
CVE-2025-11411: CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data in NLnet Labs Unbound

Severity: Medium
Tags: Vulnerability, CVE-2025-11411, CWE-349
Published: Wed Oct 22 2025 (10/22/2025, 12:28:02 UTC)
Source: CVE Database V5
Vendor/Project: NLnet Labs
Product: Unbound

Description

NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers into updating their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done, for example, by trying to spoof a packet or by fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has, since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies, mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.

AI-Powered Analysis

Last updated: 12/03/2025, 14:41:58 UTC

Technical Analysis

CVE-2025-11411 is classified under CWE-349 (acceptance of extraneous untrusted data with trusted data) and affects the NLnet Labs Unbound DNS resolver up to version 1.24.2. Unbound processes NS RRSets found in the authority section of DNS responses; these are normally used to refresh the resolver's knowledge of a zone's delegation (its authoritative name servers). Unbound did not sufficiently check whether such NS RRSets were solicited before accepting them, so an attacker who can get a crafted reply accepted (for example via spoofed DNS packets or fragmentation attacks that bypass standard checks) can inject NS RRSets and associated address records. Once accepted, Unbound updates its delegation information with attacker-controlled name servers, effectively hijacking the domain by redirecting subsequent queries to those servers. This compromises the integrity of DNS resolution and can enable follow-on attacks such as phishing, man-in-the-middle, or data interception. Unbound 1.24.1 added a mitigation that scrubs unsolicited NS RRSets from standard replies, and 1.24.2 extended it to YXDOMAIN and non-referral NODATA replies, reducing the attack surface. Exploitation requires neither authentication nor user interaction, but the attacker must be able to inject or spoof packets to the resolver. The CVSS 4.0 score of 5.7 (medium severity) reflects the moderate exploitation complexity and the significant impact on integrity, with no direct impact on confidentiality or availability.
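To make the scrubbing logic concrete, here is an added example (not Unbound's own code, and not from this page) that models a DNS reply with a small constructed data structure and drops NS RRSets, plus the glue A/AAAA records they vouch for, from the authority and additional sections of any reply that is not a referral. The `Reply` class, the `is_referral` heuristic and the sample records are assumptions made for the illustration; the referral test (NOERROR, empty answer, NS present, no SOA) is a simplification of what a real resolver does.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of a DNS reply: each RR is (owner, rtype, rdata).
RR = tuple[str, str, str]


@dataclass
class Reply:
    qname: str
    rcode: str                       # "NOERROR", "NXDOMAIN", "YXDOMAIN", ...
    answer: list[RR] = field(default_factory=list)
    authority: list[RR] = field(default_factory=list)
    additional: list[RR] = field(default_factory=list)


def is_referral(reply: Reply) -> bool:
    """Simplified referral test: NOERROR, empty answer, NS RRs in the authority
    section and no SOA (a NODATA reply carries an SOA instead)."""
    types = {r[1] for r in reply.authority}
    return (reply.rcode == "NOERROR" and not reply.answer
            and "NS" in types and "SOA" not in types)


def scrub_unsolicited_ns(reply: Reply) -> Reply:
    """Mirror the fix described above: in positive replies, YXDOMAIN replies and
    non-referral NODATA replies, strip NS RRSets from the authority section and
    strip the A/AAAA glue in the additional section that only those NS targets
    justified. Referrals are left intact because their NS RRSets are solicited."""
    if is_referral(reply):
        return reply
    dropped_ns = [r for r in reply.authority if r[1] == "NS"]
    if not dropped_ns:
        return reply
    glue_owners = {r[2].lower().rstrip(".") for r in dropped_ns}
    reply.authority = [r for r in reply.authority if r[1] != "NS"]
    reply.additional = [
        r for r in reply.additional
        if not (r[1] in ("A", "AAAA") and r[0].lower().rstrip(".") in glue_owners)
    ]
    return reply


# Constructed sample: a positive A reply that smuggles an NS RRSet (and glue)
# for the queried zone in its authority/additional sections.
POSITIVE = Reply(
    qname="www.example.com", rcode="NOERROR",
    answer=[("www.example.com", "A", "192.0.2.10")],
    authority=[("example.com", "NS", "ns.attacker.example")],
    additional=[("ns.attacker.example", "A", "198.51.100.9")],
)
```

Applying `scrub_unsolicited_ns(POSITIVE)` leaves the answer section untouched and empties both the authority and additional sections; a genuine referral (empty answer, NS only in authority) passes through unchanged.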

Potential Impact

For European organizations, this vulnerability poses a risk to the integrity of DNS resolution, which is foundational to internet and intranet operations. Successful exploitation can lead to domain hijacking, redirecting users and services to attacker-controlled infrastructure. This can facilitate credential theft, data interception, malware distribution, or disruption of critical services. Organizations in sectors such as finance, government, telecommunications, and critical infrastructure are particularly at risk due to the high value of their domains and services. Additionally, the attack can undermine trust in digital services and cause reputational damage. Since Unbound is widely used as a recursive DNS resolver in many European networks, especially in academic, governmental, and ISP environments, the scope of impact can be broad. The vulnerability could also be leveraged in targeted attacks against specific domains or regions, amplifying geopolitical risks. However, the absence of known exploits in the wild and the availability of patches reduce immediate risk if mitigations are applied promptly.

Mitigation Recommendations

European organizations should immediately verify their use of NLnet Labs Unbound and upgrade to version 1.24.2 or later, which includes fixes that scrub unsolicited NS RRSets from DNS replies. Network administrators should implement DNS response validation and monitoring to detect anomalous NS RRSet injections or unexpected delegation changes. Deploying DNSSEC validation where possible can provide an additional layer of protection by cryptographically verifying DNS data authenticity. Network-level protections such as ingress filtering (BCP 38) and anti-spoofing measures can reduce the risk of packet spoofing and fragmentation attacks used to exploit this vulnerability. Organizations should also audit DNS resolver configurations to ensure they do not accept or cache unsolicited authority data. Regularly reviewing DNS logs for suspicious delegation updates and employing anomaly detection tools can help identify exploitation attempts early. Collaboration with ISPs and upstream providers to enforce secure DNS practices is recommended. Finally, educating security teams about this specific threat and its indicators will improve incident response readiness.


Technical Details

Data Version: 5.1
Assigner Short Name: NLnet Labs
Date Reserved: 2025-10-07T09:07:44.926Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68f8d2c779108345beab68dd

Added to database: 10/22/2025, 12:49:11 PM

Last enriched: 12/3/2025, 2:41:58 PM

Last updated: 12/8/2025, 3:24:50 AM

