On October 28, 2025, proof-of-concept (POC) exploit code for CVE-2025-40778 was released, demonstrating how a remote, unauthenticated user could poison Domain Name System (DNS) caches in vulnerable BIND 9 (Berkeley Internet Name Domain version 9) resolvers.
BIND is the most widely deployed DNS software suite, used globally by enterprises, service providers, and managed service providers to resolve domain names into IP addresses.
According to Internet Systems Consortium (ISC), which disclosed the vulnerability on October 22, CVE-2025-40778 affects supported versions of BIND 9 from 9.11.0 through 9.21.12, including Supported Preview Editions. Authoritative-only servers are not impacted, but any resolver performing recursive queries is exposed.
The flaw allows attackers to inject forged DNS records into resolver caches by exploiting BIND’s acceptance of unsolicited resource records. This enables redirection of user traffic to malicious infrastructure without requiring network access or user interaction.
This type of attack, known as DNS cache poisoning, became a major concern in 2008 following the Kaminsky vulnerability, which led to the introduction of defenses such as randomized query IDs and source ports.
CVE-2025-40778 bypasses those protections by targeting how BIND handles unexpected records. The vulnerability carries a CVSS v3.1 score of 8.6, indicating high severity. In the worst-case scenario, all DNS traffic could be redirected to attacker-controlled endpoints, enabling phishing, malware delivery, or traffic interception.
The vulnerability was responsibly disclosed by researchers from Tsinghua University in China. ISC issued early notifications on October 8, revised patch details on October 15, and finalized disclosure on October 22.
The following patched versions are now available:
There are no known workarounds. ISC recommends upgrading to the patched release that matches the deployed version.
Analyst insight
This issue affects millions of systems and reopens a critical attack surface. Recursive resolvers remain a high-value target due to their role in directing internet traffic. BIND has previously been exploited through cache poisoning and denial-of-service vulnerabilities, often resulting in traffic redirection and service disruption.
As of October 28, no active exploitation has been confirmed, but the release of exploit code and the scale of exposed instances increase the likelihood of opportunistic attacks.
Administrators should prioritize patching internet-facing resolvers and confirm that recursive queries are disabled on authoritative-only servers. Monitoring for anomalous DNS behavior and implementing Domain Name System Security Extensions, where possible, may reduce exposure. Patch deployment and resolver configuration audits are recommended to mitigate risk.
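The following named.conf fragment is an added example, not configuration from ISC or from this advisory, showing the weak default beside the hardened settings for the two recommendations above (no recursion on authoritative-only servers, DNSSEC validation on resolvers); the directory path, the ACL name `trusted` and the 192.0.2.0/24 network are assumed values. It does not substitute for upgrading, since the page notes there is no workaround for the flaw itself.

```conf
// Added example (not from ISC or the advisory): BIND 9 options for a
// server that should be authoritative-only. Upgrading to a patched
// release is still required; this only removes the recursive role
// that CVE-2025-40778 targets from a host that never needed it.

// Weak: recursion enabled (the BIND default) on a server meant to be
// authoritative-only, so the host also runs a cache that can be poisoned.
// options {
//     recursion yes;
// };

// Hardened: no recursion, so there is no resolver cache on this host.
options {
    directory "/var/named";        // assumed path
    recursion no;                  // refuse recursive queries outright
    allow-recursion { none; };     // no client may recurse, even if enabled later
    allow-query-cache { none; };   // nothing may be read from a cache either
};

// For a host that must recurse, limit who can use it and enable DNSSEC
// validation so forged answers for signed zones are rejected.
// (BIND allows a single options block, so this alternative is commented out.)
// acl "trusted" { 192.0.2.0/24; };   // constructed example network
// options {
//     recursion yes;
//     allow-recursion { "trusted"; };
//     dnssec-validation auto;
// };
```

Validate the file with named-checkconf before reloading; after the reload, a query to the authoritative-only host for a name it does not serve should come back without the `ra` flag set.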