SOC Prime Bias: Medium

18 Nov 2025 00:23

CVE-2025-40778 and CVE-2025-40780: Cache Poisoning Vulnerabilities in BIND 9

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Analysis

CVE-2025-40778 and CVE-2025-40780 are high-severity cache-poisoning vulnerabilities in BIND 9, the world’s most widely deployed DNS server used by ISPs, enterprises, and government networks. On October 22, 2025, ISC disclosed three remotely exploitable BIND 9 flaws: CVE-2025-40778, CVE-2025-40780 (both CVSS 8.6), and CVE-2025-8677 (CVSS 7.5), all reachable over the network without authentication. CVE-2025-40778 arises from overly permissive handling of unsolicited resource records, allowing recursive resolvers to cache data that violates bailiwick rules and enabling cache poisoning that redirects users to attacker-controlled infrastructure. CVE-2025-40780 weakens source-port and query-ID randomization, making it easier for attackers to predict values and “win” spoofed responses in transit. CVE-2025-8677 complements these issues by abusing malformed DNSKEY records to push CPU usage to 100%, creating DoS conditions that amplify cache-poisoning campaigns.

Investigation

Investigation of CVE-2025-40778, CVE-2025-40780, and CVE-2025-8677 should start with a full inventory of your DNS infrastructure. Identify every BIND 9 recursive resolver, including internal, lab, and “forgotten” instances, and map each server to its exact BIND version and role (recursive, authoritative, forwarder, validating). According to ISC, affected deployments should upgrade to 9.18.41, 9.20.15, or 9.21.14 (or Preview 9.18.41-S1 / 9.20.15-S1). For CVE-2025-40778, hunt for cache-poisoning signals: cached records for names never queried, unexpected additional records, or sudden IP changes for high-value domains without planned DNS updates. For CVE-2025-40780, look for entropy abuse: bursts of spoofed or repeated responses from untrusted IPs, high volumes of similar queries, and client-side TLS or browser warnings. Because CVE-2025-8677 can trigger DoS, monitor for repeated SERVFAIL/timeouts, odd DNSSEC zones, and CPU or latency spikes tied to specific queries.

Mitigation

For CVE-2025-40778, CVE-2025-40780, and CVE-2025-8677, ISC lists no workarounds — patching BIND 9 is the primary defense. Recursive resolvers should be upgraded to 9.18.41, 9.20.15, or 9.21.14, or to Preview builds 9.18.41-S1 / 9.20.15-S1, verifying that distro packages match ISC guidance. At the same time, harden resolver configuration by restricting recursion to trusted clients and internal networks, avoiding open resolvers on the internet, and enforcing strict bailiwick checking with minimal acceptance of additional records. Enable DNSSEC validation on recursive resolvers, monitor failure rates for signs of tampering, and add network-level controls to filter and rate-limit suspicious DNS traffic or rogue resolver activity. Finally, enhance monitoring with alerts on sudden IP changes for critical domains, spikes in SERVFAIL/timeouts, repeated queries, or anomalies in DNSKEY handling that may indicate CVE-2025-8677 exploitation.
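To make the bailiwick rule behind CVE-2025-40778 (and the "strict bailiwick checking" hardening above) concrete, here is an added Python example, not code from SOC Prime or ISC, that applies the acceptance check a resolver should perform before caching a response; the zone name and the records are constructed sample data.

```python
"""Bailiwick check for DNS response records (added example, not BIND's code).

A recursive resolver should only cache a record whose owner name lies within
the zone ("bailiwick") the responding server is authoritative for. Records
outside it, such as unsolicited additional records, must be discarded.
The sample response below is constructed, not captured traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    section: str   # "answer", "authority" or "additional"
    name: str      # owner name
    rtype: str
    rdata: str


def _labels(name: str) -> list[str]:
    """Split a domain name into lower-cased labels, ignoring the root dot."""
    return [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (label-wise, not a
    string suffix, so 'notexample.com' is not under 'example.com')."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_response(records: list[RR], zone: str) -> tuple[list[RR], list[RR]]:
    """Split a response into (accepted, rejected) records by bailiwick."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed response from a server authoritative for example.com
SAMPLE = [
    RR("answer", "www.example.com.", "A", "192.0.2.10"),
    RR("authority", "example.com.", "NS", "ns1.example.com."),
    RR("additional", "ns1.example.com.", "A", "192.0.2.53"),
    # Unsolicited out-of-bailiwick record that must never be cached
    RR("additional", "login.example.net.", "A", "198.51.100.7"),
    # Suffix look-alike: notexample.com is NOT under example.com
    RR("additional", "notexample.com.", "A", "198.51.100.8"),
]

if __name__ == "__main__":
    ok, bad = filter_response(SAMPLE, "example.com")
    for rr in bad:
        print(f"REJECT {rr.section}: {rr.name} {rr.rtype} {rr.rdata}")
```

Running the same check over records pulled from a cache dump (for example the output of `rndc dumpdb -cache`) against the zones you expect each upstream to serve is one way to hunt for the "cached records for names never queried" signal described in the Investigation section.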

Response

If you suspect your DNS infrastructure has been targeted or compromised, possibly via CVE-2025-40778, CVE-2025-40780, or CVE-2025-8677, start by stabilizing and protecting DNS services. Where possible, fail over to patched secondary resolvers and restrict external access to vulnerable ones while keeping them reachable internally for analysis. Flush resolver caches to remove poisoned entries and verify records for high-value internal zones with authoritative sources before reusing them. Validate DNS integrity by checking IP resolutions and DNSSEC status for critical domains (IdPs, email, VPN, admin portals, payments) against registrars and change logs. Preserve BIND logs, system logs, and packet captures for forensic review, hunting for evidence of redirection to phishing sites, fake SSO portals, or rogue mail servers. After patching, redeploy with hardened configs, updated SIEM detections, and brief your teams on DNS cache poisoning risks and new safeguards.
