Security researchers warn that two bugs in BIND could let attackers poison resolver caches and redirect users to malicious destinations. The flaws, identified as CVE-2025-40778 (a logic error) and CVE-2025-40780 (a weakness in generating pseudo-random numbers), carry a high severity rating of 8.6. Separately, developers of the Unbound DNS resolver flagged similar weaknesses disclosed by the same researchers, tracked as CVE-2025-11411 with a lower severity score of 5.6.
If exploited, these issues could cause resolvers across thousands of organizations to substitute legitimate domain lookups with forged results, pointing users to attacker-controlled IPs. Patches for BIND and Unbound were released on Wednesday to mitigate the risk.
The Kaminsky-era cache poisoning concept remains a touchstone for DNS security. The bugs arise from how DNS answers are matched and validated, threatening the integrity of cached mappings and enabling widespread redirection under certain conditions.
Details from the disclosure note that CVE-2025-40780 undermines the entropy defenses (the unpredictable values a forged reply would have to match) that previously helped protect DNS responses, while CVE-2025-40778 allows forged data to be cached during a query. DNSSEC, rate limiting, and network-level protections remain important countermeasures, and patching is strongly advised.
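To make the matching and validation step concrete, the following is an added Python illustration, not code from the BIND or Unbound projects and not tied to either CVE, of what a resolver checks before trusting a reply: the reply must arrive on the ephemeral port the query left from, carry the same transaction ID and the same question, and any record outside the bailiwick of the server that was queried is dropped rather than cached. The wire layout follows RFC 1035; the names, ports and addresses are constructed sample values, and the bailiwick rule is a simplified version of what production resolvers implement.

```python
"""Resolver-side acceptance checks for a DNS reply (added illustration, simplified)."""
import struct
from dataclasses import dataclass


def _encode_name(name: str) -> bytes:
    """Wire-encode a dotted absolute name without compression: 'a.b.' -> b'\\x01a\\x01b\\x00'."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode the name at `off`, following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], 0, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # two-byte compression pointer
            if not jumped:
                end = off + 2                          # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


@dataclass(frozen=True)
class Record:
    name: str
    rtype: int
    rclass: int
    ttl: int
    rdata: bytes


@dataclass
class Message:
    txid: int
    flags: int
    question: tuple      # (qname, qtype, qclass), qname lowercase and absolute
    answer: list
    authority: list
    additional: list


def build_message(txid, flags, question, answer=(), authority=(), additional=()):
    """Serialise a single-question DNS message (used here to construct sample replies)."""
    qname, qtype, qclass = question
    out = struct.pack("!HHHHHH", txid, flags, 1, len(answer), len(authority), len(additional))
    out += _encode_name(qname) + struct.pack("!HH", qtype, qclass)
    for r in (*answer, *authority, *additional):
        out += _encode_name(r.name) + struct.pack("!HHIH", r.rtype, r.rclass, r.ttl, len(r.rdata)) + r.rdata
    return out


def parse_message(msg: bytes) -> Message:
    """Parse a DNS message carrying exactly one question."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = _read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    sections = []
    for count in (an, ns, ar):
        recs = []
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            recs.append(Record(name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections.append(recs)
    return Message(txid, flags, (qname, qtype, qclass), *sections)


@dataclass
class PendingQuery:
    txid: int        # random 16-bit ID chosen for this query
    src_port: int    # random ephemeral port the query was sent from
    qname: str
    qtype: int
    qclass: int
    zone: str        # zone the queried server is authoritative for (its bailiwick)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (both absolute and lowercase); simplified rule."""
    return zone == "." or name == zone or name.endswith("." + zone)


def accept_response(pending: PendingQuery, wire: bytes, dst_port: int):
    """Return (reason, cacheable_records); only 'ok' allows anything to enter the cache."""
    if dst_port != pending.src_port:                   # reply did not come back to our port
        return "port-mismatch", []
    msg = parse_message(wire)
    if msg.txid != pending.txid:                       # transaction ID must match
        return "txid-mismatch", []
    if msg.question != (pending.qname.lower(), pending.qtype, pending.qclass):
        return "question-mismatch", []                 # must answer the question we asked
    if not msg.flags & 0x8000:                         # QR bit must be set on a response
        return "not-a-response", []
    keep = [r for r in msg.answer + msg.authority + msg.additional if in_bailiwick(r.name, pending.zone)]
    return "ok", keep                                  # out-of-bailiwick records were dropped


if __name__ == "__main__":
    A, IN = 1, 1
    pq = PendingQuery(0x1A2B, 51374, "www.example.com.", A, IN, "example.com.")
    # Constructed reply: a genuine answer plus an unrelated "additional" record that must not be cached.
    reply = build_message(pq.txid, 0x8180, (pq.qname, A, IN),
                          answer=[Record("www.example.com.", A, IN, 300, bytes([192, 0, 2, 10]))],
                          additional=[Record("ns1.other-zone.test.", A, IN, 86400, bytes([198, 51, 100, 7]))])
    print(accept_response(pq, reply, pq.src_port))
```

The port, ID and question checks are exactly the values an attacker would have to guess with a forged reply, which is why weakening the randomness behind them matters; the bailiwick filter is what keeps a legitimate-looking reply from smuggling records for other names into the cache.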
Although exploitation requires spoofed traffic and precise timing, administrators should apply the patches promptly. Authoritative servers themselves are not directly compromised, but the risk to cache integrity warrants urgent remediation and best-practice defenses to minimize impact.