CVE-2025-11411 | Possible domain hijacking via promiscuous records in the authority section

NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.

Published: 2025-10-22 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]
NVD Status:DeferredCVE State: published
View at NVD, CVE.org, EUVD

CVE-2025-11411 is rated Low Risk (30.1/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.29%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-11411

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.06% 0.29% +0.23%
2 2025-11-19 0.01% 0.06% +0.05%
3 2025-10-23 0.01%

Full EPSS history (3 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-11411

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.7 4.0 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Click to expand
Attack vector (AV:A)
Attacker has to be on an adjacent/local network segment.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:H)
High integrity impact on subsequent systems.
Subsequent system availability impact (SA:H)
High availability impact on subsequent systems.
Exploit maturity (threat) (E:P)
Proof-of-concept: public PoC exists; no reported exploitation and no known simplification tools.
Confidentiality requirement (CR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Integrity requirement (IR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Availability requirement (AR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Modified attack vector (MAV:X)
Not defined: scoring uses the Base Attack Vector (AV).
Modified attack complexity (MAC:X)
Not defined: scoring uses the Base Attack Complexity (AC).
Modified attack requirements (MAT:X)
Not defined: scoring uses the Base Attack Requirements (AT).
Modified privileges required (MPR:X)
Not defined: scoring uses the Base Privileges Required (PR).
Modified user interaction (MUI:X)
Not defined: scoring uses the Base User Interaction (UI).
Modified vulnerable system confidentiality impact (MVC:X)
Not defined: scoring uses the Base VC metric.
Modified vulnerable system integrity impact (MVI:X)
Not defined: scoring uses the Base VI metric.
Modified vulnerable system availability impact (MVA:X)
Not defined: scoring uses the Base VA metric.
Modified subsequent system confidentiality impact (MSC:X)
Not defined: scoring uses the Base SC metric.
Modified subsequent system integrity impact (MSI:X)
Not defined: scoring uses the Base SI metric.
Modified subsequent system availability impact (MSA:X)
Not defined: scoring uses the Base SA metric.
Safety (supplemental) (S:X)
Not evaluated.
Automatable (supplemental) (AU:X)
Not evaluated.
Recovery (supplemental) (R:X)
Not evaluated.
Value density (supplemental) (V:X)
Not evaluated.
Vulnerability response effort (supplemental) (RE:X)
Not evaluated.
Provider urgency (supplemental) (U:X)
Not evaluated.
 [email protected]

Weakness enumeration for CVE-2025-11411

OS Trackers for CVE-2025-11411

vendor priority summary link
alpine medium CVE-2025-11411: 1 source package rows (unbound); 60 state rows across 5 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 5, open 55. https://security.alpinelinux.org/vuln/CVE-2025-11411
debian not yet assigned CVE-2025-11411 not yet assigned priority: Debian including 1 source packages (unbound), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2025-11411
redhat medium https://access.redhat.com/security/cve/CVE-2025-11411
suse medium CVE-2025-11411 severity moderate: SUSE including 43 source package names (13.2-9.1:glibc-2.38-8.1, 13.2-9.1:glibc-locale-2.38-8.1, …), 99 product×package rows across 33 product lines (Container rancher/elemental-channel/sl-micro, Container suse/sl-micro/6.0/baremetal-iso-image, … (33 product lines)): Fixed 94, First Fixed 5. https://www.suse.com/security/cve/CVE-2025-11411/
ubuntu medium CVE-2025-11411 medium priority: Ubuntu including 1 source packages (unbound), 9 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): released 5, needs-triage 4. https://ubuntu.com/security/CVE-2025-11411

Affected software / configurations for CVE-2025-11411

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2025-11411

cvelogic Threat Intelligence