PoC code drops for remotely exploitable BIND 9 DNS flaw (CVE-2025-40778)
A high-severity vulnerability (CVE-2025-40778) affecting BIND 9 DNS resolvers could be leveraged by remote, unauthenticated attackers to manipulate DNS entries via cache poisoning, allowing them to redirect Internet traffic to potentially malicious sites, distribute malware, or intercept network traffic.
While attackers have yet to be spotted exploiting the flaw, proof-of-concept (PoC) exploit code has been published, making it critical for administrators to patch internet-facing resolvers.
What is BIND 9?
BIND 9 is the latest, and the only actively maintained, version of Berkeley Internet Name Domain, the DNS software suite developed by the Internet Systems Consortium (ISC).
The suite allows systems – primarily running Linux and Unix-like distributions – to act as:
- Advertising (authoritative) DNS servers, which store and serve the official DNS records for domains, and/or
- Recursive (resolving) servers, which perform DNS lookups on behalf of clients by querying other DNS servers and can cache responses to speed up future lookups
Resolvers are typically set up by ISPs, organizations, or private networks to handle DNS requests for their users.
About CVE-2025-40778
CVE-2025-40778 can lead to cache poisoning because, as the ISC explains, “under certain circumstances, BIND is too lenient when accepting records from answers”.
Attackers can use it to inject forged records (i.e., IP – domain mappings) into the resolver’s cache during a query, and thus potentially affect resolution of future queries and redirect users to attacker-controlled assets.
The vulnerability affects various BIND 9 and BIND Supported Preview Edition versions, and has been fixed in BIND 9 versions 9.18.41, 9.20.15, and 9.21.14, and BIND Supported Preview Edition versions 9.18.41-S1 and 9.20.15-S1. These fixed versions also contain patches for an additional cache poisoning vulnerability and an issue that can lead to denial of service.
All three fixed vulnerabilities affect recursive DNS servers and, according to the German Federal Office for Information Security (BSI), authoritative DNS servers on which recursive functionality is mistakenly or intentionally enabled.
The vulnerabilities have no known workarounds, so admins are advised to upgrade to the patched release most closely related to their current version of BIND 9 as soon as possible.
Many Linux distributions have already integrated the fix or will soon release patches.
In general, the BSI advises operators of recursive DNS servers to:
- Restrict recursion to trusted clients
- Enable DNSSEC validation
- Monitor cache activity for unexpected records, and
- Reduce the maximum caching time to 24 hours or less, so that any poisoned entries don't persist for days.
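As an added example (not from the article, ISC or BSI), the following Python check turns the fixed-version list and the BSI hardening points above into something an operator can run against a version string and a named.conf `options` block. The two configuration fragments are constructed for illustration; the option names (`recursion`, `allow-recursion`, `dnssec-validation`, `max-cache-ttl`) are standard BIND 9 options.

```python
"""Check a BIND 9 version and a named.conf options block against the CVE-2025-40778
fix list and the BSI advice for recursive servers. Sample configs are constructed."""
import re

# Fixed releases per branch, as listed in the ISC advisory
FIXED = {(9, 18): (9, 18, 41), (9, 20): (9, 20, 15), (9, 21): (9, 21, 14)}

def is_patched(version: str) -> bool:
    """True if a version like '9.18.41' or '9.20.15-S1' is at or above the fixed
    release for its branch. Branches not in the advisory table (e.g. EOL 9.16)
    are conservatively reported as unpatched."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(v[:2])
    return fixed is not None and v >= fixed

def option(conf: str, name: str):
    """Return the value of a single-token option ('recursion yes;') or None.
    The lookbehind keeps 'recursion' from matching inside 'allow-recursion'."""
    m = re.search(rf"(?<![\w-]){name}\s+([^;{{]+);", conf)
    return m.group(1).strip() if m else None

def audit_resolver_config(conf: str) -> list:
    """Return findings against the BSI advice for recursive DNS servers."""
    findings = []
    if option(conf, "recursion") == "yes":
        # Recursion enabled with no (or an 'any') client restriction = open resolver
        acl = re.search(r"allow-recursion\s*\{([^}]*)\}", conf)
        if not acl or "any" in acl.group(1):
            findings.append("recursion is open to any client; restrict allow-recursion")
    if option(conf, "dnssec-validation") not in ("auto", "yes"):
        findings.append("dnssec-validation is not explicitly enabled")
    ttl = option(conf, "max-cache-ttl")
    # BSI: cap cache lifetime at 24 hours (86400 s) so poisoned records age out
    if ttl is None or not ttl.isdigit() or int(ttl) > 86400:
        findings.append("max-cache-ttl is unset, non-numeric or above 24 hours")
    return findings

# Constructed sample: weak settings beside the corrected ones
WEAK = """options {
    recursion yes;
    allow-recursion { any; };
    dnssec-validation no;
    max-cache-ttl 604800;
};"""
HARDENED = """options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    dnssec-validation auto;
    max-cache-ttl 86400;
};"""
```

The cache itself can be dumped for review of unexpected records with `rndc dumpdb -cache`, which writes it to the configured dump file.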