A high-severity vulnerability, CVE-2025-40778, has been identified in BIND 9 DNS resolvers, exposing over 706,000 servers worldwide to cache poisoning attacks. The flaw, which carries a CVSS v3.1 score of 8.6, allows remote, unauthenticated attackers to inject forged DNS records into resolver caches by exploiting BIND's overly permissive acceptance of certain DNS records in responses. This manipulation can redirect internet traffic to malicious sites, facilitate malware distribution, or enable interception of network communications, posing a significant risk to global DNS infrastructure.
The Internet Systems Consortium (ISC) has released advisories and patches addressing the vulnerability in multiple supported and preview versions of BIND 9, including versions 9.18.41, 9.20.15, and 9.21.14, as well as corresponding Supported Preview Edition releases. The publication of proof-of-concept exploit code has heightened the urgency for administrators to patch affected systems, particularly those running recursive DNS servers. While no active exploitation has been observed yet, the widespread use of BIND 9 and the critical nature of DNS services make prompt remediation essential to prevent large-scale attacks.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Germany's BSI published additional recommendations for securing recursive DNS servers, while multiple Linux distributions had already integrated or were preparing patches. These follow-on actions reflected broader ecosystem response to the vulnerability disclosure.
Proof-of-concept exploit code for CVE-2025-40778 was published, increasing the urgency of patching despite no active exploitation being observed at the time. The publication lowered the barrier for attackers to attempt DNS cache-poisoning attacks.
Reporting on the disclosure said the flaw threatened global DNS infrastructure and exposed roughly 706,000 internet-facing servers. The scale of exposure elevated concern over potential widespread abuse if exploitation began.
Fixes for CVE-2025-40778 were made available in BIND 9 versions 9.18.41, 9.20.15, 9.21.14 and corresponding Supported Preview Edition releases. Administrators were advised to upgrade immediately because no workaround was available.
A high-severity vulnerability, CVE-2025-40778, was disclosed in BIND 9 DNS resolvers that allows remote, unauthenticated attackers to poison DNS cache by injecting forged records. The issue also affects authoritative DNS servers when recursion is enabled.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.