In October 2025, the Internet Systems Consortium (ISC) disclosed two high-severity cache poisoning vulnerabilities in BIND 9, the world’s most widely used DNS server software. Both scored CVSS 8.6 and affected an estimated 706,000+ instances.
The Vulnerabilities
CVE-2025-40778 stems from a logic flaw in which BIND 9 improperly accepts unsolicited resource records that fall outside the legitimate authority (the "bailiwick") of the responding DNS server. An attacker can inject poisoned DNS records with as few as one to two packets.
CVE-2025-40780 stems from a weakness in BIND's Pseudo Random Number Generator (PRNG) that makes the source port and query ID predictable — the two main defenses against cache poisoning since the Kaminsky attack of 2008.
A third flaw, CVE-2025-8677 (CVSS 7.5), enables denial-of-service attacks.
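The rule that CVE-2025-40778 concerns is the resolver-side "bailiwick" check: a record from an upstream response is only cacheable if its owner name sits at or below the zone that server is authoritative for. The following is an added illustration of that check (not ISC's or BIND's code); the record set and the zone name are constructed for the example.

```python
# Added example (not BIND's code): a bailiwick filter of the kind a resolver
# must apply before caching records from an upstream response.
# CVE-2025-40778 concerns BIND 9 accepting records that fail this rule.
# All record data below is constructed for illustration.
from typing import NamedTuple, List


class RR(NamedTuple):
    name: str      # owner name, e.g. "www.example.com."
    rtype: str     # record type, e.g. "A"
    rdata: str     # record data, e.g. "192.0.2.10"


def _labels(name: str) -> List[str]:
    """Normalise a domain name into lowercase labels, ignoring a trailing dot."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it (label-wise, not substring)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_response(records: List[RR], zone: str):
    """Split response records into (accepted, rejected) by bailiwick."""
    accepted = [rr for rr in records if in_bailiwick(rr.name, zone)]
    rejected = [rr for rr in records if not in_bailiwick(rr.name, zone)]
    return accepted, rejected


# Constructed response from a server that is authoritative only for example.com.
# It smuggles an unsolicited A record for an unrelated domain into the answer.
SAMPLE_ZONE = "example.com."
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("ns1.example.com.", "A", "192.0.2.53"),
    RR("bank.example.", "A", "198.51.100.7"),     # out of bailiwick: drop
    RR("notexample.com.", "A", "198.51.100.8"),   # substring trap: drop
]

if __name__ == "__main__":
    ok, dropped = filter_response(SAMPLE_RESPONSE, SAMPLE_ZONE)
    for rr in ok:
        print("cache ", rr)
    for rr in dropped:
        print("DROP  ", rr)
```

The "notexample.com." entry shows why the comparison must be done on labels rather than on string suffixes.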
The Impact
Cache poisoning lets attackers redirect users to malicious sites that appear completely legitimate — which is why choosing a DNS provider with DNSSEC support is critical:
- Users type bank.com but land on the attacker's phishing page
- HTTPS certificates won't save you if the attacker has their own cert for the phishing domain
- The attack is invisible to the end user
Patch Now
ISC released patches in BIND 9.18.41, 9.20.15, and 9.21.14. If you run BIND, update immediately. If you prefer not to manage your own DNS software, consider a managed DNS hosting service that handles patching and security for you. There are no workarounds — patching is the only fix.
Check your version: named -v
Sources: ISC Advisory CVE-2025-40778, ISC Advisory CVE-2025-40780, SecurityWeek