CVE-2025-40778
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-11-04

Assigner: Internet Systems Consortium (ISC)

Description
Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-22
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-10-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-40778
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
isc bind 9.18.41
isc bind 9.18.0
isc bind 9.21.12
isc bind 9.11.3-s1
isc bind 9.16.50
isc bind 9.21.0
isc bind 9.20.0
isc bind 9.20.15
isc bind 9.21.14
isc bind 9.16.0
isc bind 9.11.0
isc bind 9.18.39
isc bind 9.20.13
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-349 The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-40778 is a high-severity vulnerability in multiple versions of BIND 9 where the software is too lenient in accepting unsolicited resource records from DNS answers. This allows an attacker to inject forged data into the DNS cache, causing cache poisoning. As a result, future DNS queries may return manipulated responses. The issue affects recursive DNS resolvers but not authoritative DNS services. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to poison the DNS cache of your recursive DNS resolver. This means that DNS queries made by your systems could be answered with forged data, potentially redirecting users to malicious sites or disrupting normal network operations. This can lead to security risks such as phishing, malware distribution, or denial of service. [1]

Detection Guidance

There are no specific detection commands or methods provided for this vulnerability. The issue involves BIND accepting forged DNS records, which may not be easily detectable via simple commands. Monitoring DNS cache for unexpected or suspicious entries might help, but no explicit detection commands are documented. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade BIND to the patched versions: 9.18.41, 9.20.15, 9.21.14, or their Supported Preview Edition counterparts (9.18.41-S1, 9.20.15-S1). No workarounds are currently known, so upgrading is the recommended action to prevent exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart