High-severity cache-poisoning vulnerability in BIND 9; patches issued after PoC published


A high-severity vulnerability, CVE-2025-40778, affecting BIND 9 recursive resolvers could be leveraged by remote, unauthenticated attackers to poison a resolver's cache with forged records, redirecting clients that trust that resolver to attacker-controlled hosts in order to distribute malware or intercept traffic. A proof-of-concept exploit has been published, raising the urgency for administrators to patch internet-facing resolvers.

BIND 9 is the actively maintained version of the Berkeley Internet Name Domain DNS software produced by the Internet Systems Consortium; it can run as an authoritative server that stores domain records and as a recursive resolver that performs lookups on behalf of clients and caches the responses. Resolvers are commonly operated by ISPs, organizations and private networks to handle DNS requests, and it is this resolver role, with its cache of previously resolved answers, that the flaw concerns.

The Internet Systems Consortium explains that the vulnerability arises because “under certain circumstances, BIND is too lenient when accepting records from answers”. In practice this means a resolver could accept, and cache, records from a response that it should have discarded, so an attacker who can get forged data into a response during a query can have the resolver serve that forged name-to-address mapping to every client that asks until the cache entry expires.

The flaw affects various BIND 9 and BIND Supported Preview Edition versions and has been fixed in BIND 9 versions 9.18.41, 9.20.15 and 9.21.14, and in BIND Supported Preview Edition versions 9.18.41-S1 and 9.20.15-S1. The fixes also address an additional cache poisoning vulnerability and an issue that can lead to denial of service.

There are no known workarounds, so administrators have been advised to upgrade to the patched release closest to their current version; many Linux distributions have already integrated or will soon distribute fixes. Pending the upgrade, the German Federal Office for Information Security (BSI) advised operators of recursive DNS servers to restrict recursion to trusted clients, enable DNSSEC validation, monitor cache contents for unexpected records and cap the maximum caching time at 24 hours or less. These measures reduce exposure and shorten the life of any poisoned entry rather than removing the flaw: restricting recursion limits who can trigger the lookups an attacker needs, DNSSEC validation rejects forged data only for zones that are signed, and a lower cache TTL cap bounds how long a forged record persists once it is in.
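The two practical checks that follow from the paragraphs above, the fixed-release table and the BSI hardening advice, as an added example (not ISC's code or anything published with the advisory): a version check against the fixed releases named for each maintenance branch, a small audit of a `named.conf` options block for the three BSI settings, and a scan of an `rndc dumpdb -cache` style dump for records that do not match an allow-list. The configuration fragments and the cache dump are constructed for the example, the TTL parser assumes a single number with an optional `s`/`m`/`h`/`d`/`w` suffix, and the comment stripper assumes `//`, `#` and `/* */` comments only.

```python
# Added example, not ISC's code: check a BIND 9 resolver against the fixed
# releases named above and the BSI hardening advice. Sample inputs below are
# constructed for the example; assumptions are marked in comments.
import re

# Fixed releases per maintenance branch. Supported Preview Edition builds
# (-S1) share the base version, so suffixes are ignored in the comparison.
FIXED_VERSIONS = {(9, 18): (9, 18, 41), (9, 20): (9, 20, 15), (9, 21): (9, 21, 14)}

def is_patched(named_v_output):
    """True if `named -v` output shows a version at or above the fix for its
    branch, False if older, None if the branch is not in the table (EOL or
    unparseable: review by hand). Caveat: distributions backport fixes without
    bumping the upstream version, so False means "check the distro changelog"."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", named_v_output)
    if not m:
        return None
    version = tuple(int(g) for g in m.groups())
    fixed = FIXED_VERSIONS.get(version[:2])
    return None if fixed is None else version >= fixed

def parse_ttl(value):
    """BIND TTL-style duration ('86400', '1d', '12h') to seconds. Assumption:
    one number with an optional s/m/h/d/w suffix (no '1d12h' chains)."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    if not m:
        raise ValueError("unrecognised duration: %r" % value)
    return int(m.group(1)) * units[m.group(2)]

def audit_named_conf(conf_text, ttl_limit=86400):
    """Check named.conf text for the three BSI settings; returns
    {check: True (ok) | False (weak or missing)}."""
    # Strip comments first so a commented-out setting is not read as live.
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)

    def setting(name):
        m = re.search(r"\b%s\s+([^;]+);" % re.escape(name), text)
        return m.group(1).strip() if m else None

    allow_rec, max_ttl = setting("allow-recursion"), setting("max-cache-ttl")
    return {
        # recursion must be limited to an explicit ACL, never the built-in "any"
        "recursion_restricted": allow_rec is not None
        and re.search(r"\bany\b", allow_rec) is None,
        "dnssec_validation": setting("dnssec-validation") in ("auto", "yes"),
        # named's default max-cache-ttl is 7 days; BSI asks for 24h or less
        "max_cache_ttl_capped": max_ttl is not None
        and parse_ttl(max_ttl) <= ttl_limit,
    }

def unexpected_cache_records(dump_text, expected):
    """Scan an `rndc dumpdb -cache` style dump (master-file lines of the form
    name ttl class type rdata) and return (name, type, rdata) for watched
    names whose rdata is outside `expected`, a {(name, type): {rdata, ...}}
    allow-list. Comment (';') and directive ('$') lines are skipped."""
    hits = []
    for line in dump_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0][0] in ";$" or fields[2] != "IN":
            continue
        name, rtype, rdata = fields[0].lower(), fields[3], " ".join(fields[4:])
        allowed = expected.get((name, rtype))
        if allowed is not None and rdata not in allowed:
            hits.append((name, rtype, rdata))
    return hits

# Constructed samples: a weak options block beside a hardened one.
WEAK_CONF = """
options {
    recursion yes;
    allow-recursion { any; };      // open resolver
    dnssec-validation no;
    /* max-cache-ttl left at the 7-day default */
};
"""
HARDENED_CONF = """
acl trusted { 127.0.0.0/8; 10.0.0.0/8; };
options {
    recursion yes;
    allow-recursion { trusted; };
    dnssec-validation auto;
    max-cache-ttl 1d;              // BSI: 24 hours or less
    max-ncache-ttl 1h;
};
"""
# Constructed cache dump with one record that does not match the allow-list.
CACHE_DUMP = """
; Cache dump of view '_default' (cache _default)
$DATE 20251030120000
login.example.  300 IN A 203.0.113.10
login.example.  300 IN A 198.51.100.7
mail.example.   300 IN MX 10 mx.example.
"""
EXPECTED = {("login.example.", "A"): {"203.0.113.10"}}
```

Run `is_patched(...)` on the output of `named -v`, `audit_named_conf(...)` on the contents of `named.conf` (the weak sample fails all three checks, the hardened one passes), and `unexpected_cache_records(...)` on a dump written by `rndc dumpdb -cache`; in the constructed dump the second A record for `login.example.` is reported because it is not on the allow-list. A False from the version check is a prompt to read the distribution's changelog, not proof of exposure, since backported fixes keep the older upstream version string; and the cache scan only covers names you have listed, so it is a spot check for high-value records, not a substitute for the upgrade.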

There have been no reported active exploitations of the flaw to date, but the availability of public proof-of-concept code has raised the risk to unpatched resolvers and prompted calls for immediate updates to internet-facing systems.