HighPublic exploit

BIND 9 Recursive Resolver Cache Poisoning via Lenient Answer Record Acceptance

IdentifiersCVE-2025-40778CWE-349· Acceptance of Extraneous Untrusted…

CVE-2025-40778 is a high-severity cache poisoning vulnerability in BIND 9 affecting recursive resolver deployments. Under certain circumstances, BIND is too lenient when accepting records from DNS answers and may cache unsolicited or extraneous resource records that were not properly solicited by the original query. The issue is described as insufficiently strict acceptance of answer records and is associated with improper bailiwick enforcement, allowing forged data from untrusted responses to be mixed into trusted cache state. A remote attacker who can operate a malicious authoritative nameserver for a queried domain, or who can intercept and influence resolver traffic, can exploit this behavior to inject forged DNS records into the resolver cache. Affected versions are BIND 9 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. The issue affects recursive resolvers; authoritative-only servers are not affected unless recursion is enabled.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote cache poisoning of an affected BIND 9 resolver. Once forged DNS records are inserted into cache, subsequent client queries may be answered with attacker-controlled data until the poisoned entries expire or are flushed. This can enable redirection of users or services to malicious infrastructure, interception or manipulation of traffic, delivery of malware via spoofed update or download endpoints, and disruption or denial of legitimate name resolution. Because BIND is widely deployed in ISP, enterprise, and government environments, compromise of a shared recursive resolver can affect many downstream users and systems.

Mitigation

If you can’t patch tonight, do this now.

ISC states no workaround is available, so patching is the primary mitigation. As risk-reduction measures, limit recursion to trusted clients, disable recursion on authoritative-only servers, and disable use of BIND where the product allows an alternative DNS implementation and BIND is not required. Additional defensive measures mentioned in the content include enabling DNSSEC validation, monitoring cache contents for unexpected records, and reducing maximum cache retention times to limit persistence of poisoned entries.

Remediation

Patch, then assume compromise.

Upgrade BIND 9 to a fixed release. The content indicates fixes are available in BIND 9.18.41, 9.20.15, and 9.21.14, and in Supported Preview Edition releases 9.18.41-S1 and 9.20.15-S1. If running an unsupported or discontinued branch, migrate to a supported fixed branch. Apply vendor and distribution-specific updates where BIND is packaged by the OS or appliance vendor.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

VALID 1 / 2 TOTALView more in app

BIND-9-Cache-Poisoning-PoC---CVE-2025-40778MaturityPoCVerified exploit

Repository is a small proof-of-concept for BIND 9 DNS cache poisoning (CVE-2025-40778) based on injecting unrelated records via the DNS ADDITIONAL section. Structure: - README.md: Detailed lab setup and reproduction steps (compile/install BIND 9.21.12, configure recursion/forwarding, set a forward zone for poc.lab to the attacker at 192.168.174.130, victim resolver settings, and demonstration dig commands). Mentions affected version ranges. - attacker.py: Core PoC. Implements a UDP DNS server (dnslib) that answers only queries for www.poc.lab. with an A record (192.168.174.99) and simultaneously injects an unsolicited ADDITIONAL A record for www.hacker.com. -> 192.168.174.130. For other names it returns NXDOMAIN. This models a malicious authoritative server response intended to be cached by a vulnerable BIND resolver. - server.py: Optional Flask web server bound to 0.0.0.0:443 serving a static HTML page, intended to demonstrate the impact after poisoning (victims redirected to attacker-controlled web content). Exploit capabilities: - Network-based cache poisoning against a recursive BIND resolver by leveraging improper caching/processing of unsolicited ADDITIONAL-section data. - Redirects subsequent DNS lookups for the poisoned hostname to an attacker-chosen IP (traffic redirection / potential phishing / MITM staging). No reverse shell or code execution payload is included; impact is DNS integrity compromise.

sirbuvladsteDisclosed Jan 9, 2026pythonnetwork (DNS cache poisoning against recursive resolver via malicious authoritative response / ADDITIONAL section injection)

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

CanonicalJammy-Stemcell-Azureoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

58 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

58 SOURCESView more in app

scworldNews

Oct 30, 2025

Cybersecurity Is Dead – PSW #898

A cache poisoning vulnerability in BIND 9 via unsolicited answer records, potentially affecting devices that do not cryptographically validate updates.

help net securityNews

Oct 28, 2025

PoC code drops for remotely exploitable BIND 9 DNS flaw (CVE-2025-40778)

A high-severity cache poisoning vulnerability in BIND 9 DNS resolvers that allows remote, unauthenticated attackers to inject forged DNS records, potentially redirecting users to malicious sites or intercepting network traffic.

the hacker newsNews

Oct 27, 2025

⚡ Weekly Recap: WSUS Exploited, LockBit 5.0 Returns, Telegram Backdoor, F5 Breach Widens

A vulnerability listed as trending; no technical details provided in the content.

gbhackersNews

Oct 23, 2025

BIND 9 Vulnerabilities Expose DNS Servers to Cache Poisoning and DoS

A BIND 9 DNS cache-poisoning vulnerability enabling injection of forged DNS records into a resolver cache via acceptance of unsolicited/leniently accepted resource records.

+3 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity47

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-40778

NVD

nvd.nist.gov/vuln/detail/CVE-2025-40778

MITRE CWE · CWE-349

Acceptance of Extraneous Untrusted Data With…

openwall.com

openwall.com/lists/oss-security/2025/10/22/1

gist.github.com

gist.github.com/N3mes1s/f76b4a606308937b0806a5256bc1f918

kb.isc.org

kb.isc.org/docs/cve-2025-40778