BIND and Unbound DNS resolvers disclose cache poisoning vulnerabilities

Developers of the widely used BIND DNS software have warned of two high-severity vulnerabilities that could enable cache poisoning attacks, similar to those revealed in 2008. Unbound, another DNS resolver, faces a related flaw reported by the same researchers. Patches for all issues became available on October 22, 2025.

The Internet's most popular domain name resolution software, BIND, is vulnerable to two flaws tracked as CVE-2025-40778 and CVE-2025-40780, each with a severity rating of 8.6. These stem from a logic error and a weakness in pseudo-random number generation, respectively, allowing attackers to poison DNS caches and redirect users to malicious sites indistinguishable from legitimate ones.

Separately, Unbound's makers disclosed a similar vulnerability with a severity score of 5.6, also identified by the same researchers. All patches were released on Wednesday, October 22, 2025.

These issues revive concerns from Dan Kaminsky's 2008 discovery of DNS cache poisoning, which exploited the one-way nature and spoofability of UDP packets. Attackers could flood a resolver with forged responses carrying different transaction IDs (only 65,536 possibilities) to inject a malicious IP address, such as replacing arstechnica.com's 3.15.119.63 with an address under the attacker's control.

The industry responded by adding entropy: resolvers began sending queries from random source ports instead of the fixed port 53, so that an attacker had to guess both the port and the transaction ID, raising the number of combinations into the billions and making blind attacks impractical. However, CVE-2025-40780 weakens this: “In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use,” BIND developers stated. If spoofing then succeeds, BIND can be tricked into caching the attacker's response.
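As an added illustration, not code from the article or from the BIND project, the following script reads constructed tcpdump-style lines of a resolver's outbound queries and flags the two properties the post-2008 mitigation depends on: whether the source port varies and whether the query IDs look like a counter. The capture format, the addresses and the 50% sequential threshold are assumptions.

```python
"""Check a resolver's outbound DNS queries for source-port and query-ID randomization."""
import re

# tcpdump -n style line: "<src>.<port> > <dst>.53: <id>+ <type>? <name>."
LINE_RE = re.compile(r"\S+\.(\d+) > \S+\.53: (\d+)\+")

# Constructed sample captures (RFC 5737 documentation addresses), not real BIND traffic.
RANDOMIZED = """\
IP 192.0.2.10.41872 > 198.51.100.5.53: 9031+ A? example.com. (29)
IP 192.0.2.10.55210 > 198.51.100.5.53: 61422+ A? example.net. (29)
IP 192.0.2.10.33017 > 198.51.100.5.53: 2200+ AAAA? example.org. (31)
IP 192.0.2.10.60433 > 198.51.100.5.53: 41900+ MX? example.com. (29)
"""
PREDICTABLE = """\
IP 192.0.2.10.53 > 198.51.100.5.53: 1000+ A? example.com. (29)
IP 192.0.2.10.53 > 198.51.100.5.53: 1001+ A? example.net. (29)
IP 192.0.2.10.53 > 198.51.100.5.53: 1002+ AAAA? example.org. (31)
IP 192.0.2.10.53 > 198.51.100.5.53: 1003+ MX? example.com. (29)
"""

def parse_capture(text):
    """Return (source_port, query_id) for every outbound query line in the capture."""
    return [(int(p), int(q)) for p, q in LINE_RE.findall(text)]

def sequential_fraction(values):
    """Share of consecutive values that increase by exactly one (modulo 2^16)."""
    if len(values) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(values, values[1:]) if (b - a) & 0xFFFF == 1)
    return hits / (len(values) - 1)

def assess(text):
    """Flag a fixed source port or counter-like query IDs; either makes blind forgery cheaper."""
    pairs = parse_capture(text)
    ports = [p for p, _ in pairs]
    ids = [q for _, q in pairs]
    distinct_ports = len(set(ports))
    # A blind forger must match both the 16-bit query ID and the source port.
    # A single fixed port collapses the search back to 65,536 ID guesses.
    fixed_port = distinct_ports == 1
    counter_ids = sequential_fraction(ids) >= 0.5  # assumed threshold
    return {"queries": len(pairs), "distinct_ports": distinct_ports,
            "fixed_port": fixed_port, "counter_ids": counter_ids,
            "weak": fixed_port or counter_ids}

if __name__ == "__main__":
    for name, cap in (("randomized", RANDOMIZED), ("predictable", PREDICTABLE)):
        print(name, assess(cap))
```

On a real resolver the input would be a `tcpdump -n` capture of its outbound port 53 traffic taken after patching; a few hundred queries give a far better picture than the four-line samples here.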

CVE-2025-40778 allows forged data injection: “Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache,” the developers explained. Exploitation requires network spoofing and precise timing, affecting only cache integrity, not server compromise.

Red Hat noted: “Because exploitation is non-trivial, requires network-level spoofing and precise timing, and only affects cache integrity without server compromise, the vulnerability is considered Important rather than Critical.” Countermeasures like DNSSEC, rate limiting, and firewalls remain effective, limiting impact compared to 2008. Authoritative servers are unaffected. Organizations should apply patches promptly.
