On October 22, 2025, the Internet Systems Consortium (ISC) disclosed multiple vulnerabilities in BIND 9, the world’s most widely used DNS software. Among these, CVE-2025-40778 and CVE-2025-40780 present high-severity cache poisoning risks, while CVE-2025-8677 introduces a high-severity denial-of-service threat. Exploitation of these flaws could allow attackers to manipulate DNS responses, redirect users to malicious sites, or disrupt critical services. Immediate patching is essential for organizations relying on affected BIND 9 versions.
Critical DNS Infrastructure Threats
DNS serves as the backbone of the internet, translating domain names into IP addresses. Vulnerabilities in BIND 9 create significant risks for:
- Enterprise networks
- Internet service providers
- Any organization dependent on accurate domain resolution
Exploitation could enable attackers to:
- Redirect users to malicious domains
- Intercept sensitive communications
- Launch denial-of-service attacks (T1499) against critical systems
All three vulnerabilities can be exploited remotely without authentication, increasing the ease of potential attacks.
Vulnerability Breakdown
CVE-2025-40778
- CVSS Score: 8.6 (High)
- Impact: The resolver accepts records from responses too leniently, so a forged record can be injected into its cache.
- EPSS Score: 0.01%
- Affected Product: BIND 9 versions: 9.11.0 -> 9.16.50, 9.18.0 -> 9.18.39, 9.20.0 -> 9.20.13, 9.21.0 -> 9.21.12
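The defence against lenient record acceptance is a strict bailiwick policy: a resolver caches only records that the queried server is entitled to speak for. The following Python is an added illustration of that general rule, written for this page; it is not ISC's code and does not reproduce BIND's actual acceptance logic. The response model, the three section rules and the sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Minimal model of a DNS response (constructed for this illustration; not a
# wire-format parser and not BIND's own data structures).
@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # record type, e.g. "A", "NS"
    rdata: str   # record data as text

@dataclass
class Response:
    qname: str
    qtype: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)

def _labels(name: str) -> List[str]:
    """Split a domain name into lowercase labels; the root "." becomes []."""
    stripped = name.rstrip(".").lower()
    return stripped.split(".") if stripped else []

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and (len(z) == 0 or n[-len(z):] == z)

def sanitize_response(resp: Response, zone: str) -> Tuple[Response, List[RR]]:
    """Return a copy of `resp` holding only records a strict resolver would
    cache, plus the list of dropped records.

    zone: the zone the queried server was chosen for (its bailiwick).
    Rules (a common strict policy, assumed here rather than taken from BIND):
      - answer: owner must be the query name or a CNAME target reached from
        it, and must be in bailiwick;
      - authority: only NS/SOA records whose owner is in bailiwick;
      - additional: only A/AAAA glue for names that kept NS records point
        at, and only if the owner is in bailiwick.
    """
    kept = Response(resp.qname, resp.qtype)
    dropped: List[RR] = []
    wanted = {resp.qname.lower()}
    for rr in resp.answer:
        if rr.name.lower() in wanted and in_bailiwick(rr.name, zone):
            kept.answer.append(rr)
            if rr.rtype == "CNAME":
                wanted.add(rr.rdata.lower())
        else:
            dropped.append(rr)
    ns_targets = set()
    for rr in resp.authority:
        if rr.rtype in ("NS", "SOA") and in_bailiwick(rr.name, zone):
            kept.authority.append(rr)
            if rr.rtype == "NS":
                ns_targets.add(rr.rdata.lower())
        else:
            dropped.append(rr)
    for rr in resp.additional:
        if (rr.rtype in ("A", "AAAA") and rr.name.lower() in ns_targets
                and in_bailiwick(rr.name, zone)):
            kept.additional.append(rr)
        else:
            dropped.append(rr)
    return kept, dropped

def demo() -> Tuple[Response, List[RR]]:
    """Constructed response from a server chosen for the example.com. zone,
    padded with records that should never reach the cache (constructed data,
    RFC 5737 documentation addresses)."""
    resp = Response(
        qname="www.example.com.", qtype="A",
        answer=[RR("www.example.com.", "A", "192.0.2.10")],
        authority=[
            RR("example.com.", "NS", "ns1.example.com."),
            RR("bank.example.net.", "NS", "ns1.example.com."),  # out of bailiwick
        ],
        additional=[
            RR("ns1.example.com.", "A", "192.0.2.53"),         # glue, wanted
            RR("ns2.example.com.", "A", "192.0.2.54"),         # unsolicited
            RR("www.bank.example.net.", "A", "203.0.113.5"),   # foreign name
        ],
    )
    return sanitize_response(resp, "example.com.")
```

Running `demo()` keeps one record per section and drops three: the foreign NS record, the unsolicited glue, and the A record for a name outside example.com. A CNAME that points out of the zone is also left out of the answer, since a strict resolver re-queries for it rather than trusting the same server.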
CVE-2025-40780
- CVSS Score: 8.6 (High)
- Impact: Predictable source ports and query IDs due to a weak pseudo-random number generator allow attackers to poison DNS caches.
- EPSS Score: 0.01%
- Affected Product: BIND 9 versions: 9.16.0 -> 9.16.50, 9.18.0 -> 9.18.39, 9.20.0 -> 9.20.13, 9.21.0 -> 9.21.12
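Whether a resolver's outgoing queries are well randomised is something an operator can measure from a packet capture of its upstream traffic: the source port and query ID should each show close to the maximum entropy for the sample size, and IDs should not step up by one. The Python below is an added example written for this page (not ISC's test and not part of BIND); the entropy and sequential-step thresholds are assumptions chosen for illustration, and both sample sets are constructed.

```python
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

def shannon_bits(values: List[int]) -> float:
    """Shannon entropy of the observed value distribution, in bits."""
    n = len(values)
    if n == 0:
        return 0.0
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def sequential_fraction(values: List[int], modulus: int = 65536) -> float:
    """Fraction of consecutive pairs that differ by exactly +1 (mod modulus)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % modulus == 1)
    return steps / (len(values) - 1)

def assess_randomness(samples: List[Tuple[int, int]]) -> Dict[str, object]:
    """samples: (source_port, query_id) pairs observed on a resolver's
    outgoing queries. Returns metrics and a verdict. The 0.8 normalised
    entropy floor and the 0.25 sequential ceiling are assumed thresholds."""
    ports = [p for p, _ in samples]
    ids = [q for _, q in samples]
    # With n samples the most entropy any column can show is log2(n) bits.
    max_bits = math.log2(len(samples)) if len(samples) > 1 else 1.0
    port_bits = shannon_bits(ports)
    id_bits = shannon_bits(ids)
    seq = sequential_fraction(ids)
    predictable = (port_bits / max_bits < 0.8
                   or id_bits / max_bits < 0.8
                   or seq > 0.25)
    return {
        "samples": len(samples),
        "port_entropy_bits": round(port_bits, 3),
        "id_entropy_bits": round(id_bits, 3),
        "distinct_ports": len(set(ports)),
        "id_sequential_fraction": round(seq, 3),
        "verdict": "predictable" if predictable else "randomized",
    }

def weak_sample(n: int = 256) -> List[Tuple[int, int]]:
    """Constructed: one fixed source port, query IDs counting up by one."""
    return [(53, (1000 + i) % 65536) for i in range(n)]

def good_sample(n: int = 256, seed: int = 7) -> List[Tuple[int, int]]:
    """Constructed: ports and IDs drawn uniformly (seeded so the run repeats)."""
    rng = random.Random(seed)
    return [(rng.randint(1024, 65535), rng.randint(0, 65535)) for _ in range(n)]

if __name__ == "__main__":
    for label, sample in (("weak", weak_sample()), ("good", good_sample())):
        print(label, assess_randomness(sample))
```

On a real resolver the `samples` list would come from the (source port, ID) columns of captured outbound UDP/53 queries; a few hundred queries is enough to separate a fixed port and counting IDs from a properly randomised resolver, which is the contrast the two constructed sets show.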
CVE-2025-8677
- CVSS Score: 7.5 (High)
- Impact: Malformed DNSKEY records can overwhelm a DNS resolver, causing denial-of-service for legitimate queries.
- EPSS Score: 0.03%
- Affected Product: BIND 9 versions: 9.18.0 -> 9.18.39, 9.20.0 -> 9.20.13, 9.21.0 -> 9.21.12
Affected Products
- BIND 9 versions: 9.11.0 -> 9.16.50, 9.18.0 -> 9.18.39, 9.20.0 -> 9.20.13, 9.21.0 -> 9.21.12, including Supported Preview Editions.
Mitigation & Recommendations
The only effective mitigation is to immediately upgrade to patched versions:
- BIND 9.18.41, 9.20.15, or 9.21.14
- Preview Editions: 9.18.41-S1 or 9.20.15-S1
Currently, there are no known active exploits and no workarounds; patching is the sole protection. Major distributions like Ubuntu and Red Hat have released updates.
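To confirm whether a given server is on a fixed release, the version reported by `named -v` can be compared against the affected ranges and fixed releases listed above. The Python below is an added example written for this page, not a tool from ISC or any distribution; it takes the first x.y.z triple from whatever string it is given (so distribution and "-S1" preview suffixes are tolerated), and the range and fix tables are copied from this advisory's text. A version that falls between a listed affected range and the fixed release is reported as "unknown" rather than guessed at.

```python
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and fixed releases exactly as listed in the advisory text.
AFFECTED_RANGES = [
    ((9, 11, 0), (9, 16, 50)),
    ((9, 18, 0), (9, 18, 39)),
    ((9, 20, 0), (9, 20, 13)),
    ((9, 21, 0), (9, 21, 12)),
]
FIXED_BY_BRANCH = {
    (9, 18): (9, 18, 41),
    (9, 20): (9, 20, 15),
    (9, 21): (9, 21, 14),
}

# First x.y.z triple in the text; anything after it (e.g. "-S1", a distro
# suffix, the parenthesised edition name) is ignored for the comparison.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Version:
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)

def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)

def check_bind_version(text: str) -> Tuple[str, Optional[str]]:
    """Classify a `named -v` line (or bare version) against the advisory.
    Returns (status, fixed_release): status is "patched", "affected" or
    "unknown" (a release this page's ranges do not cover). fixed_release is
    None for branches with no fixed release listed here (9.11 through 9.16)."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    fixed_str = fmt(fixed) if fixed else None
    if fixed and v >= fixed:
        return "patched", fixed_str
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected", fixed_str
    return "unknown", fixed_str

if __name__ == "__main__":
    # Usage: python3 check_bind.py "$(named -v)"; the fallback string below
    # is a constructed sample, not output from a real server.
    line = " ".join(sys.argv[1:]) or "BIND 9.18.39 (Extended Support Version)"
    status, fixed = check_bind_version(line)
    print(f"{line}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
```

Because no fixed release is listed on this page for the 9.11 to 9.16 branches, a server on those versions comes back as "affected" with no fix to point at, which is the signal to move it to one of the maintained branches rather than wait for a point release.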
Tactics, Techniques, and Procedures (TTPs)
The exploitation of these vulnerabilities aligns with MITRE ATT&CK tactics and techniques:
- TA0006 – Reconnaissance: Identify vulnerable DNS infrastructure
- TA0001 – Initial Access: Exploit public-facing DNS services
- TA0003 – Persistence: Maintain long-term access
- TA0005 – Defense Evasion: Avoid detection while injecting malicious records
- TA0011 – Command and Control: Control compromised DNS servers
- TA0008 – Lateral Movement: Access additional network systems
- TA0042 – Resource Development: Prepare infrastructure for attacks
- TA0007 – Discovery: Locate vulnerable systems
- TA0002 – Execution: Execute malicious code
- TA0009 – Collection: Gather sensitive information
- TA0010 – Exfiltration: Steal data from compromised systems
- TA0040 – Impact: Disrupt services or redirect users
- T1188 – Cache Poisoning: Inject false DNS records
- T1190 – Exploit Public-Facing Application: Target exposed DNS services
Instantly Fix Risks with Saner Patch Management
Saner patch management is continuous, automated, and integrated patching software that quickly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.