Tracked as CVE-2025-40778, the vulnerability affects over 706,000 exposed instances worldwide, according to internet scanning firm Censys.
The vulnerability carries a CVSS score of 8.6 and stems from BIND’s overly permissive handling of unsolicited resource records in DNS responses.
This design flaw enables off-path attackers to inject forged data without requiring direct network access.
The Internet Systems Consortium (ISC), which maintains BIND software, released details on October 22, 2025, urging administrators to apply patches immediately.
BIND 9 powers a substantial portion of the internet’s domain name resolution infrastructure, making this vulnerability particularly concerning for enterprises, internet service providers, and government agencies that rely on recursive resolvers.
While no active exploitation has been reported, the public release of a proof-of-concept exploit on GitHub significantly heightens the urgency, as it provides attackers with a blueprint for crafting targeted assaults.
CVE-2025-40778 exploits a logic flaw in BIND 9’s resolver that accepts and caches resource records not part of the original query.
During normal DNS operations, recursive resolvers send queries to authoritative nameservers and expect responses containing only relevant data.
However, affected versions fail to strictly enforce bailiwick principles, which limit records to the queried domain’s authority zone.
This weakness allows attackers to race or spoof responses, injecting fake address records like A or AAAA entries pointing to attacker-controlled infrastructure.
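As an added illustration (not ISC's or BIND's own code), the Python below sketches the bailiwick rule described above: a response from a nameserver authoritative for one zone may only populate the cache with records whose owner names fall inside that zone, and everything else is discarded before caching. The record types, names, addresses and the sample response are constructed for the example.

```python
# Added example (not ISC/BIND code): a minimal bailiwick filter showing the
# rule the article says affected resolvers fail to enforce strictly. Records in
# a response are kept only if their owner name lies inside the zone the answering
# nameserver is authoritative for; everything else is dropped before caching.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.example.org."
    rtype: str   # "A", "AAAA", "NS", ...
    rdata: str   # textual record data


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name below it (label-wise, not a substring match)."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(records: list[RR], zone: str) -> tuple[list[RR], list[RR]]:
    """Return (accepted, rejected) for a response from a server authoritative for `zone`."""
    accepted = [r for r in records if in_bailiwick(r.name, zone)]
    rejected = [r for r in records if not in_bailiwick(r.name, zone)]
    return accepted, rejected


# Constructed sample: a response from example.org's nameserver that answers the
# query for www.example.org but also carries records the resolver never asked for.
SAMPLE_RESPONSE = [
    RR("www.example.org.", "A", "192.0.2.10"),
    RR("ns1.example.org.", "A", "192.0.2.53"),
    RR("login.bank.example.", "A", "198.51.100.66"),  # out of bailiwick: must not be cached
    RR("notexample.org.", "A", "198.51.100.67"),      # suffix trick: not a subdomain of example.org
]

if __name__ == "__main__":
    ok, dropped = filter_response(SAMPLE_RESPONSE, "example.org.")
    for r in ok:
        print("cache  ", r)
    for r in dropped:
        print("discard", r)
```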
The vulnerability impacts BIND 9 versions from 9.11.0 through 9.16.50, 9.18.0 to 9.18.39, 9.20.0 to 9.20.13, and 9.21.0 to 9.21.12, including Supported Preview Editions.
Versions prior to 9.11.0 may also be vulnerable but have not been assessed.
Only recursive resolver configurations are at risk, while authoritative-only servers remain unaffected unless recursion is enabled.
Once poisoned, caches can misdirect downstream clients for hours or days, depending on TTL values, leading to phishing attacks, data interception, or service disruptions.
ISC recommends upgrading to patched versions, including 9.18.41, 9.20.15, 9.21.14, or later releases.
Organizations unable to update immediately should restrict recursion to trusted clients via access control lists, enable DNSSEC validation to cryptographically verify responses, and monitor cache contents for anomalies using BIND’s statistics channel.
Disabling additional section caching or implementing rate limiting on queries can further reduce exposure.
Organizations should scan their networks for vulnerable BIND instances using tools from Censys or Shodan and prioritize high-traffic resolvers.
The proof-of-concept published by researcher N3mes1s demonstrates the injection technique in controlled environments, highlighting how attackers can monitor query patterns and respond faster than legitimate servers.
Security experts warn that this code could be adapted for real-world exploitation against unpatched systems.
The post Over 706,000 BIND 9 Resolvers Exposed to Cache Poisoning Attacks – PoC Released appeared first on Cyber Security News.