BIND 9 Vulnerability in DNSKEY Record Processing by ISC
CVE-2025-8677

7.5HIGH

Key Information:

Vendor

ISC

Status
Vendor
CVE Published:
22 October 2025

Badges

Exploit Exists, News Worthy

What is CVE-2025-8677?

CVE-2025-8677 is a critical vulnerability found in BIND 9, a widely used domain name system (DNS) server developed by the Internet Systems Consortium (ISC). BIND 9 is a vital component in resolving domain names to IP addresses, enabling users to reach websites and services. The vulnerability arises when BIND 9 processes malformed DNSKEY records in a specially crafted zone, which can drive CPU utilization to excessive levels and exhaust system resources. Such a condition would significantly impair the DNS service, resulting in downtime and disrupted access for users relying on the affected infrastructure. Organizations running BIND 9 versions from 9.18.0 through 9.21.12 (see the affected version ranges below) are at risk, as these versions are susceptible to this flaw.

Potential impact of CVE-2025-8677

  1. Service Disruption: The most immediate impact of this vulnerability is the potential for service outages caused by CPU exhaustion. A successful exploit could incapacitate DNS services, leading to significant interruptions in internet connectivity and services for end-users.

  2. Resource Exhaustion: As the vulnerability facilitates excessive utilization of CPU resources, organizations may encounter performance degradation across their systems. This could hinder not only DNS functions but also impact other dependent services, leading to a broader systemic slowdown.

  3. Increased Attack Surface: With the risk of this vulnerability being actively exploited, organizations may find their systems more attractive targets for further malicious activities, including attacks from ransomware groups. The disruption caused by this vulnerability may create opportunities for additional exploits or security breaches, exacerbating the overall risk landscape.

Affected Version(s)

BIND 9 9.18.0 through 9.18.39 (inclusive)

BIND 9 9.20.0 through 9.20.13 (inclusive)

BIND 9 9.21.0 through 9.21.12 (inclusive)
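A defender's first question is whether a given server falls inside the affected ranges above. The check below is an added example, not ISC's code: it parses the version string from a `named -v` banner (the banner format in the sample is assumed) and compares it against the three inclusive ranges listed in this advisory, treating each branch separately so that, for instance, 9.18.40 and 9.20.14 are correctly reported as outside the ranges.

```python
import re

# Affected ranges as listed in this advisory, inclusive on both ends,
# expressed as (major, minor, patch) tuples so they compare lexicographically.
AFFECTED_RANGES = [
    ((9, 18, 0), (9, 18, 39)),
    ((9, 20, 0), (9, 20, 13)),
    ((9, 21, 0), (9, 21, 12)),
]

# Matches the version triple in banners such as
# "BIND 9.18.39 (Extended Support Version) <id:...>" (format assumed).
_VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)")


def parse_bind_version(banner):
    """Return (major, minor, patch) from a named -v banner, or None if absent."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if the version tuple lies inside one of the advisory's ranges."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def check_banner(banner):
    """Classify a banner as 'affected', 'not affected' or 'unknown'.

    'not affected' means only that the version is outside the ranges this
    advisory lists; releases older than 9.18.0 are not covered by the advisory.
    """
    version = parse_bind_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


if __name__ == "__main__":
    # Constructed sample banners, one per branch plus a fixed release.
    for sample in ("BIND 9.18.39 (Extended Support Version) <id:constructed>",
                   "BIND 9.20.13 (Stable Release) <id:constructed>",
                   "BIND 9.21.13 (Development Release) <id:constructed>"):
        print(f"{sample!r}: {check_banner(sample)}")
```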

News Articles

Multiple BIND 9 DNS Vulnerabilities Enable Cache Poisoning and Denial of Service Attacks

The Internet Systems Consortium (ISC) disclosed three high-severity vulnerabilities in BIND 9 on October 22, 2025, potentially allowing remote attackers to conduct cache poisoning attacks or cause denial-of-service (DoS) conditions on affected DNS resolvers.

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • First article discovered by CybersecurityNews

  • Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One Security and Privacy Laboratory at Nankai University for bringing this vulnerability to our attention.