Cache-Poisoning Vulnerability in BIND 9 by ISC
CVE-2025-40776

8.6 HIGH

Key Information:

Vendor

ISC

Status
Vendor
CVE Published:
16 July 2025

Badges

📈 Score: 322 · 👾 Exploit Exists · 📰 News Worthy

What is CVE-2025-40776?

CVE-2025-40776 is a vulnerability identified in BIND 9, the widely used DNS (Domain Name System) software developed by the Internet Systems Consortium (ISC). BIND 9 is commonly deployed as a caching resolver, translating human-readable domain names into IP addresses on behalf of clients and thereby underpinning web traffic and many other internet services. The vulnerability arises specifically in configurations where the caching resolver is set to send EDNS Client Subnet (ECS) options, which can make cache-poisoning attacks easier to carry out. Such attacks can misdirect user traffic to malicious servers, jeopardizing data integrity and leading to unauthorized access. The affected versions are 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1.

Potential impact of CVE-2025-40776

  1. Data Manipulation and Misdirection: Exploitation of this vulnerability can allow attackers to inject false DNS responses into the cache, so that end users are directed to fraudulent sites. This poses a significant risk of data theft and phishing.

  2. Service Interruptions: By manipulating DNS caches, attackers can disrupt legitimate services, causing downtime or degraded service for businesses and individuals and harming revenue and user trust.

  3. Broader Network Compromise: Once an attacker has redirected traffic through cache poisoning, they can potentially move further into the network, leading to additional exposures, data breaches, and malware installation. This chain effect puts entire organizational infrastructures at risk.

Affected Version(s)

BIND 9 9.11.3-S1 <= 9.16.50-S1

BIND 9 9.18.11-S1 <= 9.18.37-S1

BIND 9 9.20.9-S1 <= 9.20.10-S1

News Articles

CVE-2025-40776: Birthday Attack against Resolvers supporting ECS

A resolver configured to send ECS options to authoritative servers can be compelled to make queries that slightly increase the odds of guessing the source port and other details necessary to bypass the original birthday cache poisoning attack mitigations. As a result of this weakness, a resolver wit...

2 days ago

References

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 📰 First article discovered by ISC KB

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability reserved

Credit

ISC would like to thank Xiang Li from AOSP Lab of Nankai University for bringing this vulnerability to our attention.