The Internet Systems Consortium (ISC) has issued patches for three high-severity vulnerabilities impacting the BIND 9 DNS server, including two that could enable cache poisoning attacks (CVE-2025-40778, CVE-2025-40780) and another that can lead to CPU exhaustion (CVE-2025-8677).
All three flaws are remotely exploitable and primarily affect recursive resolvers, with authoritative servers believed to be unaffected.
The most severe of the three vulnerabilities, CVE-2025-40780 (CVSS 8.6), arises from a weakness in the pseudo-random number generator used by BIND to select source ports and query IDs.
This flaw makes it possible for attackers to predict DNS transaction identifiers, allowing them to inject malicious responses into the resolver’s cache — a classic cache poisoning attack.
“BIND can be tricked into caching attacker responses, if the spoofing is successful,” ISC wrote, warning that resolvers are affected while authoritative services are believed to be unaffected.
Affected versions:
- BIND 9.16.0 → 9.16.50
- BIND 9.18.0 → 9.18.39
- BIND 9.20.0 → 9.20.13
- BIND 9.21.0 → 9.21.12
The vulnerability can be exploited remotely without authentication, potentially allowing attackers to redirect users to malicious sites or tamper with DNS records.
Another cache poisoning flaw, CVE-2025-40778 (CVSS 8.6), affects the way BIND handles unsolicited resource records (RRs) in DNS responses. Under certain conditions, BIND’s resolver is too lenient when accepting records from DNS answers, which allows attackers to inject forged data into the cache during normal query operations.
“Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache,” the advisory explained. “Forged records can be injected into cache during a query, which can potentially affect resolution of future queries.”
Affected versions:
- BIND 9.11.0 → 9.16.50
- BIND 9.18.0 → 9.18.39
- BIND 9.20.0 → 9.20.13
- BIND 9.21.0 → 9.21.12
This flaw poses a similar threat to CVE-2025-40780 — allowing attackers to manipulate DNS answers and redirect users to phishing or malware distribution sites.
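The advisory's point that a resolver is "too lenient when accepting records from answers" is easiest to see against the check a resolver normally applies before caching anything. The following is an added illustration, not code from ISC or from BIND, of a minimal bailiwick filter: records whose owner name is not at or below the zone the query was sent for are discarded rather than cached. The response it filters is constructed for the example.

```python
# Added example (not from the ISC advisory or BIND's source): a minimal
# "bailiwick" filter of the kind a recursive resolver applies before caching
# records from a response. Anything outside the zone that the queried server
# is authoritative for is dropped, however plausible it looks.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, e.g. "www.example.com."
    rtype: str  # record type, e.g. "A" or "NS"
    rdata: str  # record data as text


def _labels(name: str) -> list[str]:
    """Split a dotted name into case-folded labels, ignoring the root dot."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it.

    The comparison is label-wise, not a string-suffix test, so that
    'badexample.com.' is NOT treated as being under 'example.com.'.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_cacheable(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split response records into those safe to cache and those to discard."""
    keep = [rr for rr in records if in_bailiwick(rr.name, zone)]
    drop = [rr for rr in records if not in_bailiwick(rr.name, zone)]
    return keep, drop


# Constructed sample response, as if returned by a server for example.com.
# The last two records do not belong to that zone and must never be cached.
RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("example.com.", "NS", "ns1.example.com."),
    RR("ns1.example.com.", "A", "192.0.2.53"),
    RR("badexample.com.", "A", "198.51.100.7"),     # string-suffix trap
    RR("login.bank.example.", "A", "198.51.100.9"),  # unrelated zone
]

if __name__ == "__main__":
    kept, dropped = filter_cacheable("example.com.", RESPONSE)
    for rr in kept:
        print("cache  ", rr.name, rr.rtype, rr.rdata)
    for rr in dropped:
        print("discard", rr.name, rr.rtype, rr.rdata)
```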
The third vulnerability, CVE-2025-8677 (CVSS 7.5), can cause CPU exhaustion when a BIND resolver queries malformed DNSKEY records within specially crafted zones. An attacker could exploit this remotely to degrade performance or cause a denial of service, preventing legitimate users from resolving domain names.
“Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion,” ISC wrote. “An attacker could overwhelm the server, significantly impacting performance and leading to denial of service for legitimate clients.”
Affected versions:
- BIND 9.18.0 → 9.18.39
- BIND 9.20.0 → 9.20.13
- BIND 9.21.0 → 9.21.12
As with the cache poisoning flaws, resolvers are vulnerable, while authoritative services are believed to be unaffected.
ISC strongly recommends upgrading to patched releases corresponding to the currently deployed major version:
| Branch | Fixed Version |
|---|---|
| BIND 9.18 | 9.18.41 |
| BIND 9.20 | 9.20.15 |
| BIND 9.21 | 9.21.14 |
| BIND Supported Preview Edition | 9.18.41-S1, 9.20.15-S1 |