ZeroFox’s Proactive Defense: DNS Cache Poisoning Threats
by Carlos Alvarez

DNS Cache Poisoning Vulnerability: What You Need to Know
DNS cache poisoning is back in the spotlight. Tracked as CVE-2025-40778, this high-severity flaw in BIND 9 lets an attacker silently redirect traffic to malicious sites by injecting forged records into a recursive resolver's cache.
ZeroFox is actively monitoring the global Domain Name System to protect its clients against such evolving threats. Our intelligence and disruption teams are tracking exposed BIND 9 recursive resolvers and working to ensure that customers remain protected against this new wave of DNS manipulation.
Organizations that rely on BIND 9 recursive DNS resolvers are strongly advised to act immediately on this high-severity vulnerability, which permits DNS cache poisoning. If threat actors begin exploiting unpatched instances, ZeroFox will take decisive action to protect our customers, from identifying malicious infrastructure to coordinating global takedowns.
What is CVE-2025-40778?
CVE-2025-40778 is a high-severity vulnerability with a CVSS v3.1 base score of 8.6. It affects BIND 9 when it operates as a recursive resolver.
At the time of writing, The Shadowserver Project's scan data shows the number of unpatched resolvers exposed globally:
[Figure: The Shadowserver Project, count of unpatched BIND 9 resolvers exposed worldwide at the time of writing]
According to NIST's National Vulnerability Database, BIND is "too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache". Specifically, the resolver fails to strictly check that every Resource Record Set (RRset) in the answer section actually belongs to the question being resolved, that is, to its QNAME, QTYPE and QCLASS (or to the CNAME chain that starts at the QNAME).
This lax validation, classified as CWE-349 (Acceptance of Extraneous Untrusted Data with Trusted Data) and CWE-345 (Insufficient Verification of Data Authenticity), gives an attacker a crucial bypass:
- An off-path attacker who successfully spoofs the response to a single DNS query can bundle arbitrary A (IP address) or CNAME (alias) records into the answer section.
- Vulnerable BIND 9 versions accept and cache these unsolicited answer records even when they belong to a completely different domain name from the one that was requested.
The attacker therefore no longer has to win a "race on the exact tuple being asked": any response the resolver accepts, whether a spoofed reply or a legitimate reply from an authoritative server the attacker controls, can carry records for unrelated hostnames, and those records land in the cache.
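The following is an added example, not ZeroFox's or ISC's code, that shows the difference between the lenient behaviour described above and the strict answer-section check the fix requires. It builds a hand-constructed DNS response to "www.victim.test A" that smuggles in an unsolicited A record for www.target.example, parses it, and runs both acceptance policies over the answer section. The names and the 198.51.100.x / 203.0.113.5 addresses are documentation-range placeholders.

```python
"""
Added example (not ZeroFox's or ISC's code): contrast lenient acceptance of
answer-section RRsets with strict matching against the question's
QNAME/QTYPE/QCLASS. All messages are constructed by hand for the demo.
"""
import struct

TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (lower-cased name with trailing dot, offset just past the name)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", (end if end is not None else offset)


def build_response(qname, qtype, answers, txid=0x1234):
    """One question plus answer RRs given as (owner, type, ttl, rdata bytes)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for owner, rtype, ttl, rdata in answers:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + body


def rdata_to_text(msg, rtype, off, rdlen):
    if rtype == TYPE_A and rdlen == 4:
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype == TYPE_CNAME:
        return decode_name(msg, off)[0]
    return msg[off:off + rdlen].hex()


def parse_response(msg):
    """Return ((qname, qtype, qclass), [(owner, type, class, ttl, rdata_text), ...])."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    assert qdcount == 1, "example handles single-question messages only"
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, rclass, ttl, rdata_to_text(msg, rtype, off, rdlen)))
        off += rdlen
    return (qname, qtype, qclass), answers


def lenient_accept(question, answers):
    """Pre-fix behaviour: every answer-section RRset is treated as cacheable."""
    return list(answers)


def strict_accept(question, answers):
    """Fixed behaviour: keep only RRsets that answer the question directly or
    continue the CNAME chain that starts at QNAME; drop everything else."""
    qname, qtype, qclass = question
    wanted, kept = qname, []
    for rr in answers:
        owner, rtype, rclass, _ttl, rdata = rr
        if rclass != qclass or owner != wanted:
            continue                                    # unrelated name/class: never cache
        if rtype == TYPE_CNAME:
            kept.append(rr)
            wanted = rdata                              # chain may continue at the target
        elif rtype == qtype:
            kept.append(rr)
    return kept


def demo():
    """Reply to 'www.victim.test A' carrying an unsolicited www.target.example A record."""
    msg = build_response("www.victim.test", TYPE_A, [
        ("www.victim.test", TYPE_A, 300, bytes([198, 51, 100, 7])),
        ("www.target.example", TYPE_A, 86400, bytes([203, 0, 113, 5])),   # injected
    ])
    question, answers = parse_response(msg)
    return lenient_accept(question, answers), strict_accept(question, answers)


if __name__ == "__main__":
    lenient, strict = demo()
    print("lenient would cache:", [(rr[0], rr[4]) for rr in lenient])
    print("strict would cache: ", [(rr[0], rr[4]) for rr in strict])
```

Under the lenient policy the www.target.example record is cached with its 86400-second TTL alongside the genuine answer; under the strict policy it is discarded because its owner name is neither the QNAME nor a CNAME target reached from it. The strict filter is a simplified model of the rule the patched releases enforce, not ISC's implementation.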
How Threat Actors Exploit Spoofed DNS Records
The primary impact of this flaw is the redirection of user traffic to malicious infrastructure. Because the attack can be carried out off-path and requires no authentication, widely deployed resolvers are at serious risk until they are patched.
Once the cache is poisoned, subsequent clients querying the affected resolver are directed to attacker-controlled servers without the resolver performing any fresh lookup. The injected data survives response processing and is cached for its full Time-To-Live (TTL).
The Danger of Arbitrary Hostname Injection
A key danger of CVE-2025-40778 is the attacker’s ability to define addresses for arbitrary hostnames.
- Redirection: Attackers can inject forged address data into the cache and thereby redirect lookups for legitimate domains. This enables credential theft, malware distribution, and on-path attacks against downstream clients that trust the resolver.
- Use of Unregistered Domains: A query for www.victim.test, a name whose authoritative server the attacker controls, can return a reply that also carries a completely unsolicited A record for www.target.example. A vulnerable resolver caches that unsolicited record, which is the proof of successful poisoning. Because the attacker can inject arbitrary A or CNAME records, it does not matter whether the injected name is registered in the global Domain Name System: the vulnerable local resolver serves the fake record from its cache and directs clients to the attacker's IP address (e.g., 203.0.113.5).
Why Immediate Updates Are Mandatory
The affected component is the BIND 9 recursive resolver. Authoritative-only servers are not believed to be affected, but every recursive resolver must be secured immediately.
Affected Versions (Must Update):
According to ISC, the vulnerability affects numerous BIND 9 versions:
- BIND 9: 9.11.0 – 9.16.50
- BIND 9: 9.18.0 – 9.18.39 (Version 9.18.39 was tested and confirmed affected)
- BIND 9: 9.20.0 – 9.20.13
- BIND 9: 9.21.0 – 9.21.12
- Also affected are corresponding versions of the BIND Supported Preview Edition.
Solution:
There are no known workarounds that eliminate the risk of CVE-2025-40778. The only real solution is to upgrade to a patched release provided by ISC. Organizations must upgrade to one of the following releases (or newer):
- 9.18.41
- 9.20.15
- 9.21.14
These patched versions add stricter filtering that discards RRsets not matching the query before they can reach the cache.
Mitigation Measures
While patching is the only complete solution, organizations can implement additional defense-in-depth measures to reduce risk until upgrades are complete:
- Restrict Recursion: Limit recursion to trusted clients (in BIND, the allow-recursion access control) so that arbitrary internet hosts cannot make the resolver issue queries of their choosing.
- Employ DNSSEC Validation: Enable DNSSEC validation. Note its limit: validation only rejects forged records for names in signed zones, so injected records for unsigned names are still cached. This is a partial control, not a fix.
- Monitor Caches: Actively inspect resolver caches (for example, periodic rndc dumpdb -cache dumps) for Resource Record Sets (RRsets) that point your own or other high-value names at unexpected addresses.
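As an added example of the cache-monitoring measure, and not code from ZeroFox or ISC, the script below scans the text of a BIND cache dump for cached address records that contradict an allowlist of expected addresses for names you care about, following cached CNAME chains along the way. The dump text is constructed for the demo in the zone-file layout that rndc dumpdb -cache writes; the names, the allowlist and the 198.51.100.x / 203.0.113.5 addresses are placeholders you would replace with your own.

```python
"""
Added example (not ZeroFox's or ISC's code): flag cached A records for watched
names that fall outside the addresses you expect. Input is constructed text in
the style of a BIND cache dump (named_dump.db).
"""
import ipaddress
import re

# Assumed allowlist: where your own authoritative data says these names point.
EXPECTED = {
    "www.target.example.": ["198.51.100.0/24"],
    "login.target.example.": ["198.51.100.0/24"],
}

# Constructed sample; comment lines mirror the trust-section markers in real dumps.
SAMPLE_DUMP = """\
; Start view _default
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20251101120000
; authanswer
www.victim.test.\t300\tIN A\t198.51.100.7
www.target.example.\t86400\tIN A\t203.0.113.5
login.target.example.\t300\tIN CNAME\twww.target.example.
; additional
ns1.victim.test.\t3600\tIN A\t198.51.100.53
"""

RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S.*)$")


def parse_cache_dump(text):
    """Return (owner, ttl, type, rdata) for each RR line. Comments, $-directives
    and negative-cache entries do not match the pattern and are skipped."""
    rrs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";$":
            continue
        m = RR_LINE.match(line)
        if m:
            rrs.append((m["name"].lower(), int(m["ttl"]), m["type"], m["rdata"].strip()))
    return rrs


def find_unexpected(rrs, expected=EXPECTED):
    """Follow cached CNAMEs (bounded) and report watched names whose cached
    address lies outside the allowed networks."""
    allowed = {n: [ipaddress.ip_network(p) for p in nets] for n, nets in expected.items()}
    a_records, cnames = {}, {}
    for name, ttl, rtype, rdata in rrs:
        if rtype == "A":
            a_records.setdefault(name, []).append((rdata, ttl))
        elif rtype == "CNAME":
            cnames[name] = rdata.lower()
    findings = []
    for watched, nets in allowed.items():
        target, hops = watched, 0
        while target in cnames and hops < 8:          # bounded to survive CNAME loops
            target, hops = cnames[target], hops + 1
        for addr, ttl in a_records.get(target, []):
            if not any(ipaddress.ip_address(addr) in net for net in nets):
                findings.append({"name": watched, "resolved_via": target,
                                 "address": addr, "ttl": ttl})
    return findings


def scan(text=SAMPLE_DUMP):
    return find_unexpected(parse_cache_dump(text))


if __name__ == "__main__":
    for f in scan():
        print(f"ALERT {f['name']} -> {f['address']} (via {f['resolved_via']}, ttl {f['ttl']}s)")
```

In practice you would run rndc dumpdb -cache on the resolver, read the resulting named_dump.db (its location is set by the dump-file option), and pass the contents to scan(). A hit means the resolver is currently serving an address you did not expect for a watched name; it is not on its own proof of poisoning (a legitimate CDN change looks the same), so confirm against your authoritative data before flushing the cache and escalating.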
Safeguard Against DNS Cache Poisoning
The high-severity DNS cache poisoning vulnerability CVE-2025-40778 poses a serious threat to organizations relying on BIND 9 recursive DNS resolvers. Threat actors can exploit this flaw to spoof DNS records and redirect users to malicious sites, regardless of whether the injected name is even registered, leading to consequences such as credential theft and malware distribution.
ZeroFox is actively monitoring the global Domain Name System and is prepared to take decisive action to identify and disrupt malicious activity. Through continuous threat intelligence collection, global takedown capabilities, and close collaboration with internet infrastructure partners and law enforcement, ZeroFox ensures customers stay protected from this evolving threat.
For ongoing protection against DNS abuse, phishing, domain-based attacks, and more, explore ZeroFox solutions through a personalized demo.
Carlos Alvarez
Disruption Partnerships Lead
Carlos leads ZeroFox’s disruption partnerships with all social media networks and the domain and hosting industries. With more than 25 years of experience in cybersecurity and internet governance, he spent nearly 15 years at the Internet Corporation for Assigned Names and Numbers (ICANN), leading enforcement for the domain industry before serving as an engagement leader with law enforcement and the threat intelligence and incident response communities. Carlos serves on the Board of Directors for the Forum of Incident Response and Security Teams (FIRST) and the Internet Fire Brigade Society and is a Strategic Advisor to the Global Cyber Alliance. He also co-founded and co-chaired the Names and Numbers Committee and the Anti-Phishing Special Interest Group at the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG), as well as the DNS Abuse Special Interest Group at FIRST.