CVE-2025-71058
DNS Cache Poisoning in Dual DHCP DNS Server 8.01 via UDP Response Validation Flaw
Publication date: 2026-04-07
Last updated on: 2026-04-21
Assigner: MITRE
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Dual DHCP DNS Server 8.01 is a DNS cache poisoning flaw caused by improper validation of DNS responses. The server tracks outstanding queries by their DNS transaction ID (TXID), but instead of generating a fresh random TXID for each upstream query it reuses the TXID the client supplied. An attacker who can send queries to the server therefore already knows the TXID the server will use upstream and does not need to guess it. When a UDP response arrives, the server accepts and caches it as soon as its TXID matches an outstanding query, without checking that it came from the upstream resolver that was actually queried or that the answer belongs to the question that was asked.
Because of this, a remote attacker can inject a forged response that reaches the server before the legitimate one and have it cached, poisoning the DNS cache. Clients that subsequently resolve the poisoned name are sent to an attacker-controlled destination.
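To make the failure concrete, the following added example (not code from this page or from the Dual DHCP DNS Server project) models the two forwarder behaviours described above over real DNS wire format: a vulnerable forwarder that reuses the client's TXID upstream and caches any response carrying it, and a hardened one that draws a fresh random TXID per upstream query and accepts a response only from the upstream address and only if it answers the question that was asked. The upstream address, the attacker's addresses and the queried name are constructed for the demonstration.

```python
from __future__ import annotations
import secrets
import struct

UPSTREAM = ("9.9.9.9", 53)   # assumed upstream resolver; any other source is untrusted

def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name, following compression pointers; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer into an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), end if jumped else off

def build_query(txid: int, qname: str) -> bytes:
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)          # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN

def build_response(txid: int, qname: str, ip: str) -> bytes:
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)          # QR, RD, RA; one answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)  # name = pointer to question; A, IN, TTL, RDLENGTH
    return header + question + rr + bytes(int(o) for o in ip.split("."))

def parse_message(msg: bytes) -> tuple[int, str, str | None]:
    """Return (txid, first question name, first A record or None) for a query or response."""
    txid, _flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                           # QTYPE, QCLASS
    for _ in range(qdcount - 1):                       # skip any further questions
        off = decode_name(msg, off)[1] + 4
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            return txid, qname, ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen
    return txid, qname, None

class VulnerableForwarder:
    """Behaviour described for Dual DHCP DNS Server 8.01: client TXID reused upstream, any matching response cached."""
    def __init__(self) -> None:
        self.pending: dict[int, str] = {}              # upstream TXID -> question name
        self.cache: dict[str, str] = {}                # question name -> cached A record

    def forward(self, client_query: bytes) -> bytes:
        txid, qname, _ = parse_message(client_query)
        self.pending[txid] = qname
        return build_query(txid, qname)                # same TXID the client chose

    def receive(self, src: tuple[str, int], msg: bytes) -> bool:
        txid, _qname, addr = parse_message(msg)
        if txid not in self.pending:
            return False
        self.cache[self.pending.pop(txid)] = addr      # no source or question check
        return True

class HardenedForwarder(VulnerableForwarder):
    """Fresh random TXID per upstream query; accept only from UPSTREAM and only for the question asked."""
    def forward(self, client_query: bytes) -> bytes:
        _client_txid, qname, _ = parse_message(client_query)
        txid = secrets.randbelow(1 << 16)
        self.pending[txid] = qname
        return build_query(txid, qname)

    def receive(self, src: tuple[str, int], msg: bytes) -> bool:
        txid, qname, addr = parse_message(msg)
        if src != UPSTREAM or self.pending.get(txid) != qname:
            return False
        self.cache[self.pending.pop(txid)] = addr
        return True

def race(forwarder_cls) -> str | None:
    """Attacker-controlled client picks TXID 0x1337, then fires a forged reply from its own host before the upstream answers."""
    fwd = forwarder_cls()
    upstream_query = fwd.forward(build_query(0x1337, "bank.example"))
    forged = build_response(0x1337, "bank.example", "203.0.113.66")  # attacker's web server (constructed)
    fwd.receive(("198.51.100.7", 53), forged)                         # sent from the attacker host (constructed)
    upstream_txid = parse_message(upstream_query)[0]
    fwd.receive(UPSTREAM, build_response(upstream_txid, "bank.example", "192.0.2.10"))
    return fwd.cache.get("bank.example")

if __name__ == "__main__":
    print("vulnerable caches:", race(VulnerableForwarder), "| hardened caches:", race(HardenedForwarder))
```

race(VulnerableForwarder) returns the attacker's address and race(HardenedForwarder) the upstream's. Against the vulnerable forwarder the attacker never has to guess the TXID, because it chose it in the client query. The hardened forwarder's random TXID is the part of the fix that the source check alone cannot replace: a source address can be spoofed, a 16-bit value the attacker never sees cannot be chosen.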
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Dual DHCP DNS Server 8.01 allows remote attackers to poison the DNS cache by injecting forged DNS responses. This can lead to users being redirected to attacker-controlled destinations, potentially exposing sensitive data or enabling further attacks.
Such DNS cache poisoning can undermine the integrity and confidentiality of network communications, which are critical aspects of compliance with standards like GDPR and HIPAA. For example, GDPR requires organizations to protect personal data against unauthorized access and ensure data integrity, while HIPAA mandates safeguards to protect electronic protected health information (ePHI).
If exploited, this vulnerability could facilitate data interception or redirection to malicious sites, potentially resulting in unauthorized access or disclosure of sensitive information, thereby impacting compliance with these regulations.
How can this vulnerability impact me?
This vulnerability allows an attacker to perform DNS cache poisoning remotely without authentication. By injecting forged DNS responses, the attacker can redirect users to malicious websites or servers controlled by the attacker.
- Users may be redirected to phishing sites or malware distribution points.
- Legitimate DNS queries may be tampered with, causing loss of trust in network services.
- It can lead to data interception, credential theft, or further network compromise.
- The attack can cause denial of service or disruption of normal DNS resolution.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is done on the network rather than in the software: the vulnerable server accepts a response on TXID match alone, so the traffic to watch is DNS responses arriving at the server that did not come from its configured upstream resolvers.
A forged response sent from the attacker's own address is accepted just as readily as a genuine one, so a response whose source IP is not an upstream resolver is a strong indicator. An attacker who spoofs the upstream's source address evades that check, but the legitimate response still arrives, so two responses carrying the same TXID and question with different answers is the other signal to look for.
Capture DNS traffic on the server host (or on a mirror port in front of it) with tcpdump or Wireshark and inspect the source address and TXID of each response:
- Use tcpdump to capture DNS traffic: tcpdump -i <interface> udp port 53 -w dns_traffic.pcap
- Analyze captured traffic with Wireshark to check for DNS responses from unexpected IP addresses or multiple responses with the same TXID.
- Use tshark to filter DNS responses and check for anomalies: tshark -r dns_traffic.pcap -Y 'dns.flags.response == 1'
- Monitor DNS cache entries on the Dual DHCP DNS Server for unexpected or suspicious entries that could indicate cache poisoning.
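Both signals, a response from a non-upstream source and the same TXID and question answered twice with different data, can be checked mechanically over tshark field output. The following added example is not code from the original page; it assumes the capture was exported with tshark -r dns_traffic.pcap -Y 'dns.flags.response == 1' -T fields -e frame.time_relative -e ip.src -e dns.id -e dns.qry.name -e dns.a, and the upstream resolver addresses and the sample rows are constructed.

```python
from __future__ import annotations
from collections import defaultdict

# Assumed legitimate upstream resolvers configured on the Dual DHCP DNS Server.
UPSTREAMS = {"9.9.9.9", "149.112.112.112"}

# Constructed sample of tshark field output (tab separated), in the shape produced by:
#   tshark -r dns_traffic.pcap -Y 'dns.flags.response == 1' -T fields \
#          -e frame.time_relative -e ip.src -e dns.id -e dns.qry.name -e dns.a
# Row 2 is a forged answer from a host that is not an upstream; row 3 is the genuine
# answer to the same query; rows 4 and 5 are a harmless duplicate of one legitimate reply.
SAMPLE = """\
0.000120\t9.9.9.9\t0x1a2b\twww.example.com\t93.184.216.34
0.002500\t198.51.100.7\t0x1337\tbank.example\t203.0.113.66
0.004100\t9.9.9.9\t0x1337\tbank.example\t192.0.2.10
0.010900\t149.112.112.112\t0x4c4c\tmail.example\t192.0.2.25,192.0.2.26
0.011000\t149.112.112.112\t0x4c4c\tmail.example\t192.0.2.25,192.0.2.26
"""


def parse_rows(text: str) -> list[dict]:
    """Turn tshark field lines into records (dns.id is hex as tshark prints it; decimal also accepted)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, txid, qname, answers = line.split("\t")
        rows.append({
            "time": float(t),
            "src": src,
            "txid": int(txid, 0),
            "qname": qname.lower().rstrip("."),
            "answers": frozenset(a for a in answers.split(",") if a),   # several A records are comma-joined
        })
    return rows


def find_anomalies(rows: list[dict], upstreams: set[str]) -> list[str]:
    """Flag responses from non-upstream sources, then any TXID+question answered more
    than once with different data, which is the trace a spoofed-source forgery leaves
    when the genuine reply also arrives. Identical retransmissions are not flagged."""
    findings = []
    groups: dict[tuple[int, str], list[dict]] = defaultdict(list)
    for r in rows:
        if r["src"] not in upstreams:
            findings.append(
                f"{r['time']:.6f}: response for {r['qname']} from non-upstream {r['src']} "
                f"(txid {r['txid']:#06x})"
            )
        groups[(r["txid"], r["qname"])].append(r)
    for (txid, qname), group in groups.items():
        if len({g["answers"] for g in group}) > 1:
            srcs = sorted({g["src"] for g in group})
            findings.append(
                f"conflicting answers for {qname} under txid {txid:#06x} from {', '.join(srcs)}"
            )
    return findings


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE   # pipe tshark output in, or use the sample
    for finding in find_anomalies(parse_rows(text), UPSTREAMS):
        print(finding)
```

On the sample the script reports the forged response from 198.51.100.7 and the conflicting answers for bank.example under TXID 0x1337, and stays silent on the duplicated mail.example reply. The second check is the one worth keeping in a monitoring pipeline: it works even when the forged packet carries the upstream's address.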
What immediate steps should I take to mitigate this vulnerability?
Until a fixed build is available, reduce how many hosts can reach the server: the attack needs nothing more than the ability to deliver a UDP packet to the server's DNS port, so exposure to untrusted networks should be removed and the set of upstream resolvers the server talks to kept small and fixed.
Because the server itself does not validate the source address of a response or perform bailiwick checks, those checks have to be approximated at the network layer with firewall rules:
- Limit DNS server access to trusted clients and upstream DNS servers only.
- Implement firewall rules that allow inbound DNS responses to the server only from the IP addresses of its legitimate upstream resolvers. An address-based rule does not stop an attacker who spoofs the upstream's source address; it removes the simplest form of the attack, not the underlying flaw.
- Monitor DNS traffic for suspicious activity and unusual DNS cache entries.
Apply the vendor's fix as soon as one is available: the root cause is the server's DNS request/response handling (no per-query TXID randomization, no source or question validation), and only a code change removes it.