Marlink Cyber has discovered and responsibly disclosed a vulnerability in ISC BIND, a widely used Domain Name System service that provides name resolution for Internet and local network environments. The issue is a DoS (denial-of-service) vulnerability that can cause the ISC BIND service to crash. The disclosure reflects a coordinated research effort aimed at strengthening critical infrastructure security.

“Two malformed DNS resource record types – HHIT (type 67) and BRID (type 68) – trigger an assertion in BIND’s `dns_rdata_towire()` implementation when the RDATA length is less than three octets,” Marlink detailed in a blog post. “The assertion aborts the `named` daemon, causing an immediate denial‑of‑service (DoS) condition. HHIT and BRID are part of the IETF DRIP Entity Tags implementation in ISC BIND.”

It added that the flaw is exploitable remotely in both forwarding and recursive modes; the attacker only needs to cause the server to process a crafted DNS message containing an undersized HHIT or BRID RR. “The identified flaw allows a remote attacker to cause a denial-of-service (DoS) condition by crashing the BIND service. This disruption can have significant operational impact, as DNS resolution is a critical dependency for most Internet and enterprise services.”

The vulnerability is tracked as MCSAID-2025-015 and has been assigned CVE-2025-13878. It carries a CVSS score of 7.5, placing it in the high-severity category. 

The vendor has released a fix, and patches are now available. Exploitation is considered easy, although there is no evidence that the flaw has been exploited in the wild.

The vulnerability affects ISC BIND versions 9.18.43 and earlier, including 9.18.40 to 9.18.43 and 9.18.40-S1 to 9.18.43-S1. It also affects versions 9.20.17 and earlier, including 9.20.13 to 9.20.17 and 9.20.13-S1 to 9.20.17-S1, as well as versions 9.21.16 and earlier, including 9.21.12 to 9.21.16. The issue has been fixed in version 9.18.44, including 9.18.44-S1, in version 9.20.18, including 9.20.18-S1, and in version 9.21.17.

The Marlink post noted that exploitation is easy because an attacker only needs to cause the server to process a crafted DNS message. Current analysis indicates that arbitrary code execution is not feasible, and the vulnerability’s impact is limited to service interruption resulting from a crash.

Users have been advised that if they are running affected versions of ISC BIND, they should upgrade to the fixed releases. The recommended versions are 9.18.44, 9.18.44-S1, 9.20.18, 9.20.18-S1, and 9.21.17.

Indicators of this vulnerability may include crashes of the BIND or DNS service and assert failures in BIND. On the network side, indicators may include DNS resource record types HHIT (type 67) and BRID (type 68) where the RDATA length is less than three octets.
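The network-side indicator can be checked on captured traffic by walking the wire format of each DNS message. The sketch below is an added example, not code from Marlink or ISC; the function names are assumptions, while the type codes and the three-octet threshold are the ones given above.

```python
import struct

# Type codes and the three-octet minimum come from the article; the function
# names and overall structure are assumptions made for this example.
DRIP_TYPES = {67: "HHIT", 68: "BRID"}
MIN_RDLEN = 3

def _skip_name(msg, off):
    """Return the offset just past an encoded, possibly compressed, name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-octet compression pointer ends it
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length

def find_undersized_drip_rrs(msg):
    """Return (type_name, rdlength) for each HHIT/BRID RR with RDLENGTH < 3.

    msg is one raw DNS message (a UDP payload, or a TCP message with the
    2-octet length prefix already removed).
    """
    if len(msg) < 12:
        raise ValueError("truncated header")
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                 # question: name, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    hits = []
    for _ in range(an + ns + ar):       # answer, authority, additional
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        if rtype in DRIP_TYPES and rdlen < MIN_RDLEN:
            hits.append((DRIP_TYPES[rtype], rdlen))
        off += rdlen
    return hits
```

A non-empty result for traffic reaching a resolver or forwarder is worth correlating with `named` restarts on that host; a `ValueError` means the message itself is truncated or malformed and should be logged separately.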

In October, Marlink revealed that a significant portion of vessels in the maritime sector are still operating on Windows 10 as of Oct. 14. Windows 11 leads with 51.42% adoption, followed by Windows 10 at 40.36%. Windows Server versions make up 5.65%, Windows 7 remains in 2.15% of environments, and Windows 8.x accounts for 0.42%.


Anna Ribeiro


Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.