EXECUTIVE SUMMARY:
Multiple high-severity vulnerabilities were found in the BIND 9 DNS software, affecting recursive resolver components. These flaws can allow remote attackers to perform cache poisoning or cause denial-of-service (DoS) conditions. The identified issues — CVE-2025-8677, CVE-2025-40778, and CVE-2025-40780 — carry CVSS scores between 7.5 and 8.6, indicating significant risk. Attackers can exploit these flaws without authentication to disrupt DNS resolution or redirect traffic to malicious destinations. While authoritative DNS servers are not directly impacted, recursive resolvers used by organizations remain highly exposed, putting critical internet and enterprise services at risk.
CVE-2025-8677: This vulnerability occurs when specially crafted DNSKEY records in specific zones cause excessive CPU usage on affected resolvers. Attackers can exploit this weakness remotely without authentication, triggering performance degradation or complete service interruption. This condition can lead to extended downtime and loss of service availability, particularly in environments relying on recursive DNS lookups.
CVE-2025-40778: This flaw is linked to BIND’s permissive handling of unsolicited resource records in DNS responses. Attackers can inject forged data into the resolver cache, corrupting legitimate entries. Once poisoned, subsequent DNS queries may resolve to attacker-controlled IP addresses, enabling traffic redirection, phishing, or malware delivery through spoofed domains. This mirrors classic cache poisoning attacks that compromise DNS integrity.
CVE-2025-40780: This vulnerability arises from weak pseudo-random number generation, which makes query IDs and source ports predictable. Attackers can exploit this predictability to craft malicious replies that match legitimate DNS requests, successfully inserting forged responses into the cache. Compromised caches can redirect users to unsafe destinations, enabling man-in-the-middle attacks or credential theft across networked environments.
RECOMMENDATION:
We strongly recommend you upgrade to BIND versions 9.18.41, 9.20.15, or 9.21.14.
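As an added triage check (not code from ISC or from the authors of this advisory), the following Python script parses `named -v` banners collected from resolvers and reports whether each is at or above the fixed release for its maintenance branch. The branch table is taken from the recommendation above; it assumes that branches not named there (for example 9.16 or 9.19) cannot be judged from this advisory and are reported as unknown.

```python
import re
from typing import Optional

# Fixed releases named in this advisory, keyed by maintenance branch (major, minor).
# Assumption: any branch missing from this table gets no verdict from this script.
FIXED_VERSIONS = {
    (9, 18): (9, 18, 41),
    (9, 20): (9, 20, 15),
    (9, 21): (9, 21, 14),
}

# Matches the upstream version at the start of a `named -v` banner such as
# "BIND 9.18.40 (Extended Support Version) <id:...>". Distribution suffixes
# (e.g. "-1+deb12u2-Debian") and the release-type tag are ignored.
_VERSION_RE = re.compile(r"BIND\s+(\d+)\.(\d+)\.(\d+)")


def parse_bind_version(banner: str) -> Optional[tuple[int, int, int]]:
    """Return (major, minor, patch) from a `named -v` banner, or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_fixed(banner: str) -> Optional[bool]:
    """True if the version is at or above the fixed release for its branch,
    False if it is older, None if the banner or branch is not covered here."""
    version = parse_bind_version(banner)
    if version is None:
        return None
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed  # tuple comparison: (9, 18, 40) < (9, 18, 41)


def triage(banners: dict[str, str]) -> dict[str, str]:
    """Map each host name to a verdict for a batch of collected banners."""
    label = {True: "fixed", False: "UPGRADE", None: "unknown branch/format"}
    return {host: label[is_fixed(b)] for host, b in banners.items()}


if __name__ == "__main__":
    # Constructed sample banners; the host names and build ids are not real.
    sample = {
        "resolver-a": "BIND 9.18.40 (Extended Support Version) <id:0000000>",
        "resolver-b": "BIND 9.20.15 (Stable Release) <id:0000000>",
        "resolver-c": "BIND 9.21.13-1+deb13u1-Debian (Development Release) <id:0000000>",
        "resolver-d": "BIND 9.16.50 (Extended Support Version) <id:0000000>",
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Distribution packages often backport fixes without bumping the upstream version, so treat an UPGRADE verdict as a prompt to confirm against the package changelog rather than as proof of exposure.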
REFERENCES:
The following reports contain further technical details: