Cyber Posture

CVE-2025-59023

High

Published: 09 February 2026

Modified: 20 April 2026
KEV Added:
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0001 (0.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-59023 is a high-severity Authentication Bypass by Capture-replay (CWE-294) vulnerability in PowerDNS Recursor. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 0.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-21 (Secure Name/Address Resolution Service (Recursive or Caching Resolver)) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: SC-21 mandates data origin authentication and integrity verification for recursive or caching DNS resolvers, directly preventing cache poisoning from crafted delegations or IP fragments.

Prevent: SI-2 requires timely identification, testing, and installation of flaw remediation patches, directly addressing the specific vulnerability in PowerDNS Recursor.

Detect: SI-7 provides for monitoring and integrity verification of software and information, enabling detection of poisoned cached delegations.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1557.001 Name Resolution Poisoning and SMB Relay (Credential Access)
By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.

Why these techniques?

The vulnerability enables remote exploitation of a public-facing DNS recursor (T1190) to achieve name resolution poisoning via cache manipulation (T1557.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Crafted delegations or IP fragments can poison cached delegations in Recursor.

Deeper analysis [AI]

CVE-2025-59023 affects PowerDNS Recursor, where crafted delegations or IP fragments can poison cached delegations. Published on 2026-02-09, this vulnerability is rated 8.2 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) and is associated with CWE-294.

Remote attackers require no privileges or user interaction and can exploit it over the network with low complexity. Successful exploitation poisons the cached delegations, resulting in high integrity impact by potentially directing DNS queries to attacker-controlled servers, alongside low availability impact.

The PowerDNS security advisory (https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html) provides further details on mitigation and patches.

Details

CWE(s)

Affected Products

powerdns
recursor
5.1.0 — 5.1.8 · 5.2.0 — 5.2.6 · 5.3.0 — 5.3.1

CVEs Like This One

CVE-2026-33258 · Same product: PowerDNS Recursor
CVE-2026-33256 · Same product: PowerDNS Recursor
CVE-2026-33260 · Same product: PowerDNS Recursor
CVE-2026-33257 · Same product: PowerDNS Recursor
CVE-2026-24028 · Same vendor: PowerDNS
CVE-2026-33608 · Same vendor: PowerDNS
CVE-2026-27854 · Same vendor: PowerDNS
CVE-2026-33598 · Same vendor: PowerDNS
CVE-2026-24030 · Same vendor: PowerDNS
CVE-2026-33254 · Same vendor: PowerDNS

References