CVE Alert: CVE-2025-8677 – ISC – BIND 9
CVE-2025-8677
Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
AI Summary Analysis
Risk verdict
High risk of remote, unauthenticated CPU exhaustion causing denial of service on vulnerable BIND 9 servers; exploitation is not currently observed, but the vector is feasible.
Why this matters
An attacker needs no privileges and no user interaction, yet can trigger resource exhaustion on internet-facing DNS services. The result is degraded or unavailable DNS resolution for legitimate clients, with potential ripple effects across applications, monitoring, and customer-facing services that rely on timely name resolution.
Most likely attack path
An attacker directs queries at an exposed BIND 9 instance for records in a specially crafted zone whose malformed DNSKEY records force excessive CPU usage. No preconditions or user interaction are required, and the impact is confined to availability (CVSS scope unchanged) rather than data compromise. With no active exploits published, opportunistic, mass-scan attempts are plausible but not confirmed.
Who is most exposed
Organisations operating public-facing or resolver DNS servers running affected BIND 9 versions (9.18.x, 9.20.x, 9.21.x, within the sub-version ranges listed above) in DMZ or internet-facing segments are most at risk; service providers and large enterprises with central DNS infrastructure are especially exposed.
Detection ideas
- Sudden, sustained CPU/memory spikes on DNS servers
- Increased DNSKEY-related query traffic or error logs indicating malformed records
- DNS service slowdown or timeouts correlated with query bursts
- Anomalous zone-transfer or recursion requests appearing at scale
- Alerts from DNS dashboard showing elevated resource usage without corresponding config changes
Mitigation and prioritisation
- Patch to the nearest fixed release: 9.18.41, 9.20.15, 9.21.14 (or the corresponding S1 patches)
- If patching is delayed, implement network-level access controls and rate-limiting for exposed DNS servers
- Enable strict resource limits and monitor DNSKEY query patterns for anomalies
- Schedule targeted testing in staging before production roll-out; prepare rollback plan
- Treat as priority 2 unless active exploitation or KEV/EPSS indicators change status
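To turn the affected ranges and fixed releases quoted above into a repeatable inventory check, here is an added Python example (not from ISC or from this site) that classifies `named -v` style version strings against them; the hostnames and version strings in the sample inventory are constructed, and the fixed -S1 releases are reported only as "counterpart" because the advisory does not name them.

```python
import re

# Affected ranges and fixed releases exactly as the advisory text above states them.
# Key: (branch, subscriber_edition); value: (first_affected, last_affected, fixed_patch).
AFFECTED_RANGES = {
    ("9.18", False): (0, 39, 41),
    ("9.20", False): (0, 13, 15),
    ("9.21", False): (0, 12, 14),
    ("9.18", True): (11, 39, 41),   # 9.18.11-S1 through 9.18.39-S1
    ("9.20", True): (9, 13, 15),    # 9.20.9-S1 through 9.20.13-S1
}

_VERSION_RE = re.compile(r"\b9\.(\d+)\.(\d+)(-S1)?\b")


def parse_bind_version(text):
    """Pull (branch, patch, is_s1) out of a `named -v` style string such as
    'BIND 9.18.30 (Extended Support Version)' or 'BIND 9.20.13-S1'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND 9 version found in {text!r}")
    return f"9.{m.group(1)}", int(m.group(2)), m.group(3) is not None


def assess(text):
    """Classify one version string against the CVE-2025-8677 ranges.

    status is 'affected', 'not_affected' (listed branch, outside its range) or
    'unlisted' (a branch/edition the advisory does not mention); fixed names the
    release to move to, or None when there is nothing to act on."""
    branch, patch, is_s1 = parse_bind_version(text)
    rng = AFFECTED_RANGES.get((branch, is_s1))
    if rng is None:
        return {"version": text, "status": "unlisted", "fixed": None}
    first, last, fixed_patch = rng
    if first <= patch <= last:
        fixed = f"{branch}.{fixed_patch}" + (" (or its -S1 counterpart)" if is_s1 else "")
        return {"version": text, "status": "affected", "fixed": fixed}
    return {"version": text, "status": "not_affected", "fixed": None}


def affected_hosts(inventory):
    """Reduce a {hostname: version_string} inventory to the hosts that need a patch."""
    result = {}
    for host, version in inventory.items():
        verdict = assess(version)
        if verdict["status"] == "affected":
            result[host] = verdict["fixed"]
    return result


if __name__ == "__main__":
    sample = {  # constructed inventory, not real hosts
        "ns1.example.test": "BIND 9.18.30 (Extended Support Version)",
        "ns2.example.test": "BIND 9.20.13-S1",
        "ns3.example.test": "BIND 9.18.41",
    }
    for host, fix in affected_hosts(sample).items():
        print(f"{host}: upgrade to {fix}")
```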