CVE-2025-5994: CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data in NLnet Labs Unbound
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
AI Analysis
Technical Summary
CVE-2025-5994 is a high-severity cache poisoning vulnerability in the NLnet Labs Unbound DNS resolver. It applies only when Unbound is compiled with EDNS Client Subnet (ECS) support (the '--enable-subnet' configure option) and configured to add ECS information to the queries it sends upstream, i.e. when at least one of 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' is set. The flaw is the multi-vendor 'Rebirthday Attack', a revival of the birthday-paradox attack on DNS transaction IDs. ECS (RFC 7871) lets a resolver include a prefix of the client's address in the upstream query so that the authoritative server can tailor its answer to the client's location. Because different client subnets may legitimately receive different answers, an ECS-aware resolver must not coalesce queries for the same name that carry different client subnets; it has to keep a separate outstanding upstream query for each distinct ECS value. Unbound, like other resolvers, normally coalesces repeated queries for the same name onto a single outstanding upstream query, so a classic off-path attacker has one 16-bit transaction ID (plus a random source port) to guess per race. When queries for one name arrive from, or carry, many different client subnets, the ECS segregation leaves many in-flight queries for that name at once, each with its own random ID, and a forged reply succeeds if it matches any one of them; this multiplies the attacker's per-packet odds by roughly the number of outstanding queries. The forged reply carries no ECS option, so the resolver treats it as a subnet-independent answer and stores it in the shared, non-ECS cache, from where it is served to every client. That is the 'non-ECS poisonous reply' of the advisory text and the reason the weakness is classed as CWE-349: untrusted data accepted alongside trusted data. The consequences are those of any cache poisoning: traffic for the poisoned name is redirected to attacker-controlled addresses, enabling phishing, interception or denial of service. The CVSS 4.0 base score is 8.7 (high): network attack vector, no privileges or user interaction, and a high impact on the integrity of cached answers; loss of confidentiality and availability follow from the redirection rather than from the flaw itself. No exploitation in the wild has been reported, but the issue is public. The CVE record lists Unbound 1.6.2 as the earliest affected version, not the only one: every later release built and configured as described above is affected until a fixed release is installed. The fix shipped in Unbound 1.23.1, released on the publication date of July 16, 2025.
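The following is an added example, not code from the advisory or from NLnet Labs, showing why ECS query segregation re-opens the birthday window. It models only the 16-bit transaction ID and assumes the attacker already knows the source port (for instance because a NAT device rewrites it); real Unbound also randomises the port, which scales every probability down by the same factor and leaves the multiplier between the two columns unchanged. The packet counts are assumptions chosen to make the effect visible.

```python
"""Added example (not from the advisory or from NLnet Labs): a non-ECS resolver
has at most one in-flight upstream query per name, while an ECS resolver must
keep one per distinct client subnet.  An off-path attacker spoofing replies
only has to match the transaction ID of *any* of them.  Only the 16-bit DNS
ID is modelled here (assumption: source port known to the attacker)."""

import random

ID_SPACE = 1 << 16  # 16-bit DNS transaction ID


def hit_probability(outstanding: int, spoofed: int) -> float:
    """Closed form: chance that at least one of `spoofed` forged replies with
    random IDs matches one of `outstanding` distinct in-flight IDs."""
    if outstanding >= ID_SPACE:
        return 1.0
    miss_per_packet = 1.0 - outstanding / ID_SPACE
    return 1.0 - miss_per_packet ** spoofed


def simulate_attack(outstanding: int, spoofed: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of hit_probability.  Per trial the resolver holds
    `outstanding` in-flight queries for the same name (one per ECS prefix),
    each with a fresh random ID; the attacker lands `spoofed` forged replies
    with random IDs before the genuine answer arrives."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        in_flight = set(rng.sample(range(ID_SPACE), outstanding))
        if any(rng.randrange(ID_SPACE) in in_flight for _ in range(spoofed)):
            hits += 1
    return hits / trials


def birthday_multiplier(outstanding: int, spoofed: int) -> float:
    """How much easier the ECS-segregated case is than the single-query case."""
    return hit_probability(outstanding, spoofed) / hit_probability(1, spoofed)


if __name__ == "__main__":
    spoofed = 2048  # assumed number of forged replies landed in one race window
    print(f"{'outstanding':>11} {'P(hit) exact':>13} {'P(hit) sim':>11} {'x easier':>9}")
    for n in (1, 8, 32, 128):
        print(f"{n:>11} {hit_probability(n, spoofed):13.4f} "
              f"{simulate_attack(n, spoofed, trials=300):11.4f} "
              f"{birthday_multiplier(n, spoofed):9.1f}")
```

With 32 outstanding queries for one name, 2048 forged packets already give the attacker better than even odds, against about 3% with a single outstanding query; the multiplier is close to the number of in-flight queries until it saturates. Adding port randomisation back in divides both probabilities by the same factor, which is why segregation, not ID entropy, is the variable that matters here.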
Potential Impact
For European organizations the Rebirthday Attack is a threat to the integrity of DNS resolution and, through it, to confidentiality. A poisoned cache entry is served to every client of the resolver that asks for the affected name, so a single successful race can enable phishing, malware delivery, interception and man-in-the-middle attacks across an entire user base. Unbound with ECS sent upstream is most common in ISP and large enterprise resolvers and in deployments that forward to public resolvers with ECS, so those operators see the highest exposure. Exploitation needs no authentication or user interaction, only the ability to send spoofed UDP replies toward the resolver and to trigger queries for the target name. Availability can suffer as well: poisoned records for critical names act as a denial of service, and the defensive cache flush that Unbound can perform under an unwanted-reply flood costs a period of degraded performance. Sectors that depend on trustworthy name resolution, such as finance, telecommunications, government and critical infrastructure, carry the highest impact if traffic is redirected or intercepted.
Mitigation Recommendations
To mitigate CVE-2025-5994, organizations running Unbound should: 1) Establish whether both preconditions hold: the binary was built with '--enable-subnet' (visible in the configure line printed by 'unbound -V') and the configuration sets 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward: yes'. Instances that fail either test are not affected by this CVE. 2) Upgrade affected instances to Unbound 1.23.1 or later, which contains the fix; this is the only complete remedy. 3) Where upgrading is delayed, stop sending ECS upstream by removing or commenting out those options (the subnet module can stay compiled in); ECS is a locality optimisation for CDN-style answers, and switching it off costs only that locality. 4) Do not try to harden ECS handling by segregating queries more finely: per-subnet segregation of outgoing queries is what the ECS specification requires and is precisely what widens the birthday window. If ECS must stay on, coarser 'max-client-subnet-ipv4' and 'max-client-subnet-ipv6' prefixes (defaults 24 and 56) reduce the number of distinct ECS values, and so the number of parallel in-flight queries per name, but this only reduces the exposure rather than removing it. 5) Watch for ID-guessing floods: the 'unwanted.replies' counter in 'unbound-control stats' counts replies that could not be matched to an outstanding query, and 'unwanted-reply-threshold' (the manual suggests 10000000) makes Unbound flush its caches and log a warning when that count is reached. 6) Enable DNSSEC validation (the validator module in 'module-config' with a configured trust anchor): a forged, unsigned answer for a signed zone fails validation and is not cached as a valid answer, so DNSSEC blunts this attack for signed names. 7) Confirm with upstream forwarders and providers how they handle ECS and that they serve DNSSEC-signed data. 8) Audit resolver configurations and upstream traffic (ECS presence, replies from unexpected sources) for signs of exploitation. These steps focus on ECS-specific build and configuration state rather than on generic hardening.
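Steps 1 and 5 above can be scripted. The following is an added example, not part of the advisory or of Unbound itself: it applies the two CVE-2025-5994 preconditions to the text of 'unbound -V' and unbound.conf, and applies an unwanted-reply rate check to 'unbound-control stats' output. The version string, configuration fragments, statistics and the alert threshold are all constructed or assumed for the demonstration; 'include:' directives in the configuration are not followed.

```python
"""Added example, not part of the advisory or of Unbound itself: triage an
Unbound instance for the two CVE-2025-5994 preconditions (built with
--enable-subnet AND sending ECS upstream) and check the unwanted-reply counter
that an ID-guessing flood drives up.  Inputs are the plain text of `unbound -V`,
of unbound.conf and of `unbound-control stats`; the samples below are
constructed for the demo, not captured from a real host."""

import re

# Constructed `unbound -V` output; only the configure line matters here.
SAMPLE_VERSION = """Version 1.23.0

Configure line: --enable-subnet --with-libevent --with-pthreads
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.13
"""

# Constructed unbound.conf fragments: one sends ECS upstream, one does not.
SAMPLE_CONF_EXPOSED = """server:
    module-config: "subnetcache validator iterator"
    send-client-subnet: 8.8.8.8        # ECS is added to queries for this upstream
    client-subnet-always-forward: no
    max-client-subnet-ipv4: 24
"""
SAMPLE_CONF_SAFE = """server:
    module-config: "subnetcache validator iterator"
    # send-client-subnet: 8.8.8.8      # commented out: ECS never leaves the box
    client-subnet-always-forward: no
"""

# Constructed `unbound-control stats` excerpt taken during a spoofing flood.
SAMPLE_STATS_FLOOD = """total.num.queries=48213
total.num.cachehits=37002
num.query.subnet=4411
num.query.subnet_cache=2300
unwanted.queries=0
unwanted.replies=1912
"""


def built_with_ecs(version_output: str) -> bool:
    """`unbound -V` prints the configure line; ECS support needs --enable-subnet."""
    return "--enable-subnet" in version_output


def ecs_sent_upstream(conf_text: str) -> list[str]:
    """Options that make Unbound add ECS to upstream queries.  Comments are
    stripped; client-subnet-always-forward counts only when 'yes', the other two
    whenever they carry a value.  include: directives are not followed."""
    found = []
    for raw in conf_text.splitlines():
        m = re.match(r"([a-z0-9-]+)\s*:\s*(.*)$", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if key in ("send-client-subnet", "client-subnet-zone") and value:
            found.append(f"{key}: {value}")
        elif key == "client-subnet-always-forward" and value.lower() == "yes":
            found.append(f"{key}: {value}")
    return found


def exposed(version_output: str, conf_text: str) -> bool:
    """Both preconditions must hold for the instance to be affected."""
    return built_with_ecs(version_output) and bool(ecs_sent_upstream(conf_text))


def parse_stats(stats_text: str) -> dict[str, int]:
    """`unbound-control stats` prints key=value lines; keep the integer counters."""
    stats = {}
    for line in stats_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and value.isdigit():
            stats[key] = int(value)
    return stats


def unwanted_reply_alert(stats: dict[str, int], per_10k: int = 50) -> bool:
    """unwanted.replies counts replies Unbound could not match to an open query:
    late or duplicate answers in normal operation, spoofed ID guesses during an
    attack.  The per-10 000-queries threshold is an assumption to tune per site.
    `stats` resets counters on each call unless statistics-cumulative is set;
    use `stats_noreset` to read without resetting."""
    queries = stats.get("total.num.queries", 0)
    return queries > 0 and stats.get("unwanted.replies", 0) * 10_000 > per_10k * queries


if __name__ == "__main__":
    # Feed real data with: unbound -V, the running config, unbound-control stats_noreset
    print("built with ECS:           ", built_with_ecs(SAMPLE_VERSION))
    print("ECS sent upstream by:     ", ecs_sent_upstream(SAMPLE_CONF_EXPOSED) or "nothing")
    print("affected by CVE-2025-5994:", exposed(SAMPLE_VERSION, SAMPLE_CONF_EXPOSED))
    stats = parse_stats(SAMPLE_STATS_FLOOD)
    print("unwanted-reply alert:     ", unwanted_reply_alert(stats), stats["unwanted.replies"])
```

On a real host, pass the output of 'unbound -V', the configuration file Unbound actually loads, and 'unbound-control stats_noreset' to these functions; the rate check is meant to run per statistics interval, since a burst of unwanted replies concentrated in one interval is the signature of a race being attempted, while a slowly growing cumulative count is usually late answers and duplicates.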
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: NLnet Labs
- Date Reserved: 2025-06-11T09:08:05.767Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6877bb51a83201eaacdbe12a
Added to database: 7/16/2025, 2:46:41 PM
Last enriched: 7/16/2025, 3:01:12 PM
Last updated: 8/28/2025, 7:36:57 PM