Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

BIND 9 DNSSEC malformed DNSKEY CPU exhaustion DoS

IdentifiersCVE-2025-8677CWE-400

CVE-2025-8677 is a remote resource-exhaustion vulnerability in BIND 9 affecting DNSSEC validation on recursive resolvers. When a vulnerable resolver queries records in a specially crafted DNS zone containing certain malformed DNSKEY records, the resolver can enter excessive CPU-consuming processing, leading to resource exhaustion. The issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. The available content attributes the flaw to malformed DNSKEY handling in BIND’s DNSSEC validation logic. Authoritative-only BIND servers are not affected.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes excessive CPU consumption on the affected BIND resolver, degrading or denying DNS resolution service for clients that depend on it. The practical impact is denial of service and loss of availability rather than integrity compromise or code execution. Recursive resolvers handling end-user queries are the primary exposure point.

Mitigation

If you can’t patch tonight, do this now.

No general workaround is available according to the provided ISC-related content. Where operationally feasible, reducing exposure by disabling recursion or ensuring the server is not used as a recursive DNSSEC-validating resolver can mitigate risk; authoritative-only deployments are not affected. Product-specific downstream guidance also notes disabling BIND entirely if not required. These measures may materially affect DNS service functionality, so the preferred mitigation is prompt upgrade to a fixed version.

Remediation

Patch, then assume compromise.

Upgrade BIND 9 to a fixed release. The content identifies patched versions as 9.18.41, 9.20.15, and 9.21.14, with Supported Preview Edition fixes in 9.18.41-S1 and 9.20.15-S1. Organizations on unsupported or discontinued branches should migrate to a supported fixed branch. No workaround is identified in the primary vulnerability content; patching is the required remediation.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
CanonicalJammy-Stemcell-Azureoperating_system
Internet Systems ConsortiumBindapplication
Rocky LinuxRocky Linuxoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

27 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

27 SOURCESView more in app
the hacker newsNews
Oct 27, 2025
⚡ Weekly Recap: WSUS Exploited, LockBit 5.0 Returns, Telegram Backdoor, F5 Breach Widens

A vulnerability listed as trending; no technical details provided in the content.

Read more
gbhackersNews
Oct 23, 2025
BIND 9 Vulnerabilities Expose DNS Servers to Cache Poisoning and DoS

A BIND 9 resource-exhaustion (CPU overload) vulnerability triggered by malformed DNSKEY handling, leading to denial of service against DNS resolvers (especially recursive resolvers).

Read more
ca ccsNews
Oct 22, 2025
ISC BIND security advisory (AV25-693)

A vulnerability in ISC BIND 9 affecting multiple versions, details unspecified in the content, but significant enough to warrant a security advisory and patch.

Read more
zeropath blogNews
Oct 22, 2025
BIND 9 Malformed DNSKEY CPU Exhaustion (CVE-2025-8677) - Technical Summary and Impact Review - ZeroPath Blog | ZeroPath

A remote CPU/resource exhaustion vulnerability in BIND 9 DNSSEC validation logic that can be triggered via specially crafted malformed DNSKEY records, causing recursive resolvers to become unresponsive or deny DNS resolution.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity17

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-8677
NVD
nvd.nist.gov/vuln/detail/CVE-2025-8677
MITRE CWE · CWE-400
cwe.mitre.org
openwall.com
openwall.com/lists/oss-security/2025/10/22/1
kb.isc.org
kb.isc.org/docs/cve-2025-8677