CVE Alert: CVE-2025-40780 – ISC – BIND 9

CVE-2025-40780

HIGH · No exploitation known

In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

CVSS v3.1: 8.6 (AV NETWORK · AC LOW · PR NONE · UI NONE · S CHANGED)
Vendor: ISC
Product: BIND 9
Versions: 9.16.0 through 9.16.50 | 9.18.0 through 9.18.39 | 9.20.0 through 9.20.13 | 9.21.0 through 9.21.12 | 9.16.8-S1 through 9.16.50-S1 | 9.18.11-S1 through 9.18.39-S1 | 9.20.9-S1 through 9.20.13-S1
CWE: CWE-341 Predictable from Observable State
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Published: 2025-10-22T15:48:27.146Z
Updated: 2025-10-22T17:27:49.476Z

AI Summary Analysis

Risk verdict

High risk of remote DNS cache poisoning due to a weak PRNG, with no known active exploits but substantial potential impact; patching is strongly advised.

Why this matters

If an attacker can poison the cache, they can redirect or mislead clients on name lookups, enabling MITM, phishing, or data tampering at scale. The integrity impact is high, and exploitation could affect any resolver serving affected domains, including internet-facing and internal gateways.

Most likely attack path

A network attacker, without privileges or user interaction, can predict source ports and query IDs and spoof responses to beat legitimate replies. Successful poisoning changes cached results for queried domains and can persist while caches refresh, potentially enabling subsequent follow-on attacks.

Who is most exposed

Public-facing and internal recursive DNS resolvers running the affected software are at greatest risk, particularly in organisations with Linux/cloud deployments and DNS-heavy infrastructures.

Detection ideas

  • spikes of spoofed DNS responses with improbable IDs or ports
  • sudden, unexplained cache poisoning events or persistent misrouted lookups
  • DNSSEC validation failures or increased resolver errors
  • logs showing rapid succession of spoofed responses arriving after legitimate queries

Mitigation and prioritisation

  • Apply vendor-patched builds as soon as feasible; follow the advisory guidance for upgrade paths.
  • Enable DNSSEC validation on resolvers to mitigate spoofed responses and enforce trust anchors.
  • Implement network controls: restrict who can send DNS responses to your resolvers, and ensure robust port randomisation at the OS level.
  • Establish monitoring and alerting for anomalous DNS response patterns and cache inconsistencies; plan a staged patch window with testing.
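
To decide which resolvers go into the patch window first, a version banner (such as the output of `named -v`) can be checked against the affected ranges listed in this alert. The following is an added example, not code from ISC or from this site; the function names and the sample banners in the usage note are constructed.

```python
import re

# Affected ranges copied from this alert (inclusive bounds).
# Key: (major, minor, is_S_edition) -> (lowest patch, highest patch)
AFFECTED = {
    (9, 16, False): (0, 50),
    (9, 18, False): (0, 39),
    (9, 20, False): (0, 13),
    (9, 21, False): (0, 12),
    (9, 16, True): (8, 50),
    (9, 18, True): (11, 39),
    (9, 20, True): (9, 13),
}

# Finds "9.18.39" or "9.18.39-S1" in a banner. The lookbehind stops the
# match from starting in the middle of a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_bind_version(banner):
    """Return (major, minor, patch, is_S_edition) or None if no version found."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_affected(banner):
    """True/False for a parsed version, None when the banner is unparseable.

    False only means "outside the ranges listed in this alert". It says
    nothing about unlisted branches, and a distribution package may carry
    a backported fix without changing the upstream version number.
    """
    parsed = parse_bind_version(banner)
    if parsed is None:
        return None
    major, minor, patch, s_edition = parsed
    bounds = AFFECTED.get((major, minor, s_edition))
    if bounds is None:
        return False
    low, high = bounds
    return low <= patch <= high
```

For example, `is_affected("BIND 9.18.39 (Extended Support Version)")` returns `True` and `is_affected("BIND 9.20.8-S1")` returns `False`; treat a `None` result as "inspect manually" rather than as unaffected.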
