CVE Alert: CVE-2025-40780 – ISC – BIND 9

Risk verdict

High risk of remote DNS cache poisoning due to a weak PRNG, with no known active exploits but substantial potential impact; patching is strongly advised.

Why this matters

If an attacker can poison the cache, they can redirect or mislead clients on name lookups, enabling MITM, phishing, or data tampering at scale. The integrity impact is high, and exploitation could affect any resolver serving affected domains, including internet-facing and internal gateways.

Most likely attack path

A network attacker, without privileges or user interaction, can predict source ports and query IDs and spoof responses to beat legitimate replies. Successful poisoning changes cached results for queried domains and can persist while caches refresh, potentially enabling subsequent follow-on attacks.

Who is most exposed

Public-facing and internal recursive DNS resolvers running the affected software are at greatest risk, particularly in organisations with Linux/cloud deployments and DNS-heavy infrastructures.

Detection ideas

• spikes of spoofed DNS responses with improbable IDs or ports
• sudden, unexplained cache poisoning events or persistent misrouted lookups
• DNSSEC validation failures or increased resolver errors
• logs showing rapid succession of spoofed responses arriving after legitimate queries

Mitigation and prioritisation

• Apply vendor-patched builds as soon as feasible; follow the advisory guidance for upgrade paths.
• Enable DNSSEC validation on resolvers to mitigate spoofed responses and enforce trust anchors.
• Implement network controls: restrict who can send DNS responses to your resolvers, and ensure robust port randomisation at the OS level.
• Establish monitoring and alerting for anomalous DNS response patterns and cache inconsistencies; plan a staged patch window with testing.