A newly disclosed security flaw has put more than 706,000 BIND 9 DNS resolvers worldwide at risk of cache poisoning attacks, according to an advisory published by the Internet Systems Consortium (ISC) on October 22, 2025. The vulnerability, identified as CVE-2025-40778, carries a CVSS v3.1 severity score of 8.6 (High) and could enable remote attackers to inject forged DNS records into resolver caches.
The issue, officially titled “Cache poisoning attacks with unsolicited RRs”, affects multiple supported and preview versions of BIND 9, the widely used open-source DNS software that powers much of the global internet name resolution infrastructure.
According to ISC’s documentation, the flaw stems from BIND’s overly permissive behavior when accepting certain DNS records in responses, making it possible for malicious actors to manipulate the resolver’s cache.
“Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache,” the advisory explains.
Decoding the CVE-2025-40778 Vulnerability
The ISC advisory lists the following BIND 9 versions as affected by CVE-2025-40778:
- BIND 9.11.0 → 9.16.50
- BIND 9.18.0 → 9.18.39
- BIND 9.20.0 → 9.20.13
- BIND 9.21.0 → 9.21.12
Additionally, the BIND Supported Preview Edition, a feature preview branch for ISC support customers, is also affected in the following versions:
- 9.11.3-S1 → 9.16.50-S1
- 9.18.11-S1 → 9.18.39-S1
- 9.20.9-S1 → 9.20.13-S1
While earlier versions (before 9.11.0) were not explicitly tested, ISC noted that they are likely impacted as well.
Nature of the Vulnerability
The CVE-2025-40778 flaw allows remote exploitation. Attackers could insert forged DNS records into a resolver’s cache during a query process. Once poisoned, these caches may respond with fraudulent results to future DNS requests, potentially redirecting users to malicious domains or attacker-controlled servers.
Although authoritative DNS servers are believed to be unaffected, the ISC warned that resolvers are particularly exposed. The organization also linked to guidance explaining why some authoritative servers might still make recursive queries, which could create unexpected exposure paths.
No Workarounds Available
ISC emphasized that there are currently no known workarounds for this vulnerability. The only effective mitigation is to upgrade to a patched version of BIND 9. The fixed releases include:
- 9.18.41
- 9.20.15
- 9.21.14
For ISC’s supported preview customers, the corresponding patched builds are:
- 9.18.41-S1
- 9.20.15-S1
Discovery and Acknowledgments
The vulnerability was reported to ISC by researchers Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan from Tsinghua University, who were credited in the official advisory. ISC’s internal documentation traces the disclosure timeline as follows:
- Early notification: October 8, 2025
- Revised disclosure date: October 14, 2025
- Updated fixed versions: October 15, 2025
- Public release: October 22, 2025
Recommendations
ISC urges administrators of DNS resolvers running BIND 9 to immediately assess their deployments and upgrade to the nearest fixed release. Given the widespread use of BIND in both enterprise and ISP environments, the number of potentially exposed servers—over 706,000—represents a big portion of the internet’s recursive resolution layer.
Organizations can review ISC’s full security advisory and BIND 9 vulnerability matrix for details on all affected versions. Additional guidance and technical discussion are available through the ISC knowledge base at https://kb.isc.org/docs/cve-2025-40778.
As DNS remains one of the most critical components of online infrastructure, the exposure of hundreds of thousands of BIND 9 resolvers to CVE-2025-40778 highlights the ongoing challenges of maintaining trust and security at the foundational layers of the internet.
