A critical vulnerability has been identified in BIND 9 Domain Name System (DNS) resolvers, potentially allowing attackers to poison caches and redirect internet traffic to malicious destinations. This flaw, designated as CVE-2025-40778, affects more than 706,000 publicly accessible instances worldwide, as reported by internet scanning firm Censys.
The vulnerability arises from BIND accepting resource records it did not ask for when it processes DNS responses. An off-path attacker (one who cannot observe the resolver's traffic and therefore has to spoof responses blind) whose forged response is accepted can use this leniency to make the resolver cache records for names it never queried, after which clients are sent to attacker-controlled destinations with no visible sign of the substitution.
The Internet Systems Consortium (ISC), which maintains BIND software, disclosed details of this issue on October 22, 2025, urging immediate action from administrators. Given that BIND 9 underpins a significant portion of the internet’s domain name resolution infrastructure, this vulnerability poses a substantial risk to enterprises, internet service providers (ISPs), and governmental bodies that rely on recursive resolvers.
No exploitation in the wild has been reported so far, but a proof-of-concept (PoC) exploit has been published on GitHub, which lowers the effort required to attack unpatched resolvers and makes prompt remediation more urgent.
Understanding the Vulnerability
CVE-2025-40778 is a logic flaw in BIND 9's resolver, which accepts and caches resource records that were not part of the original query. A recursive resolver sends a query to an authoritative nameserver and should accept from the response only the records relevant to that query: the answer itself, authority records for the zone that was asked about, and additional records (such as glue) for names within that zone.
Affected versions of BIND 9 do not enforce this strictly enough. Bailiwick checking, which confines cached records to names within the zone the queried server is authoritative for, is what stops a response from one zone from planting records for an unrelated domain. Without it, a forged response can carry address records (A or AAAA) for arbitrary names that redirect users to attacker-controlled infrastructure.
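As an added illustration (not BIND's code and not from the article), the following Python script models the check that the fix enforces: it parses a constructed DNS response, including RFC 1035 name compression, and keeps only the records whose owner names fall within the zone the resolver queried. The names and addresses are made up for the example and use the documentation address ranges; the bailiwick rule used here (owner name equal to or beneath the queried zone) is a simplification, not BIND's actual acceptance logic.

```python
import struct
from typing import Dict, List, Tuple

# Added example, not BIND's code: a simplified model of the bailiwick check a
# resolver must apply before caching records from an authoritative response.
TYPE_A, TYPE_NS = 1, 2
Record = Tuple[str, int, str]  # (owner name, rtype, rdata as text)


def encode_name(name: str, offsets: Dict[str, int], pos: int) -> bytes:
    """Wire-encode a name starting at message offset pos, emitting a compression
    pointer (RFC 1035 section 4.1.4) once a suffix has already been written."""
    out, labels = b"", [lab for lab in name.rstrip(".").split(".") if lab]
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in offsets:
            return out + struct.pack(">H", 0xC000 | offsets[suffix])
        offsets[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname: str, answer: List[Record], authority: List[Record],
                   additional: List[Record]) -> bytes:
    """Build a response (QR and AA set) to an A query for qname."""
    offsets: Dict[str, int] = {}
    sections = (answer, authority, additional)
    msg = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, *(len(s) for s in sections))
    msg += encode_name(qname, offsets, len(msg)) + struct.pack(">HH", TYPE_A, 1)
    for records in sections:
        for owner, rtype, rdata in records:
            msg += encode_name(owner, offsets, len(msg))
            if rtype == TYPE_A:
                rd = bytes(int(octet) for octet in rdata.split("."))
            else:  # NS target; +10 skips the fixed RR header packed just below
                rd = encode_name(rdata, offsets, len(msg) + 10)
            msg += struct.pack(">HHIH", rtype, 1, 300, len(rd)) + rd
    return msg


def read_name(msg: bytes, pos: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; also return the offset just past it."""
    labels, end, hops = [], -1, 0
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:  # compression pointer: remember where we left off
            end = pos + 2 if end < 0 else end
            pos = struct.unpack(">H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end >= 0 else pos)


def parse_response(msg: bytes) -> Tuple[str, List[List[Record]]]:
    """Return the question name and the answer, authority and additional sections."""
    counts = struct.unpack(">HHHHHH", msg[:12])[3:]  # ANCOUNT, NSCOUNT, ARCOUNT
    qname, pos = read_name(msg, 12)
    pos += 4  # skip QTYPE and QCLASS
    sections: List[List[Record]] = []
    for count in counts:
        records: List[Record] = []
        for _ in range(count):
            owner, pos = read_name(msg, pos)
            rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
            pos += 10
            if rtype == TYPE_A:
                rdata = ".".join(str(b) for b in msg[pos:pos + rdlen])
            elif rtype == TYPE_NS:
                rdata, _ = read_name(msg, pos)
            else:
                rdata = msg[pos:pos + rdlen].hex()
            pos += rdlen
            records.append((owner, rtype, rdata))
        sections.append(records)
    return qname, sections


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the queried zone itself or a name beneath it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def filter_response(msg: bytes, zone: str) -> Tuple[List[Record], List[Record]]:
    """Split records into those a resolver may cache (inside the bailiwick of the
    zone it queried) and those it must discard."""
    kept, dropped = [], []  # type: List[Record], List[Record]
    for records in parse_response(msg)[1]:
        for record in records:
            (kept if in_bailiwick(record[0], zone) else dropped).append(record)
    return kept, dropped


# Constructed response from example.com's nameserver: a genuine answer and glue,
# plus an unsolicited A record for a name outside example.com (documentation IPs).
POISONED = build_response(
    "www.example.com",
    [("www.example.com", TYPE_A, "192.0.2.10")],
    [("example.com", TYPE_NS, "ns1.example.com")],
    [("ns1.example.com", TYPE_A, "192.0.2.53"),
     ("login.bank.test", TYPE_A, "198.51.100.66")],
)

if __name__ == "__main__":
    print(filter_response(POISONED, "example.com"))
```

Run as a script, it prints the three in-bailiwick records as cacheable and the login.bank.test record as discarded. A vulnerable resolver, in the article's description, is one that would cache all four; the patched behaviour corresponds to keeping only the first list. The pointer-hop limit in read_name is there because a parser that follows compression pointers without bound can be looped forever by a malformed response.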
The vulnerability affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, and 9.21.0 through 9.21.12, together with the corresponding Supported Preview Editions. Versions before 9.11.0 were not assessed but are believed to be affected as well.
Only servers that perform recursion are at risk; an authoritative-only server is unaffected unless recursion is enabled on it. Once a forged record is in the cache, the resolver serves it to every downstream client without consulting the authoritative server again until the record's time-to-live (TTL) expires, which can be hours or days. During that window the redirection can be used for phishing, interception of traffic, or denial of service against the legitimate destination.
Censys’s scan, conducted around the time of disclosure, identified over 706,000 vulnerable BIND instances openly accessible on the internet, highlighting the extensive exposure. This figure likely underrepresents the total number of vulnerable instances, as it does not account for those behind firewalls or within internal networks.
The flaw is classified as CWE-349 (acceptance of extraneous untrusted data with trusted data). It is exploitable remotely over the network, with low attack complexity and no privileges required. Its direct impact is on data integrity, but a poisoned resolver also enables follow-on attacks: redirected traffic can be intercepted from a man-in-the-middle position, or steered away from a legitimate service to cause a denial of service.
Proof-of-Concept and Exploitation Risks
A PoC exploit published on GitHub by the researcher N3mes1s demonstrates the technique: spoofed DNS responses carrying records the resolver did not ask for, which a vulnerable BIND then caches. Being off-path, the attacker cannot see the resolver's outgoing query, so a forged response still has to arrive before the legitimate one and match the resolver's randomized source port and 16-bit transaction ID. The flaw does not remove those guesses; what it adds is that a single winning forgery can plant records for names well outside the zone that was queried.
The PoC is published for educational purposes, but it can be adapted for use against unpatched systems. As of October 25, 2025, no exploitation in the wild has been confirmed.
CVE-2025-40778 was disclosed at the same time as other DNS weaknesses, notably CVE-2025-40780, in which a weak pseudo-random number generator makes BIND's source ports and query IDs predictable, so an attacker can spoof responses and poison the cache with far fewer guesses. DNSSEC validation blocks forged records for zones that are signed, but it offers no protection for unsigned zones, which remain the majority. DNS infrastructure has long been a target for threat actors, including state-sponsored groups, because control of name resolution gives durable access to victims' traffic, which makes prompt patching essential.
Mitigation Strategies
To address CVE-2025-40778, ISC recommends upgrading to the patched releases 9.18.41, 9.20.15, or 9.21.14 (or the corresponding Supported Preview Editions), or later. ISC lists no workaround for this flaw, so the measures below reduce exposure for organizations that cannot update immediately but do not remove the vulnerability:
– Restrict recursion: use access control lists (allow-recursion and allow-query-cache in named.conf) so that only trusted clients can make the resolver issue queries. An open resolver lets any attacker on the internet trigger the queries they then try to race with forged responses.
– Enable DNSSEC validation: with dnssec-validation enabled, the resolver rejects forged records for signed zones; unsigned zones receive no protection from it.
– Inspect the cache: dump it with rndc dumpdb -cache (written to the dump-file path, named_dump.db by default) and look for records whose owner names do not belong to the zones that were queried. The statistics channel reports counters, not cache contents, so it is of limited use here.
– Do not rely on a configuration setting to drop unsolicited records: BIND has no option that discards additional-section data it would otherwise cache, and the stricter acceptance logic exists only in the patched releases.
– Limit fetch volume: fetches-per-zone and fetches-per-server cap the number of outstanding upstream queries, which bounds how many poisoning races an attacker can trigger at once, though it does not prevent a successful one.
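The following named.conf fragment, added here as an example and not taken from ISC or the article, shows how the measures above look in practice. The ACL networks, limits and dump-file path are placeholders to be replaced with values appropriate to the deployment.

```conf
// Added example, not configuration from ISC or the article above.
// The networks below are placeholders for your own client ranges.
acl "trusted" { 10.0.0.0/8; 192.168.0.0/16; localhost; localnets; };

options {
    recursion yes;
    // Restrict queries, recursion and cache reads to trusted clients only:
    // an open resolver lets anyone on the internet drive the queries an
    // attacker then tries to race with forged responses.
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    // DNSSEC validation rejects forged records, but only for signed zones.
    dnssec-validation auto;

    // Cap outstanding upstream fetches so a single client cannot trigger an
    // unbounded number of queries to race. Values are illustrative.
    fetches-per-zone 200;
    fetches-per-server 500;
    recursive-clients 1000;

    // Where "rndc dumpdb -cache" writes the cache for inspection.
    dump-file "/var/cache/bind/named_dump.db";
};
```

After changing the file, named-checkconf validates the syntax and rndc reconfig applies it; rndc dumpdb -cache then writes the current cache to the dump-file path so it can be searched for owner names that do not belong to any zone the resolver should have learned about. None of this substitutes for the upgrade, since the acceptance check itself is only changed in the patched code.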
Organizations should also locate every BIND resolver they operate. Censys and Shodan show what is reachable from the internet; for internal hosts, run named -v on each server, or query the resolver directly with dig @resolver version.bind txt chaos (the answer may be suppressed by the version option), and compare the version against the affected ranges above. High-traffic resolvers should be patched first.
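A small Python checker, added here as an example and not an ISC tool, that classifies a BIND version string against the affected and fixed versions stated above. The banners in it are constructed, not real scan output, and the function names are the example's own.

```python
import re
from typing import Optional, Tuple

# Added example, not an ISC tool: classify a BIND version banner against the
# affected ranges and fixed releases stated for CVE-2025-40778.
Version = Tuple[int, int, int]

AFFECTED = [((9, 11, 0), (9, 16, 50)), ((9, 18, 0), (9, 18, 39)),
            ((9, 20, 0), (9, 20, 13)), ((9, 21, 0), (9, 21, 12))]
FIXED = {(9, 18): (9, 18, 41), (9, 20): (9, 20, 15), (9, 21): (9, 21, 14)}

# Matches the leading part of `named -v` output or a version.bind CH TXT answer,
# e.g. "BIND 9.18.39 (Extended Support Version)". The -S suffix of Supported
# Preview Editions is ignored because their numeric ranges line up with the above.
BANNER_RE = re.compile(r"BIND (\d+)\.(\d+)\.(\d+)(?:-S\d+)?")


def parse_banner(banner: str) -> Optional[Version]:
    m = BANNER_RE.search(banner)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def assess(version: Version) -> str:
    """Return one of: fixed, affected, affected-no-fix, unassessed, unknown."""
    branch = version[:2]
    if branch in FIXED and version >= FIXED[branch]:
        return "fixed"
    if any(lo <= version <= hi for lo, hi in AFFECTED):
        # 9.11 and 9.16 have no fixed release listed; only a branch upgrade helps.
        return "affected" if branch in FIXED else "affected-no-fix"
    if version < (9, 11, 0):
        return "unassessed"  # older than the ranges ISC assessed; treat as affected
    return "unknown"  # e.g. a release between the last affected and first fixed


def assess_banner(banner: str) -> str:
    version = parse_banner(banner)
    return assess(version) if version else "unknown"


# Constructed banners (not real scan output) for a quick self-check.
SAMPLE_BANNERS = [
    "BIND 9.18.39 (Extended Support Version)",
    "BIND 9.20.15 (Stable Release)",
    "BIND 9.16.50-S1 (Supported Preview)",
    "BIND 9.10.8",
    "version hidden",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: {assess_banner(banner)}")
```

Feed it the output of named -v collected from each host, or the TXT answer from dig @resolver version.bind txt chaos. A result of unknown (a version string that is hidden, or a release that falls between the last affected and the first fixed version of its branch) should be checked against ISC's release notes rather than assumed safe.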
As BIND remains a cornerstone of internet stability, this incident underscores the ongoing challenges in DNS security. The ISC has committed to enhancing validation mechanisms in future releases to prevent similar vulnerabilities.