PT-2025-43372 · Isc+10 · Bind+10
Published: 2025-10-22 · Updated: 2026-03-15 · CVE-2025-40778
CVSS v3.1: 8.6 High (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)
Name of the Vulnerable Software and Affected Versions
BIND versions 9.11.0 through 9.16.50
BIND versions 9.18.0 through 9.18.39
BIND versions 9.20.0 through 9.20.13
BIND versions 9.21.0 through 9.21.12
BIND Supported Preview Edition versions 9.11.3-S1 through 9.16.50-S1
BIND Supported Preview Edition versions 9.18.11-S1 through 9.18.39-S1
BIND Supported Preview Edition versions 9.20.9-S1 through 9.20.13-S1
Description
BIND is susceptible to a cache poisoning issue where it improperly handles DNS responses, allowing attackers to inject forged data into the cache. This can lead to redirection of users to malicious sites without their knowledge, potentially enabling phishing attacks, credential theft, and malware distribution. A proof-of-concept exploit is publicly available. Over 706,000 systems and potentially up to 5,900 exposed instances are estimated to be vulnerable. The issue occurs when BIND accepts unsolicited resource records, violating standard DNS security principles. The vulnerability allows off-path attackers to manipulate DNS resolution, potentially redirecting traffic to attacker-controlled infrastructure. The forwarders component is involved in the vulnerability.
Recommendations
Upgrade to BIND version 9.18.41
Upgrade to BIND version 9.20.15
Upgrade to BIND version 9.21.14 or later
Upgrade to BIND Supported Preview Edition version 9.18.41-S1
Upgrade to BIND Supported Preview Edition version 9.20.15-S1
Restrict recursion to trusted clients
Enable DNSSEC validation
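An added example, not part of the advisory or of ISC's tooling: a Python check that compares a version string, such as the output of `named -v`, against the affected ranges listed above. The function names and sample strings are constructed for illustration; distribution packages may carry backported fixes under an older version number, so a match means "confirm with the vendor's package advisory", not proof of exposure.

```python
import re

# Inclusive affected ranges, copied from the advisory text above.
AFFECTED = [
    ((9, 11, 0), (9, 16, 50)),
    ((9, 18, 0), (9, 18, 39)),
    ((9, 20, 0), (9, 20, 13)),
    ((9, 21, 0), (9, 21, 12)),
]
# Supported Preview Edition (-S suffix) is listed with its own lower bounds.
AFFECTED_SPE = [
    ((9, 11, 3), (9, 16, 50)),
    ((9, 18, 11), (9, 18, 39)),
    ((9, 20, 9), (9, 20, 13)),
]

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_version(text):
    """Return ((major, minor, patch), is_preview_edition) from a version string."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError(f"no BIND version found in {text!r}")
    numbers = tuple(int(part) for part in match.group(1, 2, 3))
    return numbers, match.group(4) is not None


def is_affected(text):
    """True if the version falls inside a range the advisory lists as affected."""
    numbers, preview = parse_version(text)
    ranges = AFFECTED_SPE if preview else AFFECTED
    # Versions outside every listed range (including branches the advisory
    # does not mention) return False: "not listed", not "known safe".
    return any(low <= numbers <= high for low, high in ranges)


if __name__ == "__main__":
    # Constructed sample strings, shaped like `named -v` output.
    for sample in ("BIND 9.18.39 (Extended Support Version)",
                   "BIND 9.18.41-S1",
                   "BIND 9.20.15"):
        print(sample, "->", "affected" if is_affected(sample) else "not listed")
```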
Exploit
Fix
DoS
Affected Products
ALT Linux
AlmaLinux
BIND
CentOS
IBM AIX
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu