BIND 9 Vulnerabilities Expose DNS Servers to Cache Poisoning and DoS


The Internet Systems Consortium (ISC) has disclosed three high-severity vulnerabilities in BIND 9, one of the most widely deployed DNS server implementations in the world.

All three vulnerabilities were publicly disclosed on October 22, 2025, affecting DNS resolvers and potentially impacting millions of users worldwide. Organizations running affected BIND 9 versions should prioritize immediate patching to prevent exploitation.

The three vulnerabilities open distinct attack paths against DNS infrastructure: two undermine the integrity of what a resolver caches, and the third attacks its availability.

DNS underpins nearly every other network service, so these flaws matter to enterprise networks, internet service providers, and anyone who depends on accurate name resolution.

An attacker exploiting them could steer users to attacker-controlled hosts, intercept traffic that trusts the forged answer, or take a resolver out of service for its legitimate clients.

Two of the vulnerabilities carry a CVSS 3.1 base score of 8.6 and the third 7.5; all three are rated High (8.6 falls just below the 9.0 threshold for Critical).

All three can be triggered remotely over the network without authentication. What an attacker needs is either the ability to make the resolver look up a zone they control, or the ability to race spoofed responses to it.

Vulnerability Details

CVE ID           Title                                               CVSS 3.1   Severity
CVE-2025-8677    Resource exhaustion via malformed DNSKEY handling   7.5        High
CVE-2025-40778   Cache poisoning attacks with unsolicited RRs        8.6        High
CVE-2025-40780   Cache poisoning due to weak PRNG                    8.6        High

CVE-2025-8677 is a denial-of-service flaw: when a resolver queries a specially crafted zone containing malformed DNSKEY records, processing those records consumes excessive CPU, and the server stops answering legitimate clients in a timely way.

Recursive resolvers are the primary target, because they look up arbitrary names on behalf of end users and can therefore be steered into querying an attacker-controlled zone.

CVE-2025-40778 and CVE-2025-40780 both enable cache poisoning, in which an attacker gets forged DNS records stored in a resolver's cache.

CVE-2025-40778 exists because BIND is too lenient about which records it accepts from an answer: under certain circumstances it caches resource records it never asked for (unsolicited RRs) instead of discarding them. CVE-2025-40780 is a weakness in the pseudo-random number generator BIND uses to choose the UDP source port and the query ID of outgoing queries; in specific circumstances an attacker can predict both, which strips away the 16-bit port plus 16-bit ID entropy that normally makes blind response spoofing impractical and lets a forged answer win the race against the real one.

A poisoned entry is served to every client of that resolver until it expires or the cache is flushed, and since the attacker sets the TTL on the forged record, a single successful injection can redirect users to attacker-controlled infrastructure for a long time.
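The defence against the first of these two issues is the bailiwick and relevance check a resolver applies to every record before caching it. The following is an added illustration of that check in simplified form, not ISC's code and not how BIND implements it internally: records the resolver did not ask about, or whose owner lies outside the zone the answering server is authoritative for, are rejected instead of cached. The record tuples and addresses are constructed for the example, not captured traffic.

```python
"""Simplified resolver-side cache admission check (added example, not BIND code).

Every record in a response is tested against two rules before it may be cached:
  1. bailiwick: the owner name must be at or below the zone the answering
     server is authoritative for;
  2. relevance: answer records must be for a name we asked about (following a
     CNAME chain), authority records must be delegation data (NS/SOA), and
     additional records may only be address glue for NS names just listed.
The SAMPLE response below is constructed data for the demonstration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str      # owner name
    rtype: str     # record type, e.g. "A", "NS", "CNAME"
    rdata: str     # record data (address or target name)
    section: str   # "answer", "authority" or "additional"


def norm(name: str) -> str:
    """Lower-case a name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is at or below zone, e.g. www.example.com. under example.com."""
    owner, zone = norm(owner), norm(zone)
    return zone == "." or owner == zone or owner.endswith("." + zone)


def filter_cacheable(qname: str, qtype: str, zone: str, rrs: list[RR]):
    """Split rrs into (accepted, rejected); each rejected entry carries a reason.

    zone is the zone the queried server is authoritative for (the bailiwick).
    Records are processed in message order, so authority NS records are seen
    before the additional-section glue that refers to them.
    """
    qname = norm(qname)
    accepted: list[RR] = []
    rejected: list[tuple[RR, str]] = []
    wanted = {qname}            # names we asked about, extended along a CNAME chain
    ns_names: set[str] = set()  # NS targets listed in the authority section

    for rr in rrs:
        owner = norm(rr.name)
        if not in_bailiwick(owner, zone):
            rejected.append((rr, "out of bailiwick"))
        elif rr.section == "answer":
            if owner not in wanted:
                rejected.append((rr, "unsolicited answer record"))
            elif rr.rtype == "CNAME":
                wanted.add(norm(rr.rdata))
                accepted.append(rr)
            elif rr.rtype == qtype:
                accepted.append(rr)
            else:
                rejected.append((rr, "answer type does not match question"))
        elif rr.section == "authority":
            if rr.rtype in ("NS", "SOA"):
                if rr.rtype == "NS":
                    ns_names.add(norm(rr.rdata))
                accepted.append(rr)
            else:
                rejected.append((rr, "non-delegation record in authority section"))
        else:  # additional: only address glue for name servers named in authority
            if rr.rtype in ("A", "AAAA") and owner in ns_names:
                accepted.append(rr)
            else:
                rejected.append((rr, "additional record is not glue for a listed NS"))
    return accepted, rejected


# Constructed response to "www.example.com A" from a server authoritative for example.com.
SAMPLE = [
    RR("www.example.com", "A", "192.0.2.10", "answer"),
    RR("mail.example.com", "A", "192.0.2.20", "answer"),        # never asked for
    RR("login.bank.example", "A", "198.51.100.7", "answer"),    # outside example.com
    RR("example.com", "NS", "ns1.example.com", "authority"),
    RR("ns1.example.com", "A", "192.0.2.53", "additional"),     # legitimate glue
    RR("www.example.com", "A", "203.0.113.9", "additional"),    # would shadow the real A
]

if __name__ == "__main__":
    ok, bad = filter_cacheable("www.example.com", "A", "example.com", SAMPLE)
    for rr in ok:
        print("cache  ", rr.section, rr.name, rr.rtype, rr.rdata)
    for rr, why in bad:
        print("reject ", rr.section, rr.name, rr.rtype, rr.rdata, "->", why)
```

Three of the six records survive: the answer actually asked for, the delegation, and its glue. The two injected A records and the out-of-zone name are exactly the kind of unsolicited data a lenient resolver would have cached.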

Organizations should upgrade to a patched BIND 9 release immediately: 9.18.41, 9.20.15, or 9.21.14.

Supported Preview Edition users should upgrade to 9.18.41-S1 or 9.20.15-S1. ISC is not aware of active exploitation at the time of disclosure, and no workarounds are available, so patching is the only mitigation.
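A quick way to triage a fleet is to compare each server's version banner against the fixed releases named above. The script below is an added example for this article, not an ISC tool. The fixed-version table is taken from the advisory; how it treats other branches is an assumption stated in the code (branches older than 9.18 are reported as end of life, branches newer than those listed as unknown rather than guessed). The banners it checks are constructed sample input; on a real server the same string comes from `named -v` or, where the operator has not hidden it, from `dig +short version.bind CHAOS TXT @resolver`.

```python
"""Classify BIND version banners against the October 2025 fixed releases
(added example, not an ISC tool).

Fixed versions from the advisory: 9.18.41, 9.20.15, 9.21.14, and 9.18.41-S1 /
9.20.15-S1 for the Supported Preview Edition. Everything else in this file
(EOL handling, sample banners) is an assumption made for the example.
"""

import re

# Minimum fixed version per maintained branch, keyed by (major, minor).
FIXED = {
    (9, 18): (9, 18, 41),
    (9, 20): (9, 20, 15),
    (9, 21): (9, 21, 14),
}
# Supported Preview Edition ("-S1") builds; there is no 9.21 preview edition.
FIXED_PREVIEW = {
    (9, 18): (9, 18, 41),
    (9, 20): (9, 20, 15),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?\b")


def parse_version(banner: str):
    """Extract (major, minor, patch, is_preview) from a banner such as
    'BIND 9.18.40 (Extended Support Version) <id:...>' or '9.20.14-S1'.
    Returns None if the string carries no version number."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def patch_status(banner: str) -> str:
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for a banner.

    Assumption (not from the advisory): branches older than 9.18 are end of
    life and receive no fix, so they are reported as 'eol'; branches that are
    not in the table and not older are reported as 'unknown'."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    major, minor, patch, preview = v
    table = FIXED_PREVIEW if preview else FIXED
    branch = (major, minor)
    if branch in table:
        return "patched" if (major, minor, patch) >= table[branch] else "vulnerable"
    if branch < (9, 18):
        return "eol"
    return "unknown"


# Constructed sample banners for the demonstration (not real hosts).
BANNERS = {
    "BIND 9.18.40 (Extended Support Version) <id:>": "vulnerable",
    "BIND 9.18.41 (Extended Support Version) <id:>": "patched",
    "9.20.14-S1": "vulnerable",
    "9.20.15-S1": "patched",
    "BIND 9.21.14 (Development Release) <id:>": "patched",
    "BIND 9.16.50 (Extended Support Version) <id:>": "eol",
}


def check_all(banners=BANNERS) -> dict[str, str]:
    """Map each banner to its patch status."""
    return {b: patch_status(b) for b in banners}


if __name__ == "__main__":
    for banner, status in check_all().items():
        print(f"{status:10s} {banner}")
```

Note that a version check only tells you the build is old enough to be affected; a distribution that backports fixes may report an older version string while carrying the patch, so confirm against the vendor's own advisory in that case.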

Researchers from Tsinghua University and Nankai University discovered and reported these issues, continuing a run of academic security research focused on DNS infrastructure.
