{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-71058", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T14:09:09.327Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T18:41:54.036Z"}, "descriptions": [{"lang": "en", "value": "Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://sourceforge.net/projects/dhcp-dns-server/"}, {"url": "https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:08:11.699406Z", "id": "CVE-2025-71058", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:09:09.327Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations."}], "id": "CVE-2025-71058", "lastModified": "2026-04-08T21:27:00.663", "metrics": {}, "published": "2026-04-07T19:16:43.220", "references": [{"source": "cve@mitre.org", "url": "https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058"}, {"source": "cve@mitre.org", "url": "https://sourceforge.net/projects/dhcp-dns-server/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "8.01"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 91.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "dual_dhcp_dns_server", "vendor": "dual_dhcp_dns_server_project"}], "analysis": {"en": {"generated_at": "2026-04-07T22:11:45.884319+00:00", "value": {"mitigation_remediation": ["Upgrade Dual DHCP DNS Server to a version that validates upstream DNS responses", "Configure firewall rules to allow incoming UDP traffic on port 53 only from known authoritative upstream DNS servers", "Monitor DNS cache entries for unexpected changes and review logs for unauthorized updates"], "summary": {"action": "Apply patch", "impact": "DNS cache poisoning"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Dual DHCP DNS Server version 8.01. Installations deployed from the project\u2019s GitHub repository or the SourceForge distribution are impacted. No other versions are explicitly mentioned as affected.", "description_and_impact": "Dual DHCP DNS Server 8.01 accepts UDP DNS responses without verifying that the response comes from a trusted upstream server. The implementation only matches responses by transaction ID and then stores the result in the cache. This flaw allows an attacker to inject forged replies and poison the server\u2019s DNS cache, resulting in the resolution of domain names to attacker\u2011controlled IP addresses. The effect is a loss of integrity for DNS resolution on any host that relies on this server.", "risk_and_exploitability": "The impact is significant because compromised DNS resolution can redirect all clients to malicious destinations. The EPSS score is not provided, and the flaw is not listed in CISA\u2019s KEV catalog. The likely attack vector is a malicious actor with network visibility on the same broadcast domain or the ability to send spoofed UDP packets to port 53 to inject forged responses. Exploitation requires no privileged access to the server, only the ability to generate crafted DNS replies over the network."}}}}, "created": "2026-04-08T19:50:24.900145+00:00", "title": "Unvalidated DNS Responses Enable Cache Poisoning in Dual DHCP DNS Server 8.01", "updated": "2026-04-09T08:24:34.535264+00:00", "vendors": ["dual_dhcp_dns_server_project", "dual_dhcp_dns_server_project$PRODUCT$dual_dhcp_dns_server"], "weaknesses": ["CWE-20"]}