CVE-2025-59023

Severity: High

Published: 09 February 2026

Modified: 20 April 2026
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0027 (18.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-59023 is a high-severity Authentication Bypass by Capture-replay (CWE-294) vulnerability in PowerDNS Recursor. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 18.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-21 (Secure Name/Address Resolution Service (Recursive or Caching Resolver)) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59023 affects PowerDNS Recursor, where crafted delegations or IP fragments can poison cached delegations. Published on 2026-02-09, this vulnerability is rated 8.2 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) and is associated with CWE-294.

Remote attackers require no privileges or user interaction and can exploit it over the network with low complexity. Successful exploitation poisons the cached delegations, resulting in high integrity impact by potentially directing DNS queries to attacker-controlled servers, alongside low availability impact.

The PowerDNS security advisory (https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html) provides further details on mitigation and patches.

Vulnerability details

Crafted delegations or IP fragments can poison cached delegations in Recursor.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1557.001 Name Resolution Poisoning and SMB Relay (Credential Access)
By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system.

Why these techniques?

The vulnerability enables remote exploitation of a public-facing DNS recursor (T1190) to achieve name resolution poisoning via cache manipulation (T1557.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33258 (same product: PowerDNS Recursor)
CVE-2026-33256 (same product: PowerDNS Recursor)
CVE-2026-33260 (same product: PowerDNS Recursor)
CVE-2026-33257 (same product: PowerDNS Recursor)
CVE-2026-24028 (same vendor: PowerDNS)
CVE-2026-24030 (same vendor: PowerDNS)
CVE-2026-33608 (same vendor: PowerDNS)
CVE-2026-33598 (same vendor: PowerDNS)
CVE-2026-27854 (same vendor: PowerDNS)
CVE-2026-33610 (same vendor: PowerDNS)

Affected Assets

Vendor: powerdns
Product: recursor
Affected versions: 5.1.0 to 5.1.8, 5.2.0 to 5.2.6, 5.3.0 to 5.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-21 mandates data origin authentication and integrity verification for recursive or caching DNS resolvers, directly preventing cache poisoning from crafted delegations or IP fragments.

Prevent: SI-2 requires timely identification, testing, and installation of flaw remediation patches, directly addressing the specific vulnerability in PowerDNS Recursor.

Detect: SI-7 provides for monitoring and integrity verification of software and information, enabling detection of poisoned cached delegations.
