CVE-2025-5994: CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data in NLnet Labs Unbound

Severity: High
Tags: vulnerability, cve-2025-5994, cwe-349
Published: Wed Jul 16 2025 (07/16/2025, 14:38:22 UTC)
Source: CVE Database V5
Vendor/Project: NLnet Labs
Product: Unbound

Description

A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.

AI-Powered Analysis

AI analysis last updated: 11/03/2025, 20:37:51 UTC

Technical Analysis

CVE-2025-5994 is a high-severity (CVSS 4.0 base score 8.7) cache poisoning vulnerability in NLnet Labs' Unbound DNS resolver. It affects Unbound from 1.6.2 up to and including 1.23.0, and only when the resolver is both compiled with ECS support ('--enable-subnet') and configured to attach ECS information to outgoing queries through 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward'; the fix shipped in Unbound 1.23.1. The mechanism is a side effect of ECS rather than a parsing bug. A resolver that does not send ECS coalesces concurrent lookups for the same name and type into a single outgoing query, so an attacker guessing the 16-bit transaction ID has one target at a time and must win a fresh race for every attempt. A resolver that sends ECS upstream cannot coalesce, because each distinct client subnet needs its own outgoing query carrying its own ECS option; an attacker who can trigger lookups for one name from many subnets (or through many clients) therefore gets many queries in flight at once, each with its own transaction ID, and a forged reply only has to match any one of them. That is the birthday-paradox condition, and the name Rebirthday Attack reflects that it reopens an attack class that query coalescing had closed. A forged reply that carries no ECS option is accepted and stored as an ordinary, non-ECS answer, so the poison lands in the cache that serves every client rather than only the subnet whose query was spoofed. This is the CWE-349 pattern: extraneous untrusted data accepted alongside trusted data. The 8.7 score reflects a network attack vector with no privileges or user interaction required and a high impact on the integrity of cached answers; poisoned answers can in turn divert or deny service for the affected names. No public exploit had been reported at the time of analysis, but the attack works against any exposed Unbound deployment, which makes it a material threat to ISPs and public resolvers that send ECS upstream for client-locality routing.
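The birthday-paradox argument in numbers, as an added illustration that is not part of this page or of NLnet Labs' code. The first function is the closed-form probability that a burst of forged replies with random transaction IDs matches at least one of the IDs in flight for a name, the second inverts it to the number of forged replies needed, and the Monte Carlo model checks the formula. The burst size (1000 forged replies) and the number of ECS-segregated queries an attacker can keep in flight (200) are assumed figures chosen for illustration, and the ID space is the 16-bit transaction ID alone, as the description frames the attack; source-port randomization, which Unbound also uses, multiplies the space and can be passed in through `id_space`.

```python
import math
import random

TXID_SPACE = 1 << 16  # 16-bit DNS transaction ID, the entropy the description refers to


def poison_probability(outstanding, spoofed, id_space=TXID_SPACE):
    """Probability that at least one of `spoofed` forged replies, each carrying an
    independently random ID, matches the ID of one of `outstanding` in-flight
    queries for the same name.  Treats the in-flight IDs as distinct, which is a
    close approximation while `outstanding` is small compared with `id_space`."""
    if outstanding <= 0 or spoofed <= 0:
        return 0.0
    per_reply_hit = min(outstanding, id_space) / id_space
    return 1.0 - (1.0 - per_reply_hit) ** spoofed


def spoofs_needed(outstanding, target=0.5, id_space=TXID_SPACE):
    """Forged replies the attacker must deliver, before the genuine answer
    arrives, to reach `target` success probability against `outstanding`
    concurrent queries for the name."""
    per_reply_hit = min(outstanding, id_space) / id_space
    if per_reply_hit >= 1.0:
        return 1  # every ID is in flight, so the first forged reply matches
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - per_reply_hit))


def simulate(outstanding, spoofed, trials=500, id_space=TXID_SPACE, seed=1):
    """Monte Carlo check of the formula.  Each trial models a resolver holding
    `outstanding` queries in flight for one name (random IDs, as a resolver
    assigns them) and an attacker who blasts `spoofed` forged replies at it."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        in_flight = {rng.randrange(id_space) for _ in range(outstanding)}
        if any(rng.randrange(id_space) in in_flight for _ in range(spoofed)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    burst = 1000  # assumed: forged replies the attacker lands before the real answer
    # Without ECS the resolver coalesces duplicate lookups, so there is one target ID.
    print("coalesced (1 outstanding):  P =", round(poison_probability(1, burst), 4))
    # With ECS sent upstream each client subnet gets its own outgoing query;
    # 200 in flight is an assumed figure for illustration.
    print("ECS-segregated (200):       P =", round(poison_probability(200, burst), 4))
    print("replies for 50% odds, 1 vs 200 outstanding:", spoofs_needed(1), spoofs_needed(200))
    print("Monte Carlo, 200 outstanding:", simulate(200, burst))
```

With one query in flight the attacker needs on the order of 45,000 forged replies for even odds; with 200 in flight, a few hundred suffice. Passing `id_space=TXID_SPACE * 60000` (transaction ID times a randomized source port) shows why port randomization still matters: the same 200-query burst then yields a success probability far below one percent.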

Potential Impact

For European organizations, this vulnerability threatens the integrity of DNS resolution, on which nearly every other network service depends. Successful exploitation poisons the resolver's cache, so every client of that resolver can be steered to attacker-controlled addresses for the poisoned names, enabling phishing, malware delivery and interception of traffic that is not otherwise pinned to a known endpoint; confidentiality suffers through the resulting man-in-the-middle position, and availability suffers for any name whose cached answer is replaced with a useless one. Names in DNSSEC-signed zones are protected at a validating resolver, but most zones are unsigned. Sending ECS upstream is off by default in Unbound and is mainly enabled by ISPs and public resolver operators who want CDN answers tailored to client location, so the affected population is concentrated in exactly the resolvers with the largest client bases, including those serving critical infrastructure, financial institutions and government agencies. No authentication or user interaction is required, so exploitation is fully remote. Because the Rebirthday Attack is multi-vendor, other ECS-capable resolvers are affected as well, and operators running a mixed resolver estate should check each vendor's advisory.

Mitigation Recommendations

Audit every Unbound instance for both halves of the condition. 'unbound -V' shows whether the binary was built with '--enable-subnet' (the flag appears in the 'Configure line', and 'subnetcache' appears under 'Linked modules'); the configuration shows whether 'subnetcache' is in 'module-config' and whether any of 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' is set. All three options are off by default, so a resolver that never opted into sending ECS upstream is not exposed even if the module is compiled in. The fix is in Unbound 1.23.1; upgrade to that release or later. Where the upgrade must wait and ECS forwarding is not essential, remove those options (and 'subnetcache' from 'module-config') so that concurrent lookups for the same name are coalesced into one outgoing query again; recompiling without '--enable-subnet' achieves the same but is unnecessary once the options are gone. DNSSEC validation ('auto-trust-anchor-file' with the validator module loaded) rejects forged answers for signed zones but does nothing for unsigned zones, so it narrows the exposure rather than closing it. Two existing Unbound hardening options are directly relevant: 'use-caps-for-id: yes' adds 0x20 case randomization of the query name as extra entropy a forged reply must reproduce, and 'unwanted-reply-threshold' makes Unbound flush its rrset and message caches and log a warning once a thread has seen that many replies that matched no outstanding query, which is precisely the traffic a birthday attack generates; the 'unwanted.replies' counter in 'unbound-control stats' should be watched for spikes. DNS over TLS or DNS over HTTPS between clients and the resolver protects only that hop; the forged replies in this attack arrive on the resolver's upstream side, so client-side encryption does not mitigate it. Because the attack is multi-vendor, switching resolver products is not a mitigation in itself; apply each vendor's fixed version instead.
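An audit script for the two conditions above, added here as an example and not part of the page or of NLnet Labs' tooling. It parses a server: section for the subnet module and the three ECS-sending options, reads the build flags and version from 'unbound -V' output, and reports whether the instance is exposed (built with ECS, configured to send it upstream, and older than 1.23.1). Both inputs below are constructed samples; for live use the commented lines in main() show where to substitute the real command output and config path, which are assumptions about the deployment. The parser does not follow 'include:' directives, so concatenate included files first.

```python
import re
import subprocess  # used only by the live-run hint in main()

# Constructed sample of an exposed server: section (not taken from any real deployment).
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    module-config: "subnetcache validator iterator"
    send-client-subnet: 192.0.2.10          # upstream that receives ECS
    client-subnet-zone: example.net
    client-subnet-always-forward: no
    max-client-subnet-ipv4: 24
"""

# Constructed sample of `unbound -V` output for an ECS-enabled build of an affected release.
SAMPLE_VERSION = """\
Version 1.23.0

Configure line: --enable-subnet --with-libevent
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.13 30 Jan 2024
Linked modules: dns64 subnetcache respip validator iterator
"""

FIXED_IN = (1, 23, 1)  # release that shipped the fix for CVE-2025-5994
SECTION_RE = re.compile(r"^[a-z0-9-]+:$")  # clause headers such as "server:" or "forward-zone:"


def parse_conf(text):
    """Map option -> list of values.  Repeatable options (send-client-subnet,
    client-subnet-zone) keep every value; comments and surrounding quotes are
    stripped.  include: directives are not followed."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or SECTION_RE.match(line):
            continue
        key, _, value = line.partition(":")
        opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts


def ecs_sent_upstream(opts):
    """Configuration half of the condition: the subnet module is in module-config
    AND at least one option attaches ECS to outgoing queries."""
    module_loaded = any("subnetcache" in v.split() for v in opts.get("module-config", []))
    reasons = [f"{opt}: {v}" for opt in ("send-client-subnet", "client-subnet-zone")
               for v in opts.get(opt, [])]
    if any(v.lower() == "yes" for v in opts.get("client-subnet-always-forward", [])):
        reasons.append("client-subnet-always-forward: yes")
    return module_loaded and bool(reasons), reasons


def built_with_subnet(version_output):
    """Build half of the condition, read from `unbound -V` output."""
    for line in version_output.splitlines():
        if line.startswith("Configure line:") and "--enable-subnet" in line:
            return True
        if line.startswith("Linked modules:") and "subnetcache" in line.split():
            return True
    return False


def parse_version(version_output):
    """(major, minor, patch) from the leading 'Version x.y.z' line, or None."""
    m = re.search(r"^Version (\d+)\.(\d+)\.(\d+)", version_output, re.MULTILINE)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(conf_text, version_output):
    ver = parse_version(version_output)
    built = built_with_subnet(version_output)
    sends, reasons = ecs_sent_upstream(parse_conf(conf_text))
    patched = ver is not None and ver >= FIXED_IN
    return {"version": ver, "patched": patched, "built_with_subnet": built,
            "sends_ecs": sends, "reasons": reasons,
            "exposed": built and sends and not patched}


if __name__ == "__main__":
    # Live use (assumed binary on PATH and default config path):
    #   version_output = subprocess.run(["unbound", "-V"], capture_output=True, text=True).stdout
    #   conf_text = open("/etc/unbound/unbound.conf").read()
    print(assess(SAMPLE_CONF, SAMPLE_VERSION))
```

The sample reports exposed because the module is loaded and two ECS-sending options are set on a 1.23.0 build; removing those two options, or reading a 1.23.1 version line, flips the verdict.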

Technical Details

Data Version
5.1
Assigner Short Name
NLnet Labs
Date Reserved
2025-06-11T09:08:05.767Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6877bb51a83201eaacdbe12a

Added to database: 7/16/2025, 2:46:41 PM

Last enriched: 11/3/2025, 8:37:51 PM

Last updated: 12/4/2025, 11:40:34 AM
