New Security Flaw Threatens Over 706,000 BIND 9 DNS Resolvers
A significant security vulnerability has been disclosed, impacting more than 706,000 BIND 9 DNS resolvers globally. The Internet Systems Consortium (ISC) released an advisory on October 22, 2025, detailing this critical flaw, tracked as CVE-2025-40778. Rated with a high severity score of 8.6 on the CVSS v3.1 scale, the issue permits remote attackers to introduce forged DNS records into resolver caches, potentially leading to cache poisoning attacks.
Understanding the Cache Poisoning Risk
This vulnerability, identified as “Cache poisoning attacks with unsolicited RRs,” affects various supported and preview versions of BIND 9, an essential open-source DNS software that underpins much of the global internet name resolution infrastructure. The ISC’s documentation explains that the flaw arises from BIND’s excessively permissive handling of specific DNS records in responses. This leniency allows malicious actors to manipulate the resolver’s cache, opening up a pathway for potential abuse.
“In certain scenarios, BIND accepts records too readily from responses, enabling an attacker to inject fraudulent data into the cache,” the advisory notes, emphasizing the importance of addressing this vulnerability swiftly.
Impacted BIND 9 Versions
The ISC has outlined specific versions of BIND 9 that are vulnerable to CVE-2025-40778:
- BIND 9.11.0 through 9.16.50
- BIND 9.18.0 through 9.18.39
- BIND 9.20.0 through 9.20.13
- BIND 9.21.0 through 9.21.12
For users of the BIND Supported Preview Edition—targeted at ISC support customers—the following versions are equally affected:
- 9.11.3-S1 through 9.16.50-S1
- 9.18.11-S1 through 9.18.39-S1
- 9.20.9-S1 through 9.20.13-S1
While earlier versions, specifically those preceding 9.11.0, were not directly tested, ISC indicated that they are also likely affected.
The Mechanism of Exploitation
The CVE-2025-40778 vulnerability enables remote exploitation, allowing attackers to inject forged DNS records into a resolver’s cache during the query process. Once this cache is poisoned, future DNS requests could yield dangerous results, potentially diverting users to malicious domains or servers controlled by attackers. While authoritative DNS servers appear unaffected, the ISC has alerted that resolvers are particularly vulnerable.
Moreover, there are instances where authoritative servers might still engage in recursive queries, thereby creating unintended exposure paths that could be exploited.
Addressing the Flaw: Current Options
According to the ISC’s advisory, there are currently no known workarounds for this vulnerability. The only reliable solution is to upgrade to a patched version of BIND 9. The updated releases addressing this flaw include:
- 9.18.41
- 9.20.15
- 9.21.14
For those using the supported preview versions, the patched builds available are:
- 9.18.41-S1
- 9.20.15-S1
Origin of the Security Flaw
This vulnerability was brought to ISC’s attention by researchers Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan from Tsinghua University, who have been acknowledged in the official advisory. The timeline of the disclosure is as follows:
- Initial notification: October 8, 2025
- Revised disclosure date: October 14, 2025
- Updated fixes made available: October 15, 2025
- Public advisory release: October 22, 2025
Next Steps for DNS Administrators
The ISC encourages DNS resolver administrators running BIND 9 to urgently evaluate their systems and upgrade to the latest patched release. With the number of exposed servers exceeding 706,000, this vulnerability poses a significant risk across many enterprise and ISP environments.
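As an added example (not part of the ISC advisory or this article), the following Python script classifies a BIND 9 version string against the affected and patched version ranges listed above, covering both the standard and the Supported Preview Edition (-S1) builds. The `named -v` sample line and the function names are my own constructions.

```python
import re

# Inclusive version ranges listed in the ISC advisory for CVE-2025-40778.
# Key "" is the standard release; "-S1" is the Supported Preview Edition.
AFFECTED = {
    "": [("9.11.0", "9.16.50"), ("9.18.0", "9.18.39"),
         ("9.20.0", "9.20.13"), ("9.21.0", "9.21.12")],
    "-S1": [("9.11.3", "9.16.50"), ("9.18.11", "9.18.39"),
            ("9.20.9", "9.20.13")],
}
# First patched release on each branch, per the advisory.
FIXED = {"": ["9.18.41", "9.20.15", "9.21.14"], "-S1": ["9.18.41", "9.20.15"]}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-S1)?$")

def parse(version):
    """'9.18.39-S1' -> ((9, 18, 39), '-S1'); suffix is '' for standard builds."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), (m.group(4) or "")

def extract_version(named_v_output):
    """Pull the upstream version out of `named -v` output, ignoring distro
    packaging suffixes such as '-1~deb12u1-Debian' (constructed example)."""
    m = re.search(r"\b(9\.\d+\.\d+(?:-S1)?)", named_v_output)
    if not m:
        raise ValueError("no BIND 9 version found in output")
    return m.group(1)

def assess(version):
    """'vulnerable', 'fixed', 'untested' (pre-9.11.0: not tested by ISC but
    expected to be affected) or 'unknown' (branch not covered by the advisory)."""
    num, suffix = parse(version)
    for lo, hi in AFFECTED[suffix]:
        if parse(lo)[0] <= num <= parse(hi)[0]:
            return "vulnerable"
    for fixed in FIXED[suffix]:
        fnum = parse(fixed)[0]
        if num[:2] == fnum[:2] and num >= fnum:
            return "fixed"
    if num < (9, 11, 0):
        return "untested"
    return "unknown"

if __name__ == "__main__":
    # Constructed `named -v` line. Distro packages may backport the fix without
    # bumping the upstream version, so treat "vulnerable" as "check with vendor".
    sample = "BIND 9.18.39-1~deb12u1-Debian (Extended Support Version) <id:x>"
    print(assess(extract_version(sample)))  # vulnerable
```

Distribution packages frequently carry backported fixes under an unchanged upstream version, so a "vulnerable" result from the version string alone should be confirmed against the vendor's own advisory.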
Organizations can consult ISC’s complete security advisory and the BIND 9 vulnerability matrix for details regarding all affected versions. Additional technical resources and guidance can be accessed through the ISC knowledge base at https://kb.isc.org/docs/cve-2025-40778.
The ongoing challenges associated with the DNS infrastructure underscore the importance of maintaining security and trust at the foundational levels of the internet.