BIND 9 DNS Cache Poisoning Flaws Expose Global Infrastructure
ISC disclosed multiple high-severity vulnerabilities in BIND 9, including CVE-2025-40778 and CVE-2025-40780, which enable DNS cache poisoning, and CVE-2025-8677, which can cause denial of service through malformed DNSKEY records. The issues arise from overly permissive handling of unsolicited resource records and weaknesses in the resolver's pseudo-random number generator, allowing attackers to inject forged responses or predict transaction parameters. Successful exploitation could redirect users to attacker-controlled hosts, intercept traffic, or degrade resolver availability at scale. ISC has released patched versions (9.18.41, 9.20.15, 9.21.14). Defenders should prioritize upgrading recursive resolvers, enabling DNSSEC validation, and applying strict bailiwick checking. Monitoring should look for anomalous spikes in negative caching, unexpected authority changes, and sudden shifts in resolved IPs for high-value names. Given BIND's wide deployment among ISPs and enterprises, timely patching is essential to preserve DNS integrity.
CORTEX Protocol Intelligence Assessment
Business Impact: High — cache poisoning of resolvers can enable large-scale redirection and interception.
Technical Context: PRNG predictability and unsolicited record acceptance undermine resolver trust.
Strategic Intelligence Guidance
- Upgrade BIND 9 instances to the patched versions (9.18.41, 9.20.15, 9.21.14) immediately.
- Enable DNSSEC validation and strict bailiwick checking on recursive resolvers.
- Monitor resolver logs for anomalous authority changes and sudden IP mappings.
- Segment DNS infrastructure and implement diverse resolver implementations to reduce blast radius.
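A baseline-drift check of the kind the monitoring guidance above calls for, written here as an added example that is not taken from SOC Prime's or ISC's material. It keeps a per-name baseline of the A record set and the NS (authority) set a resolver has been returning and flags a snapshot whose answers share nothing with that baseline; the snapshot records are constructed, and feeding them from resolver logs or periodic probes is an assumption about the deployment.

```python
"""Flag sudden shifts in resolved IPs or authority for high-value names.

Added example, not code from the advisory or from BIND. Snapshots are
assumed to arrive in chronological order; they are constructed here.
"""
from collections import defaultdict

# Constructed observations: (timestamp, qname, rrtype, rdata).
# In a real deployment these would come from resolver response logs or
# scheduled probes against the recursive resolver (assumption).
SNAPSHOTS = [
    ("t0", "bank.example", "A", "192.0.2.10"),
    ("t0", "bank.example", "A", "192.0.2.11"),
    ("t0", "bank.example", "NS", "ns1.bank.example."),
    ("t1", "bank.example", "A", "192.0.2.10"),
    ("t1", "bank.example", "A", "192.0.2.11"),
    ("t1", "bank.example", "NS", "ns1.bank.example."),
    ("t2", "bank.example", "A", "198.51.100.99"),        # whole answer set moved
    ("t2", "bank.example", "NS", "ns.unexpected.example."),  # authority changed
]

def build_views(snapshots):
    """Group rdata into {(timestamp, qname, rrtype): frozenset(rdata)},
    preserving first-seen order of each (timestamp, qname, rrtype) key."""
    views = defaultdict(set)
    for ts, qname, rrtype, rdata in snapshots:
        views[(ts, qname, rrtype)].add(rdata)
    return {key: frozenset(vals) for key, vals in views.items()}

def detect_shifts(snapshots, baseline_window=2):
    """Return (ts, qname, rrtype, baseline, current) for every snapshot whose
    rdata set has no overlap with the union of the previous `baseline_window`
    sets for the same name and type. Gradual rotation (partial overlap)
    is tolerated; a complete replacement of answers or NS set is not."""
    views = build_views(snapshots)
    history = defaultdict(list)  # (qname, rrtype) -> [rdata sets, oldest first]
    alerts = []
    for (ts, qname, rrtype), current in views.items():
        past = history[(qname, rrtype)]
        if past:
            baseline = frozenset().union(*past[-baseline_window:])
            if not (current & baseline):
                alerts.append((ts, qname, rrtype, sorted(baseline), sorted(current)))
        past.append(current)
    return alerts

if __name__ == "__main__":
    for ts, qname, rrtype, old, new in detect_shifts(SNAPSHOTS):
        print(f"[{ts}] {qname}/{rrtype}: baseline {old} -> now {new}")
```

Correlating an A-record shift with a simultaneous NS shift for the same name, as in the t2 snapshot, is the stronger signal; a lone A change is often just legitimate re-hosting.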
Intelligence Source: CVE-2025-40778 and CVE-2025-40780: Cache Poisoning Vulnerabilities in BIND 9 Expose DNS Servers to the Risk of Attacks | SOC Prime | Oct 24, 2025