Internet Systems Consortium (ISC) on Wednesday announced BIND 9 updates that resolve high-severity vulnerabilities, including cache poisoning flaws.
The first issue is a weakness in the pseudo-random number generator (PRNG) that the popular DNS server software uses when it picks the UDP source port and 16-bit query ID for its outgoing queries. In certain circumstances, an attacker could predict the port and ID that a future query will use.
The defect, tracked as CVE-2025-40780 (CVSS score of 8.6), could be abused in spoofing attacks: a forged response carrying the predicted port and ID would be accepted as the answer to the resolver's own query and, if the attack succeeds, cached by BIND, ISC explains.
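A resolver only accepts a UDP response that matches both the source port and the query ID of the question it sent, so an attacker who cannot predict them must blindly cover a space of roughly 2^32 (port, ID) combinations before the genuine answer arrives, while an attacker who can predict both needs a single forged packet. The following added example (not ISC's code) makes that difference measurable: it takes a sample of a resolver's outbound (port, ID) pairs, such as one extracted from a packet capture, and flags a fixed port or a linear ID sequence. The "weak" generator is a constructed stand-in for a predictable source; it is not a model of the flawed BIND PRNG, whose details the advisory does not give.

```python
"""Predictability check for a resolver's outbound (source port, query ID) pairs.

Added illustration, not ISC code. `weak_pairs` is a constructed predictable
source (fixed port, ID incrementing by one), not a model of BIND's PRNG.
"""
import os
import struct
from collections import Counter

ID_SPACE = 1 << 16                   # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024 + 1   # ports 1024..65535 a resolver could use


def weak_pairs(n, port=53, first_id=0x1234):
    """Constructed predictable generator: one fixed source port, ID += 1 per query."""
    return [(port, (first_id + i) & 0xFFFF) for i in range(n)]


def random_pairs(n):
    """Strong generator: port and ID drawn from the OS CSPRNG for every query."""
    out = []
    for _ in range(n):
        raw_port, txid = struct.unpack("!HH", os.urandom(4))
        out.append((1024 + raw_port % EPHEMERAL_PORTS, txid))
    return out


def longest_linear_run(ids):
    """Length in IDs of the longest stretch where each ID advances by the same
    step (mod 2^16). Counters and other linear generators give long runs; a
    random source almost never gives a run longer than 3."""
    if len(ids) < 3:
        return len(ids)
    best = run = 2
    for i in range(2, len(ids)):
        if (ids[i] - ids[i - 1]) & 0xFFFF == (ids[i - 1] - ids[i - 2]) & 0xFFFF:
            run += 1
            best = max(best, run)
        else:
            run = 2
    return best


def assess(pairs, window=8):
    """Summarise how hard it is to forge a response matching the next query.

    A spoofed reply is accepted only if it carries the port and ID the resolver
    used, so the attacker's per-packet success probability is 1 / guess_space.
    Heuristic: if the IDs have been linear for at least `window` queries, the
    next ID is predictable and contributes nothing; the port term is the number
    of distinct ports seen in the sample (a lower bound on the real port space).
    """
    ports = Counter(port for port, _ in pairs)
    ids = [txid for _, txid in pairs]
    run = longest_linear_run(ids)
    id_guesses = 1 if run >= window else ID_SPACE
    guess_space = len(ports) * id_guesses
    return {
        "distinct_ports": len(ports),
        "longest_linear_run": run,
        "guess_space": guess_space,
        "per_packet_success": 1.0 / guess_space,
        "predictable": len(ports) == 1 or run >= window,
    }


if __name__ == "__main__":
    for label, sample in (("weak", weak_pairs(1000)), ("random", random_pairs(1000))):
        print(label, assess(sample))
```

Against real traffic, feed `assess` the pairs from `tcpdump -n 'udp dst port 53'` taken on the resolver's upstream interface; a sample of a few hundred queries is enough to expose a fixed port or a counter. Note that this only catches the crude failure modes; a PRNG whose state can be recovered from its outputs can be predictable while still passing this check.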
The second bug, tracked as CVE-2025-40778 (CVSS score of 8.6), exists because, “under certain circumstances, BIND is too lenient when accepting records from answers.”
This allows attackers to inject forged records into the cache, so that later lookups are answered from the poisoned data.
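The baseline rule that decides which records in a response a resolver is willing to cache is the bailiwick check: a record is kept only if its owner name sits at or below the zone the answering server was delegated authority for, so a server asked about example.com cannot plant records for other names. The advisory says only that BIND was “too lenient” and does not describe the exact condition, so the following added example (not ISC's code, and not the specific fix) shows the general check with a constructed response in which three records fall outside the delegated zone, including two names chosen to look related.

```python
"""In-bailiwick filtering of records in a DNS response.

Added illustration of the general rule, not ISC's code or the CVE fix.
`records` are (section, owner, rtype, rdata) tuples; the sample response is
constructed for this example.
"""


def normalize(name):
    """DNS names compare case-insensitively; drop the trailing dot as well."""
    return name.lower().rstrip(".")


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or lies below it in the DNS tree.

    The leading dot in the suffix test is what keeps 'notexample.com' out of
    the 'example.com' bailiwick; the root zone ('' or '.') contains everything.
    """
    owner, zone = normalize(owner), normalize(zone)
    if zone == "":
        return True
    return owner == zone or owner.endswith("." + zone)


def filter_response(records, delegated_zone):
    """Split a response into records safe to cache and records to discard.

    `delegated_zone` is the zone the resolver followed a delegation into when it
    chose this server, not the name it queried: a server delegated for
    example.com may speak for www.example.com, but never for other domains.
    """
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(rec[1], delegated_zone) else dropped).append(rec)
    return kept, dropped


# Constructed response from a server delegated for example.com, asked for
# www.example.com. The last three records are the kind an attacker would
# try to smuggle in.
SAMPLE_RESPONSE = [
    ("answer",     "www.example.com.",        "A",  "192.0.2.10"),
    ("authority",  "example.com.",            "NS", "ns1.example.com."),
    ("additional", "ns1.example.com.",        "A",  "192.0.2.53"),
    ("additional", "www.bank.example.",       "A",  "198.51.100.7"),
    ("additional", "notexample.com.",         "A",  "198.51.100.8"),
    ("additional", "example.com.evil.test.",  "A",  "198.51.100.9"),
]


def sample_result():
    kept, dropped = filter_response(SAMPLE_RESPONSE, "example.com")
    return [r[1] for r in kept], [r[1] for r in dropped]


if __name__ == "__main__":
    kept, dropped = sample_result()
    print("cache:", kept)
    print("drop: ", dropped)
```

Production resolvers layer more on top of this (ranking by section per RFC 2181, treating additional-section glue as less trustworthy than answer data), but if a resolver fails the test above for any record, that record is exactly the kind of forged entry the advisory describes.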
The third vulnerability, CVE-2025-8677 (CVSS score of 7.5), is described as a denial-of-service (DoS) issue that can be triggered when “querying for records within a specially crafted zone containing certain malformed DNSKEY records”.
An attacker could exploit the bug to exhaust the server's CPU, degrading performance and service availability.
According to ISC, all three flaws affect resolvers but are believed to have no impact on authoritative servers. No workaround is available for any of them, but none appears to have been exploited in the wild.
The security defects have been addressed with the release of BIND versions 9.18.41, 9.20.15, and 9.21.14, and BIND Supported Preview Edition versions 9.18.41-S1 and 9.20.15-S1.
ISC recommends updating to a patched version of BIND as soon as possible. Organizations relying on discontinued iterations of the DNS server should transition to a supported version.
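To decide whether a given installation needs the update, compare the running version against the fixed releases listed above, branch by branch. The following added helper (not ISC's tooling) does that for the output of `named -v`; the sample strings it is run on are constructed. It assumes, from the release list above, that the Supported Preview Edition fixes carry the same patch number as the public ones (9.18.41-S1, 9.20.15-S1), so the `-S` suffix is ignored in the comparison, and it reports any branch not in the list as unsupported rather than guessing its status.

```python
"""Is this BIND build at or above the fixed release for its branch?

Added helper, not ISC tooling. Fixed versions are the ones the advisory lists:
9.18.41 / 9.18.41-S1, 9.20.15 / 9.20.15-S1 and 9.21.14.
"""
import re
import subprocess

# branch -> first patch level containing the fixes (assumption: -S editions
# share the patch number with the public release, as the listed versions do)
FIXED_PATCH = {
    (9, 18): 41,
    (9, 20): 15,
    (9, 21): 14,
}

# Matches "9.18.40", "9.20.14-S1" and distro-style "9.18.28-1~deb12u2".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?\b")


def parse_version(text):
    """Return (major, minor, patch, suffix) from free text such as `named -v` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no BIND version found in: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) or ""


def status(text):
    """'fixed', 'vulnerable', or 'unsupported-branch' for branches not in the list."""
    major, minor, patch, _suffix = parse_version(text)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unsupported-branch"
    return "fixed" if patch >= fixed else "vulnerable"


def local_status():
    """Run the installed named and classify it; requires named on PATH."""
    out = subprocess.run(["named", "-v"], capture_output=True, text=True, check=True)
    return status(out.stdout)


if __name__ == "__main__":
    # constructed sample strings shaped like `named -v` output
    for sample in ("BIND 9.18.40 (Extended Support Version)",
                   "BIND 9.20.15-S1 (Supported Preview Edition)",
                   "BIND 9.16.50 (Extended Support Version)"):
        print(sample, "->", status(sample))
```

One caveat when reading the result on a distribution package: vendors often backport fixes without bumping the upstream version, so a "vulnerable" verdict from the version string alone should be confirmed against the distribution's own advisory before raising an incident.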