CVE-2026-42960
NLnet Labs · Unbound
NLnet Labs Unbound is vulnerable to cache poisoning via promiscuous RRSets in the authority section of DNS replies, allowing attackers to inject malicious records into the cache.
Executive summary
A critical cache poisoning vulnerability in NLnet Labs Unbound allows attackers to redirect traffic by injecting malicious DNS records into the resolver's cache.
Vulnerability
This is a DNS cache poisoning vulnerability. An attacker who can get a forged reply accepted by the resolver, for example by spoofing responses or abusing IP fragmentation, can force it to cache address records from the reply's authority section that it was not entitled to accept.
Business impact
Successful exploitation allows an adversary to redirect legitimate user traffic to malicious infrastructure, facilitating man-in-the-middle attacks, credential theft, and malware distribution. With a CVSS score of 10.0, this flaw poses a severe risk to the integrity of DNS resolution services across the enterprise.
Remediation
Immediate Action: Upgrade to Unbound version 1.25.1 or later.
Proactive Monitoring: Monitor DNS query and response traffic for unexpected resolution results or other signs of cache poisoning attempts.
Compensating Controls: Use DNSSEC validation where possible and ensure the resolver is not reachable from untrusted networks, which limits who is in a position to attempt spoofing.
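The two compensating controls above, shown as an unbound.conf excerpt with the weak configuration beside the hardened one. This is an added example, not configuration from the advisory or from NLnet Labs; the internal address range and the trust-anchor path are placeholders to be replaced with local values.

```conf
# Added example (not from the advisory). "Before": an open resolver with
# no validation, so any host on the internet can send it queries and a
# forged reply that slips past it is cached unchallenged.
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow

# "After": refuse everything by default, allow only internal clients,
# and enable DNSSEC validation so forged records for signed zones fail
# validation instead of being served from cache.
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 refuse
    access-control: 10.0.0.0/8 allow            # placeholder internal range
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    harden-glue: yes
    harden-referral-path: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
```

Validate the result with `unbound-checkconf` before reloading; these settings reduce exposure but do not replace the upgrade to 1.25.1.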
Exploitation status
Public Exploit Available: false
Analyst recommendation
The risk of DNS cache poisoning is critical. Administrators must update to the patched version of Unbound so that the resolver correctly validates records in the authority section of replies and rejects data it should not cache.