CVE-2025-40778

HIGH

BIND 9.11.0-9.16.50, 9.18.0-9.18.39, 9.20.0-9.20.13, 9.21.0-9.21.12 - Cache Poisoning


Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-40778. PoCs published by nehkark, nicholasC03, sirbuvladste.

Description

Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

Exploits (3)

github WRITEUP 4 stars
by nehkark · python · poc
https://github.com/nehkark/CVE-2025-40778

This repository provides a detailed technical analysis of CVE-2025-40778, a DNS cache poisoning vulnerability in BIND 9. It includes a comprehensive writeup with attack scenarios, proof-of-concept setup instructions, and mitigation strategies.

Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: BIND 9
No auth needed
Prerequisites: Compromised or malicious authoritative nameserver · Vulnerable recursive resolver without strict bailiwick checking
devstral-2 · analyzed Feb 19, 2026

nomisec WRITEUP 1 star
by nicholasC03 · poc
https://github.com/nicholasC03/DNS-Poisoning-Triage-Lab

This repository documents a forensic investigation into DNS poisoning and ARP spoofing, including a triage script to detect DNS discrepancies. It does not contain exploit code but provides analysis and remediation steps for a network incident.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: DNS resolvers and ARP caching mechanisms
No auth needed
Prerequisites: Network access to the target environment · Presence of rogue hardware or malicious actor
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by sirbuvladste · poc
https://github.com/sirbuvladste/BIND-9-Cache-Poisoning-PoC---CVE-2025-40778

This PoC demonstrates a DNS cache poisoning vulnerability in BIND 9 (CVE-2025-40778) by injecting unsolicited records into the ADDITIONAL section of DNS responses, allowing an attacker to redirect victims to malicious IPs.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: BIND 9 (versions 9.11.0–9.16.50, 9.18.0–9.18.39, 9.20.0–9.20.13, 9.21.0–9.21.12)
No auth needed
Prerequisites: Control over a malicious DNS server · Victim resolver using vulnerable BIND version · Ability to trigger DNS queries to attacker-controlled domain
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.6
EPSS 0.0051
EPSS Percentile 39.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE: CWE-349
Status: published
Products (7)
ISC/BIND 9 9.11.0 - 9.16.50
ISC/BIND 9 9.11.3-S1 - 9.16.50-S1
ISC/BIND 9 9.18.0 - 9.18.39
ISC/BIND 9 9.18.11-S1 - 9.18.39-S1
ISC/BIND 9 9.20.0 - 9.20.13
ISC/BIND 9 9.20.9-S1 - 9.20.13-S1
ISC/BIND 9 9.21.0 - 9.21.12
Published Oct 22, 2025
Tracked Since Feb 18, 2026