How to fix CVE-2025-71058?

Within 24 hours: Inventory all systems running Dual DHCP DNS Server 8.01 and isolate affected instances from untrusted networks where possible; document current version and deployment scope. Within 7 days: Implement network segmentation to restrict DNS responses to only legitimate upstream DNS servers; enable DNS response validation and transaction ID randomization at the firewall or DNS proxy layer if available. Within 30 days: Monitor vendor advisories for patch release; evaluate alternative DNS solutions with stronger source validation; conduct DNS cache poisoning detection monitoring to identify any exploitation attempts.

CVE-2025-71058

EUVD-2025-209280 CRITICAL

2026-04-07 [email protected]

GHSA-xxc5-5ggq-v5qj

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 19:22 euvd

EUVD-2025-209280

Analysis Generated

Apr 07, 2026 - 19:22 vuln.today

CVE Published

Apr 07, 2026 - 19:16 nvd

CRITICAL 9.1

Description

Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations.

Analysis

DNS cache poisoning vulnerability in Dual DHCP DNS Server 8.01 allows unauthenticated remote attackers to inject forged DNS responses by exploiting improper source validation. The server accepts UDP responses matched only by transaction ID without verifying originating upstream DNS server, enabling attackers to poison the cache and redirect victims to malicious destinations. No public exploit identified at time of analysis. CVSS 9.1 (Critical) reflects network-accessible attack requiring no privileges or user interaction.

Technical Context

Implementation fails to validate UDP DNS response source addresses per RFC requirements, relying solely on TXID matching for cache insertion. CWE-94 classification indicates code injection context, though mechanism is DNS protocol abuse rather than traditional code execution. Weakness enables off-path cache poisoning attacks exploiting predictable transaction IDs and lack of cryptographic response authentication (DNSSEC absent).

Affected Products

Dual DHCP DNS Server version 8.01, vendor SourceForge project dhcp-dns-server. No CPE enumeration available. Affected component: DNS caching resolver module handling upstream query responses.

Remediation

No vendor-released patch identified at time of analysis. Primary mitigation: discontinue use of Dual DHCP DNS Server 8.01 until patched release addressing source validation is available. Immediate workarounds: deploy alternative DNS resolver with cryptographic validation (BIND with DNSSEC, Unbound, systemd-resolved), implement network-level source address verification via firewall rules restricting DNS responses to configured upstream resolver IPs only, enable DNSSEC validation on downstream clients if replacement not feasible. Monitor vendor project page at https://sourceforge.net/projects/dhcp-dns-server/ for security updates. Reference security advisory: https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +46

POC: 0

CVE-2025-71058 vulnerability details – vuln.today

Back

CVE-2025-71058

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-71058

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code