Warning: Multiple BIND 9 DNS Vulnerabilities could lead to Cache Poisoning or Denial-of-Service (DoS) Attacks, Patch Immediately!

Published: 23/10/2025

    * Last update: 23/10/2025

    * Affected products:
      → BIND 9 versions 9.11.0 to 9.21.12
      → BIND Supported Preview Edition versions 9.16.8-S1 to 9.20.13-S1

    * Type: Cache Poisoning & Denial-of-Service (DoS)

    * CVE/CVSS:
      • CVE-2025-8677: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
      • CVE-2025-40778: CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)
      • CVE-2025-40780: CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)

Risks

The Internet Systems Consortium (ISC) has addressed 3 high-severity vulnerabilities (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780) in BIND 9. Successful exploitation of these vulnerabilities could allow a remote attacker to conduct cache poisoning or denial-of-service (DoS) attacks against affected DNS resolvers.
Although no exploits are currently known in the wild, these vulnerabilities pose a significant risk due to the critical role of DNS in the operation and security of networks.

Description

CVE-2025-8677 is a vulnerability that occurs when the DNS server processes queries for records within specially crafted zones containing malformed DNSKEY records, leading to CPU overload. Successful exploitation of this vulnerability could allow a remote attacker to overwhelm the server, significantly degrading its performance and resulting in denial of service for legitimate clients.
 
CVE-2025-40778 arises because BIND 9 is too lenient when accepting records from answers, enabling an attacker to inject forged DNS records into the cache. This cache poisoning can cause DNS resolvers to return malicious IP addresses or other manipulated DNS data, affecting the integrity of DNS responses.
 
CVE-2025-40780 is a vulnerability identified in ISC BIND 9. It stems from a weakness in the Pseudo Random Number Generator (PRNG) responsible for generating source ports and query IDs for DNS queries.

Because the PRNG state is predictable in affected BIND versions, an attacker can anticipate these values and craft malicious DNS responses that appear legitimate, thereby poisoning the server's DNS cache.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
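To act on this recommendation, an operator first needs to know whether the running named falls inside the affected ranges listed above. The following Python script is an added example, not part of the CCB advisory or of ISC's own tooling; it parses the output of `named -v` (assumed to be in PATH) against the version ranges stated in this advisory, treating the open-source and Supported Preview (-S) release trains separately.

```python
import re
import subprocess

# Affected version ranges as listed in this advisory (both ends inclusive).
# The fourth tuple element is the "-S" build number for the Supported Preview
# Edition, or None for the open-source BIND 9 release train.
AFFECTED_RANGES = [
    ((9, 11, 0, None), (9, 21, 12, None)),  # BIND 9 open-source
    ((9, 16, 8, 1), (9, 20, 13, 1)),        # BIND Supported Preview Edition
]

# Matches "9.18.30" or "9.20.13-S1"; ignores distro suffixes such as "-0ubuntu0.22.04.1".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, s_build) from a 'named -v' line.
    s_build is an int for -S (Supported Preview) builds and None otherwise."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version number found in {text!r}")
    major, minor, patch, s_build = m.groups()
    return (int(major), int(minor), int(patch), int(s_build) if s_build else None)


def is_affected(version_text):
    """True if the version string falls inside one of the advisory's ranges."""
    v = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if (low[3] is None) != (v[3] is None):
            continue  # only compare within the same release train
        key = v[:3] if v[3] is None else v  # drop the None for open-source builds
        if low[:len(key)] <= key <= high[:len(key)]:
            return True
    return False


def installed_version():
    """Ask the local named binary for its version banner (assumes 'named' is in PATH)."""
    out = subprocess.run(["named", "-v"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    banner = installed_version()
    verdict = "AFFECTED - patch now" if is_affected(banner) else "outside the affected ranges"
    print(f"{banner}: {verdict}")
```

Distribution packages often backport fixes without bumping the upstream version number, so an "affected" result should be confirmed against the package changelog before concluding that the host is unpatched.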

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

GbHackers - https://gbhackers.com/bind-9-vulnerabilities-expose-dns-servers/