Dutch NCSC predicts abuse of DNS server software BIND 9

“It’s always DNS.” That was a popular online response to last week’s global AWS outage. The Dutch cybersecurity agency NCSC expects more trouble when it comes to DNS issues, but this time due to the DNS server software BIND 9.

Two serious vulnerabilities in BIND 9 enable so-called cache poisoning. This causes the DNS server to provide incorrect responses to users’ DNS requests. Because the wrong IP address can be communicated to the endpoint, attackers are able to redirect victims to a malicious website.

The vulnerabilities, CVE-2025-40778 and CVE-2025-40780, both carry a CVSS score of 8.6. The NCSC is calling on organizations to install the available updates. The threat of abuse is real now that proof-of-concept code is available. The updates were released last week, so organizations have had the opportunity to protect themselves.

Proof-of-concept already available

Researchers have now developed proof-of-concept exploit code that can be used to exploit the security vulnerabilities in a laboratory setting. The NCSC expects that this code will soon be converted by attackers into working exploits for cache poisoning attacks.

“For the time being, it is unlikely that the BIND server itself can be compromised. The potential damage is cache poisoning. This causes the DNS to give incorrect answers, allowing malicious parties to direct victims to rogue servers,” according to the government agency.

BIND 9 translates domain names to IP addresses and is by far the most widely used DNS server software on the internet. Last week, updates were released for two vulnerabilities: CVE-2025-40778 and CVE-2025-40780. Both allow attackers to cause the DNS server to return incorrect responses to user requests.

Instead of the correct IP address, the user receives an incorrect one and is redirected to the wrong location. This is called cache poisoning. CVE-2025-40780 concerns a weakness in the pseudo-random number generator (PRNG) used by BIND 9, which allows an attacker to predict the source port and query ID that BIND will use for an outgoing query. CVE-2025-40778 causes BIND 9 to accept response records too easily.
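The second weakness, a resolver accepting records that the answering server is not authoritative for, is the failure mode that a bailiwick check guards against: records whose name falls outside the zone the server serves are dropped before they reach the cache. The following Python example is added here for illustration and is not code from the article or from ISC's BIND; the zone, names, addresses and the stray record in the constructed response are all made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from a DNS response (constructed, simplified)."""
    name: str
    rtype: str
    rdata: str
    section: str  # "answer", "authority" or "additional"


def _norm(name: str) -> str:
    """Lower-case and make the name fully qualified with a trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it; the root covers all."""
    n, z = _norm(name), _norm(zone)
    if z == ".":
        return True
    return n == z or n.endswith("." + z)


def filter_response(records, zone):
    """Split a response from the server for `zone` into cacheable and dropped
    records. Anything outside the server's bailiwick is discarded, which is the
    defence that stops an answer for one zone from overwriting another."""
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


# Constructed reply from a server authoritative for example.net. The last
# record names a host in an unrelated zone and must never enter the cache.
CONSTRUCTED_RESPONSE = [
    RR("www.example.net.", "A", "203.0.113.10", "answer"),
    RR("example.net.", "NS", "ns1.example.net.", "authority"),
    RR("ns1.example.net.", "A", "203.0.113.53", "additional"),
    RR("login.bank.example.", "A", "198.51.100.7", "additional"),
]

if __name__ == "__main__":
    kept, dropped = filter_response(CONSTRUCTED_RESPONSE, "example.net.")
    for rr in kept:
        print("cache :", rr.name, rr.rtype, rr.rdata)
    for rr in dropped:
        print("drop  :", rr.name, rr.rtype, rr.rdata, "(out of bailiwick)")
```

Glue for a nameserver hosted in another zone is dropped too, which is the intended behaviour: the resolver must look that name up separately rather than trust an unsolicited record.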