A high-severity flaw has been uncovered in BIND 9 resolvers that could allow attackers to poison DNS caches and redirect users to malicious domains.
The vulnerability, tracked as CVE-2025-40778, is relevant to more than 706,000 publicly exposed BIND instances worldwide, according to data from internet scanning company Censys. With a CVSS score of 8.6, the bug stems from BIND's lenient handling of unsolicited resource records in DNS replies: records that a reply should not have carried are accepted into the cache, which lets an off-path attacker, one who cannot see the resolver's traffic, inject forged data.
The Internet Systems Consortium (ISC), developers of BIND, disclosed details on October 22, 2025, and urged system administrators to apply patches immediately.
How the Vulnerability Works
BIND 9 serves as a major component of the global DNS infrastructure, powering countless recursive resolvers used by enterprises, ISPs, and government networks.
At its core, CVE-2025-40778 takes advantage of a logic flaw in how BIND's resolver processes DNS responses. During normal resolution, a resolver queries an authoritative nameserver and expects a reply containing only data that server is entitled to provide. Affected BIND versions fail to enforce a strict "bailiwick" check, the rule that discards records for names the responding nameserver is not authoritative for.
Because of this relaxed validation, an attacker who spoofs a reply and wins the race against the legitimate answer (which still requires matching the query's transaction ID and source port) can smuggle forged A or AAAA records for names outside the queried zone into the reply, redirecting users to attacker-controlled servers. Once cached, the forged data persists for as long as its Time-To-Live (TTL) allows, potentially hours or days, enabling phishing, data interception, or service outages.
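The difference between the lenient acceptance the advisory describes and a strict bailiwick check, as an added illustration that is not BIND's own code: a small Python model filters a constructed reply to `www.example.com. A` served by the `example.com` nameservers. The `RR` class, the helper names, and the sample records (including the injected `login.bank.example` and `mail.example.com` entries) are all constructed for this example.

```python
"""Strict vs. lenient handling of resource records in a DNS reply.

Added example, not BIND code. The RR class, the helper names and the sample
reply below are constructed for the demonstration; the records for
login.bank.example and mail.example.com model injected data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # record type: A, AAAA, NS, CNAME, SOA, ...
    rdata: str   # record data: an address, or a target name for NS/CNAME
    ttl: int     # seconds the record may stay cached


def _labels(name):
    """Split a domain name into lower-cased labels, ignoring the trailing dot."""
    return tuple(label.lower() for label in name.rstrip(".").split(".") if label)


def in_bailiwick(name, zone):
    """True if name equals zone or lies beneath it (case-insensitive)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def lenient_accept(sections):
    """The behaviour the advisory describes: every RR in the reply is cached."""
    return [rr for rrs in sections.values() for rr in rrs]


def strict_accept(qname, zone, sections):
    """Keep only RRs a resolver may trust from a reply served by zone's
    nameservers. Returns (accepted, rejected); rejected entries are
    (section, rr, reason)."""
    accepted, rejected = [], []
    wanted = {_labels(qname)}   # names the answer section may describe
    ns_targets = set()          # hostnames this reply delegates to
    for section in ("answer", "authority", "additional"):
        for rr in sections.get(section, []):
            owner = _labels(rr.name)
            if not in_bailiwick(rr.name, zone):
                rejected.append((section, rr, "out of bailiwick"))
                continue
            if section == "answer" and owner not in wanted:
                rejected.append((section, rr, "answer for a name that was not queried"))
                continue
            if section == "additional" and (rr.rtype not in ("A", "AAAA") or owner not in ns_targets):
                rejected.append((section, rr, "unsolicited additional record"))
                continue
            if rr.rtype == "CNAME":
                wanted.add(_labels(rr.rdata))        # follow the alias chain
            if rr.rtype == "NS":
                ns_targets.add(_labels(rr.rdata))    # glue for these names is expected
            accepted.append(rr)
    return accepted, rejected


# Constructed reply to "www.example.com. A" from example.com's nameservers.
SAMPLE = {
    "answer": [
        RR("www.example.com.", "A", "192.0.2.10", 3600),
        RR("login.bank.example.", "A", "198.51.100.5", 86400),   # injected, out of bailiwick
    ],
    "authority": [RR("example.com.", "NS", "ns1.example.com.", 3600)],
    "additional": [
        RR("ns1.example.com.", "A", "192.0.2.1", 3600),          # legitimate glue
        RR("mail.example.com.", "A", "198.51.100.9", 86400),     # injected, unsolicited
    ],
}

if __name__ == "__main__":
    lenient = lenient_accept(SAMPLE)
    accepted, rejected = strict_accept("www.example.com.", "example.com.", SAMPLE)
    print(f"lenient caches {len(lenient)} RRs, strict caches {len(accepted)}")
    for section, rr, why in rejected:
        print(f"  dropped [{section}] {rr.name} {rr.rtype} {rr.rdata}: {why}")
```

The lenient path caches all five records, including a bogus address for `login.bank.example` that the `example.com` servers had no business answering for; the strict path keeps only the queried answer, the delegation, and the glue it references.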
Vulnerable Versions
The issue impacts:
- BIND 9 versions 9.11.0 through 9.16.50
- Versions 9.18.0 through 9.18.39
- Versions 9.20.0 through 9.20.13
- Versions 9.21.0 through 9.21.12
- The Supported Preview Editions of the same branches
Older builds before 9.11.0 are likely vulnerable as well, but they are end-of-life and were not formally assessed. Only recursive resolvers are at risk; authoritative-only configurations are not affected unless recursion is enabled.
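An added Python helper (not ISC tooling) that classifies a BIND version string against the ranges listed above, for use on output such as `dig +short version.bind CH TXT @resolver`. The `classify` and `parse_version` names and the return labels are assumptions for the example; the version ranges come from the list above.

```python
"""Classify a BIND version banner against the affected and fixed ranges.

Added example, not ISC tooling. Ranges are those listed in the article;
function names and the result labels are assumptions for this example.
"""
import re

# Affected ranges, inclusive, from the advisory as reported above.
AFFECTED = [
    ((9, 11, 0), (9, 16, 50)),
    ((9, 18, 0), (9, 18, 39)),
    ((9, 20, 0), (9, 20, 13)),
    ((9, 21, 0), (9, 21, 12)),
]
# First fixed release per maintained branch.
FIXED = {(9, 18): (9, 18, 41), (9, 20): (9, 20, 15), (9, 21): (9, 21, 14)}

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch, preview) from text such as '"9.18.39-S1"'
    or 'BIND 9.20.14'. Returns None if no version number is present."""
    m = _VER.search(text)
    if not m:
        return None
    major, minor, patch, preview = m.groups()
    return (int(major), int(minor), int(patch), int(preview) if preview else 0)


def classify(text):
    """Return one of: affected, fixed, unassessed-eol, check-advisory, unknown."""
    v = parse_version(text)
    if v is None:
        return "unknown"             # banner hidden or not BIND: verify the package directly
    base = v[:3]                     # Supported Preview Editions track the base version
    if base < (9, 11, 0):
        return "unassessed-eol"      # likely vulnerable, not formally assessed
    for low, high in AFFECTED:
        if low <= base <= high:
            return "affected"
    fixed = FIXED.get(base[:2])
    if fixed is not None and base >= fixed:
        return "fixed"
    return "check-advisory"          # a build outside both lists, e.g. an unlisted branch


if __name__ == "__main__":
    for banner in ('"9.18.39"', "9.18.41-S1", "BIND 9.20.15", "9.10.8", "Hidden"):
        print(f"{banner:16} -> {classify(banner)}")
```

The version banner can be hidden (`version "none";` in `named.conf`) or edited, so treat "unknown" and any surprising result as a prompt to check the installed package rather than as proof of safety.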
Extent of Exposure
A global scan by Censys found over 706,000 BIND instances exposed to the internet. The figure counts exposed servers rather than confirmed-exploitable ones, and it likely underestimates the total impact because it excludes internal or firewalled deployments.
The vulnerability is classified under CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data). It is primarily an integrity issue, and a poisoned cache can also serve as a launch point for man-in-the-middle or denial-of-service attacks.
Proof-of-Concept and Exploitation Risk
A proof-of-concept (PoC) exploit published on GitHub by researcher N3mes1s demonstrates how cache poisoning can occur through response spoofing. The PoC shows an attacker observing DNS queries and answering faster than the legitimate server, bypassing protections such as source port randomization in certain cases.
Although released for educational purposes, experts warn that threat actors could adapt it for malicious use. No active exploitation had been reported as of October 25, 2025. The disclosure arrived alongside a related flaw, CVE-2025-40780, in which a weak pseudo-random number generator makes BIND's source ports and query IDs predictable; combined with CVE-2025-40778, that removes much of the guesswork a spoofing attacker otherwise faces.
Mitigation and Defense
The ISC advises upgrading immediately to a patched version:
- 9.18.41,
- 9.20.15,
- 9.21.14, or later,
or the corresponding Supported Preview Edition release.
If upgrading is not possible, organizations should:
- Limit recursion to trusted IP ranges with an `allow-recursion` Access Control List (ACL), so outside attackers cannot trigger the queries they need to race
- Enable DNSSEC validation so forged records for signed zones are rejected cryptographically; it does nothing for unsigned domains
- Monitor resolver cache activity via BIND's statistics channel for unexpected entries
- Avoid caching records from the additional section where the deployment allows, and rate-limit queries from untrusted sources
These steps reduce exposure but do not remove the flaw; only the upgrade does.
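An added Python audit that checks a `named.conf` fragment for the first two mitigations above, shown with a constructed weak configuration beside a hardened one. Neither fragment is from the page or from a real deployment; the `trusted` ACL, its network ranges and the `audit` function are assumptions for the example, while `allow-recursion`, `dnssec-validation` and `version` are real BIND options.

```python
"""Audit a named.conf fragment for open recursion and disabled DNSSEC validation.

Added example, not ISC tooling. The two fragments below are constructed;
the ACL name and ranges are placeholders, the option names are real.
"""
import re

WEAK_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;              // recursion open to every client
    dnssec-validation no;       // forged records for signed zones are accepted
};
"""

HARDENED_CONF = """
acl trusted { 127.0.0.0/8; 10.0.0.0/8; 192.168.0.0/16; };   /* placeholder ranges */
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { trusted; };   // only these networks can trigger resolution
    dnssec-validation auto;         // validate using the built-in root trust anchor
    version "none";                 // hide the build from banner scans
};
"""


def _strip_comments(conf):
    """Remove /* */, // and # comments so commented-out options are not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def _option(conf, name):
    """Return the value of `name value;` or `name { ... };`, or None if absent.
    The lookbehind keeps `recursion` from matching inside `allow-recursion`."""
    pattern = r"(?<![\w-])" + re.escape(name) + r"\s+(\{[^}]*\}|[^;{]+);"
    m = re.search(pattern, conf)
    return m.group(1).strip() if m else None


def audit(conf):
    """Return a list of findings; an empty list means the checks passed."""
    conf = _strip_comments(conf)
    findings = []
    recursion = _option(conf, "recursion")
    if recursion is None or recursion.lower() == "yes":    # BIND recurses by default
        allow = _option(conf, "allow-recursion")
        if allow is None or allow.replace(" ", "") == "{any;}":
            findings.append("recursion is open to any client: add allow-recursion { <trusted>; }")
    validation = _option(conf, "dnssec-validation")
    if validation is None:
        findings.append("dnssec-validation not set explicitly: set dnssec-validation auto")
    elif validation.lower() not in ("auto", "yes"):
        findings.append("dnssec-validation is off: set dnssec-validation auto")
    if _option(conf, "version") is None:
        findings.append("version banner exposed: set version \"none\" to hide the build")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

Run it against your own `named.conf` by reading the file into `audit`; the regex handling is intentionally simple, so include statements spread across `include` files before trusting a clean result.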
Security teams are also encouraged to use Censys or Shodan to identify exposed BIND instances on their networks, keeping in mind that a resolver with a hidden version banner will not show up in such scans and must be checked by package version instead.
As BIND remains a foundation of global DNS infrastructure, this incident underlines how DNS security challenges keep evolving and why proactive patch management matters.