CVE-2025-40778
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-11-04
Assigner: Internet Systems Consortium (ISC)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| isc | bind | 9.18.41 |
| isc | bind | 9.18.0 |
| isc | bind | 9.21.12 |
| isc | bind | 9.11.3-s1 |
| isc | bind | 9.16.50 |
| isc | bind | 9.21.0 |
| isc | bind | 9.20.0 |
| isc | bind | 9.20.15 |
| isc | bind | 9.21.14 |
| isc | bind | 9.16.0 |
| isc | bind | 9.11.0 |
| isc | bind | 9.18.39 |
| isc | bind | 9.20.13 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-349 | The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-40778 is a high-severity vulnerability in multiple versions of BIND 9 where the software is too lenient in accepting unsolicited resource records from DNS answers. This allows an attacker to inject forged data into the DNS cache, causing cache poisoning. As a result, future DNS queries may return manipulated responses. The issue affects recursive DNS resolvers but not authoritative DNS services. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to poison the DNS cache of your recursive DNS resolver. This means that DNS queries made by your systems could be answered with forged data, potentially redirecting users to malicious sites or disrupting normal network operations. This can lead to security risks such as phishing, malware distribution, or denial of service. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or methods provided for this vulnerability. The issue involves BIND accepting forged DNS records, which may not be easily detectable via simple commands. Monitoring DNS cache for unexpected or suspicious entries might help, but no explicit detection commands are documented. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade BIND to the patched versions: 9.18.41, 9.20.15, 9.21.14, or their Supported Preview Edition counterparts (9.18.41-S1, 9.20.15-S1). No workarounds are currently known, so upgrading is the recommended action to prevent exploitation. [1]