CVE-2025-40778 and CVE-2025-40780: Cache Poisoning Vulnerabilities in BIND 9 Expose DNS Servers to the Risk of Attacks

Just days after the disclosure of CVE-2025-59230 and CVE-2025-24990 zero-day vulnerabilities in Windows, a new set of critical flaws has emerged, this time targeting the backbone of the Internet’s domain name system. The Internet Systems Consortium (ISC), maintainers of BIND 9, the world’s most widely used DNS software, has revealed three high-severity vulnerabilities that could put users and organizations at risk.
Two of these flaws, CVE-2025-40778 and CVE-2025-40780, allow attackers to poison DNS caches, potentially redirecting users to malicious sites that appear legitimate. These issues arise from a logic error and weaknesses in pseudo-random number generation, undermining the trustworthiness of DNS responses.
The third vulnerability, CVE-2025-8677, could be exploited to trigger denial-of-service (DoS) conditions on affected DNS resolvers, disrupting critical domain resolution services.
More than 35,000 vulnerabilities have been reported globally so far in 2025, and the year-end total could surpass 50,000. Alarmingly, more than one-third of these vulnerabilities are rated as High Severity or Critical, highlighting an increased risk of exploitation and underscoring the urgent need for robust cybersecurity measures.
Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to view the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.
Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.
CVE-2025-40778 and CVE-2025-40780 Analysis
BIND (Berkeley Internet Name Domain), managed by the nonprofit Internet Systems Consortium (ISC), is the world’s most widely used DNS server software, powering critical infrastructure for ISPs, businesses, and governments. Because of its extensive deployment, vulnerabilities in BIND can have far-reaching effects on the global internet.
On October 22, 2025, three critical vulnerabilities were publicly disclosed by ISC, potentially impacting millions of users worldwide. The flaws expose DNS infrastructure to multiple attack vectors that could compromise resolution integrity and availability. Two of the vulnerabilities, CVE-2025-40778 and CVE-2025-40780, carry a CVSS score of 8.6, while CVE-2025-8677 scores 7.5, still classified as high risk. All three can be exploited remotely over the network without authentication, allowing attackers to poison DNS caches, redirect users to malicious websites, intercept communications, or launch denial-of-service attacks.
CVE-2025-40778 arises from BIND 9’s overly permissive handling of unsolicited resource records in DNS responses. Recursive resolvers may cache records that were not explicitly requested, violating the bailiwick rule, under which a resolver should only accept records whose owner names fall within the zone the responding server is authoritative for. An attacker able to influence responses or intercept traffic can inject forged records into the cache. Once poisoned, the resolver returns attacker-controlled data for subsequent queries, potentially redirecting users to malicious sites, intercepting sensitive information, or disrupting services.
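To make the bailiwick rule concrete, here is an added illustration (not ISC's or BIND's code) of the check a resolver applies before caching records from a response: a constructed reply for `www.example.com` from a server authoritative for `example.com` carries two unsolicited records that a permissive resolver would cache and a strict one drops. Names under `.test` are constructed sample values.

```python
from typing import List, Tuple

Record = Tuple[str, str, str, str]  # (owner, rtype, rdata, section)

# Constructed sample: a reply to "www.example.com A" from a server that is
# authoritative for example.com. The last two records were not asked for
# and lie outside the zone, so they must not enter the cache.
SAMPLE_RESPONSE: List[Record] = [
    ("www.example.com.", "A", "192.0.2.10", "answer"),
    ("example.com.", "NS", "ns1.example.com.", "authority"),
    ("ns1.example.com.", "A", "192.0.2.1", "additional"),
    # Unsolicited, out-of-bailiwick record (classic poisoning payload):
    ("login.bank.test.", "A", "203.0.113.5", "additional"),
    # Looks related but is NOT under example.com (label-boundary trick):
    ("example.com.attacker.test.", "A", "203.0.113.6", "additional"),
]


def _labels(name: str) -> tuple:
    """Split a DNS name into lower-cased labels, ignoring the trailing root dot."""
    return tuple(label for label in name.lower().rstrip(".").split(".") if label)


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or is a subdomain of it (label-wise, not substring)."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(zone: str, records: List[Record]):
    """Split a response into records a strict resolver may cache and ones it rejects."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = filter_response("example.com.", SAMPLE_RESPONSE)
    for rec in dropped:
        print("dropped out-of-bailiwick record:", rec)
```

The label-wise comparison matters: a naive `endswith("example.com")` check would wrongly accept `example.com.attacker.test.`.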
CVE-2025-40780 stems from a weakness in BIND’s Pseudo Random Number Generator (PRNG) that allows attackers to predict the source ports and query IDs of outgoing queries. By anticipating these values, an attacker can inject malicious responses into resolver caches more easily, facilitating cache poisoning and enabling redirection of user traffic to attacker-controlled infrastructure.
The security holes described above echo a historic 2008 event, when researcher Dan Kaminsky exposed a severe DNS cache poisoning flaw that allowed attackers to flood resolvers with fake responses and redirect users en masse to malicious sites. The original vulnerability exploited DNS’s limited 16-bit transaction IDs and predictable UDP behavior, which was later fixed by dramatically increasing entropy through randomized ports and transaction numbers. Like Kaminsky’s discovery, the 2025 BIND vulnerabilities highlight the persistent risk of cache poisoning and underscore the ongoing need to secure DNS infrastructure against similar attacks.
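The two paragraphs above both come down to how much entropy an attacker must guess per spoofed reply. The following added check (not ISC's code, and a heuristic rather than a formal randomness test) is one a resolver operator could run over the (source port, query ID) pairs extracted from a packet capture of their own outgoing queries: it scores the raw values and their successive differences, so a fixed port or a counter-style ID shows up even when every value is distinct. Both samples are constructed.

```python
import math
import random
from collections import Counter
from typing import List, Tuple

Observation = Tuple[int, int]  # (source_port, txid) of one outgoing query


def shannon_bits(values: List[int]) -> float:
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def deltas(values: List[int], modulus: int = 1 << 16) -> List[int]:
    """Successive differences; a counter or fixed value collapses these to one symbol."""
    return [(b - a) % modulus for a, b in zip(values, values[1:])]


def assess(observations: List[Observation]):
    """Return entropy metrics, the list of weak fields, and a rough guess-space estimate."""
    n = len(observations)
    ceiling = min(16.0, math.log2(n)) if n else 0.0   # best achievable with n samples
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    metrics = {
        "port": shannon_bits(ports),
        "port_delta": shannon_bits(deltas(ports)),
        "txid": shannon_bits(txids),
        "txid_delta": shannon_bits(deltas(txids)),
    }
    weak = [name for name, bits in metrics.items() if bits < 0.5 * ceiling]
    # Rough bits an attacker must guess per spoofed reply: the weaker view of each field.
    guess_bits = min(metrics["port"], metrics["port_delta"]) + \
                 min(metrics["txid"], metrics["txid_delta"])
    return metrics, weak, guess_bits


# Constructed samples of 2000 outgoing queries each.
_rng = random.Random(2025)
GOOD_SAMPLE = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(2000)]
WEAK_SAMPLE = [(53, i % 65536) for i in range(2000)]   # fixed port, sequential txid

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("weak", WEAK_SAMPLE)):
        metrics, weak, guess_bits = assess(sample)
        print(label, {k: round(v, 1) for k, v in metrics.items()},
              "weak:", weak, "guess bits ~", round(guess_bits, 1))
```

With 2000 samples the ceiling is about 11 bits per field, so a healthy resolver scores near that on all four metrics, while the weak sample scores zero on the port and on the ID differences.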
CVE-2025-8677 involves malformed DNSKEY records in specially crafted zones that can overwhelm resolver CPU resources. Exploitation may severely degrade performance or cause denial-of-service conditions for legitimate users. While authoritative servers are largely unaffected, recursive resolvers remain at risk.
To fully mitigate all three vulnerabilities, organizations should upgrade to the patched BIND 9 versions: 9.18.41, 9.20.15, or 9.21.14, while Preview Edition users should use 9.18.41-S1 or 9.20.15-S1. Currently, no active exploits are known, and no workarounds exist, making timely patching the only effective defense.
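As an added helper (not ISC's code) for the upgrade step, this script compares the version banner printed by `named -v` against the fixed versions listed above, treating a `-S` suffix as the Preview Edition and reporting `None` for branches the advisory summary does not list. The banner strings in the test are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions exactly as listed in the advisory summary above; the bool
# marks the Preview Edition (-S) builds. Branches absent here are not covered.
FIXED = {
    ("9.18", False): (9, 18, 41),
    ("9.20", False): (9, 20, 15),
    ("9.21", False): (9, 21, 14),
    ("9.18", True): (9, 18, 41),   # 9.18.41-S1
    ("9.20", True): (9, 20, 15),   # 9.20.15-S1
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_named_version(banner: str) -> Tuple[Tuple[int, int, int], bool]:
    """Extract (major, minor, patch) and the Preview Edition flag from a `named -v` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no BIND version found in banner: {banner!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return version, m.group(4) is not None


def is_patched(banner: str) -> Optional[bool]:
    """True if at/after the fixed release for its branch, False if older, None if branch unlisted."""
    version, preview = parse_named_version(banner)
    key = (f"{version[0]}.{version[1]}", preview)
    if key not in FIXED:
        return None
    return version >= FIXED[key]


if __name__ == "__main__":
    banner = subprocess.run(["named", "-v"], capture_output=True, text=True).stdout
    verdict = is_patched(banner)
    print(banner.strip())
    print({True: "patched", False: "UPGRADE REQUIRED", None: "branch not listed; check ISC advisory"}[verdict])
```

Distribution packages often backport security fixes without changing the upstream version number, so on such systems the package changelog, not this comparison, is authoritative.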
Given the growing threat of vulnerability exploitation in widely used software, organizations are seeking effective methods to strengthen their proactive security posture and stay one step ahead of adversaries. SOC Prime curates a complete product suite for enterprise-ready security backed by AI, automation, and real-time threat intelligence, helping global organizations outpace the cyber threats they anticipate most.