
New BIND 9 Vulnerabilities Put Organizations at Risk of Cache Poisoning and DoS Attacks

Two critical vulnerabilities have been disclosed in BIND 9, one of the most widely deployed DNS server software packages in the world.

Released on July 16, 2025, these security vulnerabilities pose significant risks to organizations running affected versions, potentially exposing them to cache poisoning attacks and denial-of-service incidents that could compromise network security and availability.

The first vulnerability, CVE-2025-40776, affects BIND 9's EDNS Client Subnet (ECS) implementation and carries a severity rating of 8.6 out of 10.

This high-severity vulnerability affects only the BIND Subscription Edition (-S) versions, specifically impacting organizations using BIND Supported Preview Edition releases from 9.11.3-S1 through recent versions including 9.18.37-S1 and 9.20.10-S1.

The vulnerability exploits a weakness in how caching resolvers handle ECS options when communicating with authoritative servers.

Attackers can manipulate these interactions to increase their chances of successfully guessing source ports and other critical details needed to bypass traditional birthday attack protections.

This creates a pathway for cache poisoning attacks, where malicious actors can inject false DNS responses into resolver caches, potentially redirecting users to malicious websites or intercepting sensitive communications.

Xiang Li from AOSP Lab of Nankai University discovered this vulnerability, which leverages the ECS feature’s design to create additional attack vectors.

The ECS functionality, designed to improve content delivery network performance by providing geographic information about clients, inadvertently creates opportunities for attackers to gather information that facilitates cache poisoning attempts.

BIND 9 Vulnerabilities

The second vulnerability, CVE-2025-40777, presents a different but equally concerning threat with a CVSS score of 7.5.

This vulnerability affects both standard BIND versions (9.20.0 through 9.20.10 and 9.21.0 through 9.21.9) and the Subscription Edition, targeting servers configured with specific stale-answer settings.

The vulnerability triggers when a caching resolver encounters a particular combination of cached or authoritative records while processing CNAME chains, but only when the server is configured with stale-answer-enable yes and stale-answer-client-timeout set to 0.

Under these conditions, the DNS daemon will terminate with an assertion failure, creating a denial-of-service condition that can render DNS services unavailable.

Unlike the cache poisoning vulnerability, this one was discovered during ISC's internal testing rather than through external research.

While ISC reports no active exploits for either vulnerability, the potential for service disruption makes this a critical concern for organizations relying on BIND for DNS resolution.

Mitigations

Organizations can implement several immediate workarounds while planning comprehensive updates.

For the cache poisoning vulnerability, administrators should disable ECS functionality by removing the ecs-zones option from their named.conf configuration files. This effectively eliminates the attack vector while maintaining basic DNS functionality.

For the denial-of-service vulnerability, administrators can prevent the assertion failure by either setting stale-answer-client-timeout off or stale-answer-enable no in their configuration files. These changes disable the problematic feature combination that triggers the vulnerability.

ISC has released patched versions including BIND 9.18.38-S1, 9.20.11-S1, 9.20.11, and 9.21.10. Organizations should prioritize updating to these versions to ensure complete protection against both vulnerabilities while maintaining full DNS functionality and security.
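The two workarounds above amount to a configuration check: is ecs-zones present, and is stale-answer-enable yes combined with stale-answer-client-timeout 0? The following script is an added example, not ISC's code or tooling, that audits a named.conf options block for exactly those two conditions. The sample configurations are constructed for this example, and the parser is a deliberately simple line-oriented scan that does not handle include files, views, or every named.conf construct; an absent stale-answer-client-timeout is not flagged, so check your version's default separately.

```python
"""Audit a BIND named.conf for the two risky settings described in the
ISC advisories (added example; not ISC code).

Assumptions: a single options {} block, C-style or # comments, and the
simple `name value;` form for stale-answer-* options. The ecs-zones
option only exists in the Subscription Edition, so its presence alone
is treated as the signal for CVE-2025-40776.
"""
import re

# Constructed sample showing both risky settings in one file.
VULNERABLE_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    // Subscription Edition ECS configuration (constructed layout)
    ecs-zones { "example.test"; };
    stale-answer-enable yes;
    stale-answer-client-timeout 0;
};
"""

# Constructed sample after applying the workarounds: ecs-zones removed,
# stale-answer-client-timeout switched to off.
HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    stale-answer-enable yes;
    stale-answer-client-timeout off;
};
"""


def _strip_comments(text):
    """Remove /* */, // and # comments so commented-out options are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return text


def _option(text, name):
    """Return the value of a simple `name value;` option, or None if absent."""
    match = re.search(r"\b" + re.escape(name) + r"\s+([^;{]+);", text)
    return match.group(1).strip().strip('"') if match else None


def audit_named_conf(text):
    """Return a list of findings; an empty list means neither condition was found."""
    text = _strip_comments(text)
    findings = []

    # CVE-2025-40776 workaround: ECS is driven by the ecs-zones option.
    if re.search(r"\becs-zones\s*\{", text):
        findings.append(
            "CVE-2025-40776: ecs-zones is configured; remove it or upgrade to a fixed -S release"
        )

    # CVE-2025-40777 workaround: the crash needs both settings together.
    stale_enabled = _option(text, "stale-answer-enable")
    client_timeout = _option(text, "stale-answer-client-timeout")
    if stale_enabled == "yes" and client_timeout == "0":
        findings.append(
            "CVE-2025-40777: stale-answer-enable yes with stale-answer-client-timeout 0; "
            "set the timeout to off or set stale-answer-enable no"
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        results = audit_named_conf(conf)
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

Run it against your own file with `audit_named_conf(open("/etc/bind/named.conf").read())`; it is a quick triage aid, not a substitute for the patched releases listed above.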


Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
