706,000+ BIND 9 DNS Resolvers Exposed to Cache Poisoning

A critical vulnerability affecting more than 706,000 BIND 9 DNS resolvers worldwide has been disclosed with proof-of-concept exploit code now publicly available.

The security flaw enables attackers to perform cache poisoning attacks by injecting malicious DNS records into vulnerable resolver caches, potentially redirecting users to attacker-controlled infrastructure.

The vulnerability, tracked as CVE-2025-40778, was disclosed by the Internet Systems Consortium on October 22, 2025, carrying a CVSS severity score of 8.6.

Field               Value
CVE-ID              CVE-2025-40778
CVSS Score          8.6 (High)
Date of Disclosure  October 22, 2025

Security researchers at Censys have identified 706,477 vulnerable instances exposed on the internet at the time of disclosure, raising significant concerns about widespread exploitation risk.

How the Cache Poisoning Attack Works

The vulnerability exists in the way BIND 9 resolvers process DNS responses. Under normal circumstances, resolvers should only accept and cache DNS records that were explicitly requested in the original query.

However, affected versions of BIND 9 fail to properly validate whether answer-section resource records match the question being resolved.

This validation failure allows off-path attackers who can race or spoof DNS responses to inject forged address information into the resolver cache.

Once poisoned, the resolver serves these malicious records to downstream clients without triggering fresh DNS lookups.

Figure: Vulnerable instances by country

Attackers can exploit this to redirect any domain reachable through the vulnerable resolver, enabling credential theft, malware distribution, or man-in-the-middle attacks against unsuspecting users.

The vulnerability affects multiple version branches of BIND 9 resolver software spanning several years of releases.

Organizations running versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, or 9.21.0 through 9.21.12 are at risk.

ISC has released patched versions including 9.18.41, 9.20.15, and 9.21.14 that address the vulnerability by adding stricter filtering to discard mismatched resource record sets before caching.
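The filtering step described in the section above and in the fix, as an added illustrative example (constructed for this article, not BIND's code): a resolver asks for the A record of www.example.com and receives an answer section that also carries an unrelated A record for a different name. The permissive path caches everything it is handed; the strict path keeps only records tied to the question, following a CNAME chain as a legitimate exception. Names and addresses are constructed examples.

```python
"""Illustrative answer-section filter for a resolver cache (constructed example)."""
from typing import Dict, List, Tuple

RR = Tuple[str, str, str]  # (owner name, record type, rdata)
Cache = Dict[Tuple[str, str], List[str]]


def canon(name: str) -> str:
    """DNS names are case-insensitive and the trailing dot is optional."""
    return name.rstrip(".").lower()


def filter_answers(qname: str, qtype: str, answers: List[RR]) -> List[RR]:
    """Keep only answer RRs the question actually asked for.

    An RR is accepted when its owner is the question name, or a name reached
    through a CNAME chain that started at the question name, and its type is
    the queried type (or CNAME, which legitimately appears mid-chain).
    """
    allowed = {canon(qname)}
    kept: List[RR] = []
    for owner, rtype, rdata in answers:
        if canon(owner) not in allowed:
            continue  # owner name unrelated to the question: discard
        if rtype == "CNAME":
            kept.append((owner, rtype, rdata))
            allowed.add(canon(rdata))  # the chain continues at the target
        elif rtype == qtype:
            kept.append((owner, rtype, rdata))
    return kept


def cache_response(cache: Cache, qname: str, qtype: str,
                   answers: List[RR], strict: bool = True) -> Cache:
    """Insert a response into the cache, with or without question matching."""
    rrs = filter_answers(qname, qtype, answers) if strict else answers
    for owner, rtype, rdata in rrs:
        cache.setdefault((canon(owner), rtype), []).append(rdata)
    return cache


# Constructed response: a legitimate CNAME chain plus one record nobody asked for.
QNAME, QTYPE = "www.example.com.", "A"
ANSWERS: List[RR] = [
    ("www.example.com.", "CNAME", "web.example.com."),
    ("web.example.com.", "A", "192.0.2.10"),
    ("login.example.net.", "A", "203.0.113.7"),  # unrelated owner name
]


def demo() -> Tuple[Cache, Cache]:
    """Return (permissive cache, strict cache) for the constructed response."""
    permissive = cache_response({}, QNAME, QTYPE, ANSWERS, strict=False)
    strict = cache_response({}, QNAME, QTYPE, ANSWERS, strict=True)
    return permissive, strict
```

Only the strict cache ends up without the unrelated login.example.net entry; the permissive one would serve it to clients until it expires.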

A proof-of-concept exploit demonstrating the cache poisoning technique has been published on GitHub, making it easier for both security researchers and malicious actors to understand and potentially exploit the flaw.

While no active exploitation has been reported at the time of disclosure, the availability of working exploit code significantly increases the risk.

Organizations should prioritize upgrading their BIND 9 resolvers immediately and implement interim mitigations including restricting recursion to trusted clients and enabling DNSSEC validation.
