BIND 9 software exposed to vulnerability

28 October 2025
Important

The BIND 9 DNS resolver software is affected by CVE-2025-40778, a vulnerability that allows DNS records held by the resolver to be tampered with so that internet traffic can be redirected to malicious sites. The vulnerability affects versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, and 9.21.0 through 9.21.12.

CVE-2025-40778 has a CVSS score of 8.6 and is classified as a high-severity vulnerability.

A proof-of-concept (PoC) has been published on GitHub, which increases the risk of exploitation.

The Internet Systems Consortium (ISC), which maintains the software, recommends updating immediately to version 9.18.41, 9.20.15, 9.21.14 or later.

Those who cannot update immediately are advised to restrict recursion to trusted clients via ACLs, enable DNSSEC validation so that responses are verified cryptographically, and monitor cache contents for anomalies.
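The interim measures above, shown as a BIND 9 named.conf fragment. This is an added example, not configuration from ISC or CERT.rs; the network ranges 192.0.2.0/24 and 2001:db8::/32 are placeholders to be replaced with the resolver's actual client networks.

```conf
// Added example (not ISC's or CERT.rs's own configuration).
// Placeholder client networks: 192.0.2.0/24 and 2001:db8::/32.
// These settings only reduce exposure; upgrading BIND is the actual fix.

// --- Weak: open resolver with no validation (shown for contrast) ---
// options {
//     recursion yes;
//     allow-recursion { any; };   // any host on the internet may recurse
//     dnssec-validation no;       // answers are accepted without verification
// };

// --- Hardened: recursion limited to trusted clients, DNSSEC on ---
acl trusted {
    localhost;
    localnets;
    192.0.2.0/24;        // placeholder: internal client network (IPv4)
    2001:db8::/32;       // placeholder: internal client network (IPv6)
};

options {
    recursion yes;
    allow-recursion   { trusted; };  // only trusted clients may recurse
    allow-query-cache { trusted; };  // cache contents not readable by others
    dnssec-validation auto;          // verify responses against the root trust anchor
};
```

Check the syntax with `named-checkconf` and apply it with `rndc reconfig`; `rndc dumpdb -cache` writes the current cache to the configured dump file so its contents can be reviewed for unexpected records.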

More information about this vulnerability is available at the following links:

https://kb.isc.org/docs/aa-00913

https://cybersecuritynews.com/bind-9-resolver-instances/
