Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. An attacker in control of a domain can cause a vulnerable system to generate excessive network traffic. Fixed in 15.0.
AnalysisAI
Technitium DNS Server performs amplified outbound DNS traffic when processing domains with missing RRSIG records or mismatched DNSKEY records - an attacker who controls any domain can exploit this behavior to force the resolver into generating excessive network queries against third-party infrastructure. All versions prior to 15.0 are affected per the vendor CPE listing (cpe:2.3:a:technitium:dns_server:*:*:*:*:*:*:*:*). The CVSS Changed Scope (S:C) confirms that impact extends beyond the vulnerable server itself, affecting downstream network resources and other systems. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.
Technical ContextAI
CWE-405 (Asymmetric Resource Consumption / Amplification) describes the root cause: the server expends disproportionately more resources - outbound DNS queries - than the cost to trigger them. The vulnerability is rooted in DNSSEC validation logic. RRSIG records are cryptographic signatures over DNS resource record sets, and DNSKEY records hold the public keys used to verify those signatures. Technitium DNS Server's resolver, when encountering an authoritative zone with absent or mismatched DNSSEC records, aggressively re-fetches rather than failing gracefully or capping retry attempts. This design flaw transforms any attacker-controlled zone into a traffic amplification lever, directing disproportionate query load from the resolver outward. The CPE cpe:2.3:a:technitium:dns_server:*:*:*:*:*:*:*:* indicates all versions of the Technitium DNS Server application are in scope, without version-range exclusions prior to the fix.
RemediationAI
Upgrade Technitium DNS Server to version 15.0 or later, which contains the vendor-confirmed fix per the official changelog at https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-150. If immediate upgrade is not possible, consider rate-limiting outbound DNSSEC-related query retries at the network perimeter using firewall egress policies or DNS firewall rules to cap per-domain retry volume - this reduces amplification potential but may cause DNSSEC validation failures for legitimate zones with transient record issues, which is a notable trade-off. Restricting recursive resolution to trusted client IP ranges (disabling open resolver behavior) limits the attack surface by preventing arbitrary external actors from inducing resolution of attacker-controlled domains, though this does not eliminate the risk if internal clients can be manipulated. Monitoring for anomalous outbound DNS query spikes toward unfamiliar authoritative nameservers can serve as a detection compensating control.
More in Dns Server
View allAn issue was discovered in Technitium DNS Server through 8.0.2 that allows variant V2 of unintended domain name resoluti
An issue was discovered in Technitium DNS Server through 8.0.2 that allows variant V1 of unintended domain name resoluti
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in cgi component in Synolog
In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Suppor
In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' t
Directory traversal vulnerability in the SYNO.DNSServer.Zone.MasterZoneConf in Synology DNS Server before 2.2.1-3042 all
In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supporte
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30938
GHSA-vpfg-gc96-vg45