remotely with low complexity and no privileges (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N) and is classified as CWE-349, Acceptance of Extraneous Untrusted Data With Trusted Data.
Although it is scored purely as an integrity issue, a poisoned cache is a natural first step in broader attacks, such as man-in-the-middle interception of the redirected connections or steering large volumes of traffic at a victim host.
Proof-of-Concept and Exploitation Risks
The PoC, published on GitHub by researcher N3mes1s, demonstrates the injection technique using a controlled environment to spoof responses and verify cache poisoning.
It shows how an off-path attacker who can observe or trigger the resolver’s queries and deliver a forged response before the legitimate server can get records cached. The attacker must still match the query’s transaction ID and source port, so source-port randomization raises the cost of winning that race but does not remove the underlying acceptance flaw.
While the code is for educational purposes, security experts warn it could be adapted for real-world use, especially against unpatched systems.
No confirmed exploitation in the wild had been reported as of October 25, 2025. The disclosure arrived alongside a related BIND flaw, CVE-2025-40780, in which a weak pseudo-random number generator can make source ports and query IDs predictable, which also enables cache poisoning.
DNSSEC validation protects names in signed zones, because forged records fail validation and are not cached; unsigned zones, still the majority, get no such protection, and a resolver that is not validating gets none at all. Threat actors, including state-sponsored groups, have historically targeted DNS for persistence, making rapid patching critical.
To counter CVE-2025-40778, ISC recommends upgrading to a patched release: 9.18.41, 9.20.15, 9.21.14, or later (the 9.11 and 9.16 branches are end of life and receive no fix). Where an upgrade cannot happen immediately, restrict recursion to trusted clients with allow-recursion and allow-query-cache ACLs, enable DNSSEC validation so that forged records for signed names are rejected, lower max-cache-ttl to shorten how long a poisoned entry can persist, and watch the cache for anomalies using the statistics channel or periodic `rndc dumpdb -cache` snapshots. After patching, run `rndc flush` so that any record injected before the upgrade does not outlive it.
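As an added example (not configuration from ISC or the article), the following named.conf fragment shows the interim settings above applied together: the lenient defaults it replaces are an open allow-recursion, no DNSSEC validation, and the seven-day max-cache-ttl. The acl name, address ranges and port are assumptions for illustration; ACLs must be defined before they are referenced.

```conf
// Clients that may use this server as a recursive resolver (assumed ranges).
acl trusted { 127.0.0.1; ::1; 192.0.2.0/24; 2001:db8::/32; };

options {
    recursion yes;
    // Weak default: allow-recursion { any; }; lets anyone drive queries
    // at the resolver, which is what an off-path attacker needs to race.
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };

    // Weak default: dnssec-validation no; forged records for signed zones
    // are then cached like any other. "auto" validates against the built-in
    // root trust anchor.
    dnssec-validation auto;

    // Weak default: 604800 (7 days). A shorter cap bounds how long a
    // poisoned entry can be served; one day still keeps most traffic cached.
    max-cache-ttl  86400;
    max-ncache-ttl 3600;
};

// Expose resolver statistics locally so cache growth and unusual record
// counts can be scraped; pair with periodic `rndc dumpdb -cache`.
statistics-channels {
    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
```

Validate the result with `named-checkconf` before reloading, and remember that these settings reduce exposure rather than remove it: an attacker inside the trusted ranges, or targeting unsigned names, can still attempt the race until the resolver is upgraded.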
Organizations should inventory BIND instances on their networks, using Censys or Shodan for external exposure and `named -v` on each host for the authoritative version (remote `version.bind` queries are often suppressed), and prioritize high-traffic resolvers.
As BIND remains foundational to internet stability, this incident serves as a reminder of the ongoing cat-and-mouse game in DNS security, with ISC committing to enhanced validation in future releases.