Impact
A malicious authoritative server can send a crafted zone via the ZoneToCache function in PowerDNS Recursor, causing the recursor to cache incorrect DNS records. This leads to cache poisoning, potentially redirecting client queries to attacker‑controlled IP addresses, enabling traffic interception, phishing attempts, or denial‑of‑service events. The underlying weakness is improper validation of zone data, consistent with CWE‑349.
Affected Systems
The affected product is PowerDNS Recursor. No specific version information is disclosed in the advisory, so any installation that has not yet applied the vendor’s patch remains at risk. Administrators should identify the running recursor version and determine whether the fix has been applied.
Risk and Exploitability
With a CVSS score of 7.5, the vulnerability is deemed high severity. No EPSS score is available and it is not listed in the CISA KEV catalog, suggesting uncertainty about current exploitation activity. The likely attack path involves a compromised authoritative zone server that can be reached by the Recursor, allowing the attacker to inject a crafted zone and poison the cache. The recursor must process the zone, so the attacker needs network access to send zone data to the recursor but does not require direct access to the Recursor itself.
OpenCVE Enrichment
Debian DSA