🛡️ Live on Oct. 29: Why legacy vuln management tools can’t keep up Register Now
runZero CAASM

On This Page:

  1. Latest BIND vulnerabilities
  2. What is BIND?
  3. What is the impact?
  4. Are updates or workarounds available?
  5. How to find potentially vulnerable systems with runZero
  6. December 2024: BIND 9.20 defect in QPzone implementation

How to find BIND services on your network

runZero Team
Matthew Kienow
|
Updated

Latest BIND vulnerabilities #

Internet Systems Consortium (ISC) has disclosed multiple vulnerabilities affecting certain versions of ISC BIND:

  • A cache poisoning vulnerability related to unsolicited resource records (RRs) - records in a DNS response that were not directly requested by a query - is possible under certain circumstances. This vulnerability exists because BIND is too lenient when accepting such records from answers. Successful exploitation allows a remote, unauthenticated adversary to inject forged records into the cache during a query. This can affect the resolution of future queries, potentially hijacking traffic. This vulnerability has been designated CVE-2025-40778 and has been rated high with a CVSS score of 8.6.
  • A cache poisoning vulnerability exists due to a weakness in the pseudo-random number generator (PRNG). This weakness allows a remote, unauthenticated adversary to predict the source port and query ID that BIND will use. In specific circumstances, BIND can be tricked into caching spoofed responses from an adversary. This vulnerability has been designated CVE-2025-40780 and has been rated high with a CVSS score of 8.6.
  • A resource exhaustion vulnerability exists due to flaws in handling malformed DNSKEY records. Successful exploitation allows a remote, unauthenticated adversary to query for records within a specially crafted zone containing such records. This causes the server to consume excessive CPU resources, overwhelming it and significantly impacting performance, which leads to a denial-of-service (DoS) for legitimate clients. This vulnerability has been designated CVE-2025-8677 and has been rated high with a CVSS score of 7.5.

Authoritative services are believed to be unaffected by these vulnerabilities; however, resolvers are affected.

The following versions are affected:

  • BIND versions 9.11.0 through 9.16.50
    • Note: This range is only affected by CVE-2025-40778 and CVE-2025-40780. The latter (CVE-2025-40780) only affects versions 9.16.0 through 9.16.50.
  • BIND versions 9.18.0 through 9.18.39
  • BIND versions 9.20.0 through 9.20.13
  • BIND versions 9.21.0 through 9.21.12
  • BIND Supported Preview Edition versions 9.11.3-S1 through 9.16.50-S1
    • Note: This range is only affected by CVE-2025-40778 and CVE-2025-40780. The latter (CVE-2025-40780) only affects versions 9.16.8-S1 through 9.16.50-S1.
  • BIND Supported Preview Edition versions 9.18.11-S1 through 9.18.39-S1
  • BIND Supported Preview Edition versions 9.20.9-S1 through 9.20.13-S1

Note: BIND versions prior to 9.11.0 were not specifically assessed, but are also believed to be affected.

What is BIND? #

ISC BIND is open-source software, maintained by the Internet Systems Consortium (ISC), that implements the Domain Name System (DNS), which is the foundational protocol for translating human-readable domain names into IP addresses.

What is the impact? #

Successful exploitation of the vulnerabilities would allow an adversary to affect the resolution of future queries, thereby potentially hijacking traffic, and disrupt service operation for legitimate clients.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

  • BIND versions 9.11.x through 9.18.x upgrade to version 9.18.41 or later
  • BIND versions 9.20.x upgrade to version 9.20.15 or later
  • BIND versions 9.21.x upgrade to version 9.21.14 or later
  • BIND Supported Preview Edition versions 9.11.3-S1 through 9.18.39-S1 upgrade to version 9.18.41-S1 or later
  • BIND Supported Preview Edition versions 9.20.9-S1 through 9.20.13-S1 upgrade to version 9.20.15-S1 or later

How to find potentially vulnerable systems with runZero #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=ISC AND product:=BIND AND (version:>0 AND (
  (version:>=9 AND version:<9.11.0) OR
  (version:>=9.11.0 AND version:<=9.16.50) OR
  (version:>=9.18.0 AND version:<=9.18.39) OR
  (version:>=9.20.0 AND version:<=9.20.13) OR
  (version:>=9.21.0 AND version:<=9.21.12) OR
  (version:>="9.11.3-S1" AND version:<="9.16.50-S1") OR
  (version:>="9.18.11-S1" AND version:<="9.18.39-S1") OR
  (version:>="9.20.9-S1" AND version:<="9.20.13-S1")))

December 2024: BIND 9.20 defect in QPzone implementation #

ISC disclosed that authoritative servers might experience assertion failures or other unexpected events when using DNSSEC-signed zones using NSEC3 in the QPzone implementation which utilizes the QPDB in-memory database. This could potentially lead to a denial-of-service. There was no CVE attached to this notice.

What was the impact? #

This issue affected all BIND versions from 9.20.0 to 9.20.4.  

Were updates or workarounds available? #

ISC stated they were not updating or withdrawing the 9.20 distributions. They did recommend the following either:

  • Recompiling BIND 9.20 with --with-zonedb=RBTDB
  • Installing the latest BIND 9.20.4 packages provided by ISC

How runZero users found potentially vulnerable systems #

From the Services Inventory, use the following query to locate systems running potentially vulnerable software:

product:bind and (_service.product:="%BIND:9.20.0%" or _service.product:="%BIND:9.20.1%" or _service.product:="%BIND:9.20.3%" or _service.product:="%BIND:9.20.4%")

Written by runZero Team

Great research and development is a team effort! Multiple runZero team members collaborated on this post. Go team!

More about runZero Team

Written by Matthew Kienow

Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.

More about Matthew Kienow
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Explore more

Watch Now • On Demand
Vulnerability management is broken: what's the fix?

HD Moore and Omdia analyst Rik Turner discuss why traditional vulnerability management is struggling in modern IT infrastructures, why CVEs don’t tell the full story, and why prioritization alone isn’t enough to close critical security gaps.

Watch Now
runZero Hour, Episode 17
The State of Vuln Management, Our Approach, and a Deep Dive into New Risk Findings
On this special edition of runZero Hour, join VP of Security Research Tod Beardsley and Security Research Director Rob King for a deep dive into the future of exposure management.
Watch Now
Product Release
Tackling the New Era of Exposure Management
Fixing what’s broken with legacy tools and overcoming decades-old problems requires a new approach. Dive into how we do it at runZero.
Read More
Webcast
The Unreasonable Effectiveness of Inside Out Attack Surface Management
HD Moore, founder of runZero (and previously Metasploit), presents new research that will forever redefine how you approach attack surface management.
Watch Now

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Try runZero for Free
© Copyright 2025 runZero, Inc. All Rights Reserved