Mallory severity: High

BIND 9 DNS Cache Poisoning via Predictable Source Port and Query ID

Identifiers: CVE-2025-40780, CWE-341 (Predictable from Observable State)

CVE-2025-40780 is a vulnerability in BIND 9 caused by a weakness in the pseudo-random number generator (PRNG) used to select the source port and DNS query ID for outgoing resolver queries. These values are key entropy sources used by recursive and forwarding resolvers to validate replies and resist spoofed DNS responses. Under specific circumstances, the PRNG output becomes predictable, allowing an attacker to anticipate the source port and query ID that BIND will use for an outstanding query. With those values predicted, an attacker can race the legitimate upstream response with a forged DNS reply that matches the expected tuple and cause the resolver to accept and cache malicious data. The issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. Available context indicates resolver deployments are affected; there is no indication authoritative-only configurations are impacted.

Analyst brief: impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables DNS cache poisoning on vulnerable BIND resolvers. An attacker can inject forged DNS records into cache, causing subsequent client lookups to resolve to attacker-controlled infrastructure until the poisoned entries expire or are flushed. This can enable traffic redirection, phishing, credential theft, man-in-the-middle opportunities, service disruption, and broader compromise of systems that trust the resolver’s answers. The vulnerability undermines the primary anti-spoofing entropy protections for DNS resolution integrity.

Mitigation

If you can’t patch tonight, do this now.

The provided context states there are no general workarounds for BIND itself and patching is the primary mitigation. Where applicable on F5 BIG-IP DNS, a documented product-specific mitigation is to disable the 'Use BIND Server on the BIG-IP' option in the DNS profile, understanding this may affect configurations that rely on BIND as fallback. More broadly, reducing exposure of recursive resolvers to untrusted clients and monitoring for anomalous cache behavior may reduce risk, but the available content does not present these as complete mitigations.

Remediation

Patch, then assume compromise.

Upgrade BIND 9 to a fixed release. The provided context states ISC released patched versions 9.18.41, 9.20.15, and 9.21.14, and Supported Preview Edition releases 9.18.41-S1 and 9.20.15-S1. Systems on affected or discontinued branches should be moved to a supported fixed version as soon as possible. For products embedding BIND, apply the vendor-provided update for the affected platform or appliance branch.
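As an added example (not Mallory's or ISC's code), the following Python script checks a `named -v` style version string against the affected ranges and fixed releases listed above and names the fixed release on the same branch, if one is listed. The sample strings are constructed, and the parser assumes the Supported Preview Edition suffix appears exactly as `-S1`, as on this page.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges and fixed releases as listed on this page, keyed by
# edition: "" for the standard release train, "S1" for the Supported Preview Edition.
AFFECTED = {
    "": [((9, 16, 0), (9, 16, 50)), ((9, 18, 0), (9, 18, 39)),
         ((9, 20, 0), (9, 20, 13)), ((9, 21, 0), (9, 21, 12))],
    "S1": [((9, 16, 8), (9, 16, 50)), ((9, 18, 11), (9, 18, 39)),
           ((9, 20, 9), (9, 20, 13))],
}
FIXED = {
    "": [(9, 18, 41), (9, 20, 15), (9, 21, 14)],
    "S1": [(9, 18, 41), (9, 20, 15)],
}

def parse_bind_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Extract (major, minor, patch) and edition from a string such as the first
    line of `named -v`, e.g. "BIND 9.18.30" or "BIND 9.20.10-S1" (constructed
    samples). Distribution suffixes like "-1~deb12u2-Debian" are ignored."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(-S1)?\b", text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    edition = "S1" if m.group(4) else ""
    return version, edition

def is_affected(text: str) -> bool:
    """True if the version falls inside an affected range for its edition.
    Caveat: distributions may backport the fix without changing the upstream
    version number, so True here is a prompt to check the vendor advisory."""
    version, edition = parse_bind_version(text)
    return any(lo <= version <= hi for lo, hi in AFFECTED[edition])

def recommended_fix(text: str) -> Optional[str]:
    """Return the fixed release on the same branch (major.minor) and edition, or
    None when no fixed release is listed for that branch (e.g. 9.16, which must
    be moved to a supported branch)."""
    version, edition = parse_bind_version(text)
    for fixed in FIXED[edition]:
        if fixed[:2] == version[:2]:
            return ".".join(map(str, fixed)) + ("-" + edition if edition else "")
    return None

if __name__ == "__main__":
    for sample in ("BIND 9.18.30", "BIND 9.20.10-S1", "BIND 9.16.50", "BIND 9.18.41"):
        print(sample, "affected" if is_affected(sample) else "not in listed ranges",
              "->", recommended_fix(sample))
```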

Public exploits

No public exploit code observed for this vulnerability.

Exposure surface: affected products & vendors

Products and vendors Mallory has correlated with this vulnerability (vendor-confirmed product mapping).

Vendor: Canonical; Product: Jammy-Stemcell-Azure; Type: operating_system
