Cyber Posture

CVE-2025-71058

Critical · RCE · Updated

Published: 07 April 2026

Modified: 21 April 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0016 (36.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-71058 is a critical-severity Code Injection (CWE-94) vulnerability in SourceForge (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 36.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-21 (Secure Name/Address Resolution Service (Recursive or Caching Resolver)) and SC-22 (Architecture and Provisioning for Name/Address Resolution Service).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SC-21 requires recursive or caching DNS resolvers to validate response authenticity and origin, directly preventing cache poisoning from forged UDP responses lacking source validation.

Prevent: SC-22 mandates architectural provisioning of DNS services with cryptographic mechanisms, supporting validation of upstream responses to mitigate poisoning attacks.

Prevent: SC-7 boundary protection restricts network communications to only legitimate upstream DNS server sources, blocking forged responses from unauthorized origins.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.

Why these techniques?

The vulnerability is a DNS cache poisoning issue in a public-facing DNS server exploitable remotely without authentication (T1190), directly enabling adversary-in-the-middle attacks by forging DNS responses to redirect client traffic (T1557).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations.

Deeper analysis · AI

CVE-2025-71058 is a DNS cache poisoning vulnerability in Dual DHCP DNS Server version 8.01. The software improperly accepts and caches UDP DNS responses without validating that they originate from a legitimate configured upstream DNS server. It matches responses primarily by transaction ID (TXID) and inserts them into the cache, which enables the injection of forged responses. The issue is classified under CWE-94 (Improper Control of Generation of Code ('Code Injection')) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A remote attacker with network access can exploit this vulnerability without privileges or user interaction by sending forged UDP DNS responses that match the TXID of legitimate queries. Successful exploitation poisons the DNS cache, allowing the attacker to redirect victims querying the server to attacker-controlled destinations, compromising traffic integrity and potentially disrupting availability through malicious insertions.
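The missing source check described above, sketched as an added example (not code from Dual DHCP DNS Server or from this page): a response is eligible for caching only if its sender address and port match the upstream that was queried, on top of the TXID and question-section checks. The `pending` struct, `accept_response`, `demo` and every sample value are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record of one outstanding upstream query (not the project's struct). */
struct pending {
    uint16_t txid;           /* host byte order */
    struct sockaddr_in dst;  /* upstream resolver the query was sent to */
    uint8_t question[64];    /* QNAME+QTYPE+QCLASS exactly as sent */
    size_t qlen;
};

/* Return 1 only if the datagram may be cached as the answer to q; 0 means drop. */
int accept_response(const struct pending *q, const struct sockaddr_in *from,
                    const uint8_t *pkt, size_t len)
{
    if (len < 12 + q->qlen) return 0;                 /* header + echoed question */
    if (!(pkt[2] & 0x80)) return 0;                   /* QR bit: must be a response */
    if ((uint16_t)((pkt[0] << 8) | pkt[1]) != q->txid) return 0;
    if (((pkt[4] << 8) | pkt[5]) != 1) return 0;      /* QDCOUNT must be 1 */
    /* Source validation: the sender must be the upstream that was queried. */
    if (from->sin_addr.s_addr != q->dst.sin_addr.s_addr) return 0;
    if (from->sin_port != q->dst.sin_port) return 0;
    return memcmp(pkt + 12, q->question, q->qlen) == 0;  /* question must match */
}

/* Constructed sample: "a.test" A/IN, TXID 0x1234, sent to 192.0.2.53:53. */
static const uint8_t Q[] = {1, 'a', 4, 't', 'e', 's', 't', 0, 0, 1, 0, 1};
int demo(uint32_t src_ip, uint16_t src_port, uint16_t txid)
{
    struct pending q = { .txid = 0x1234, .qlen = sizeof Q };
    struct sockaddr_in from = { .sin_family = AF_INET };
    uint8_t pkt[12 + sizeof Q] = { (uint8_t)(txid >> 8), (uint8_t)txid, 0x81, 0x80, 0, 1 };
    q.dst.sin_addr.s_addr = htonl(0xC0000235);        /* 192.0.2.53 */
    q.dst.sin_port = htons(53);
    memcpy(q.question, Q, sizeof Q);
    memcpy(pkt + 12, Q, sizeof Q);
    from.sin_addr.s_addr = htonl(src_ip);
    from.sin_port = htons(src_port);
    return accept_response(&q, &from, pkt, sizeof pkt);
}

int main(void)
{
    printf("%d %d\n", demo(0xC0000235, 53, 0x1234), demo(0xC6336407, 53, 0x1234));
    return 0;
}
```

Because UDP source addresses can be spoofed, this check complements rather than replaces unpredictable TXIDs and query source ports.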

References include proof-of-concept exploit code at https://github.com/FPokerFace/Security-Advisory/blob/main/CVE-2025-71058/poc.c and further details in the repository at https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058. The project page for Dual DHCP DNS Server is hosted at https://sourceforge.net/projects/dhcp-dns-server/. No vendor advisories or patches are specified in the available information.

Details

CWE(s)

Affected Products

SourceForge
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-35178 (shared CWE-94)
CVE-2024-1490 (shared CWE-94)
CVE-2024-7419 (shared CWE-94)
CVE-2025-46581 (shared CWE-94)
CVE-2025-65037 (shared CWE-94)
CVE-2025-10679 (shared CWE-94)
CVE-2024-57401 (shared CWE-94)
CVE-2026-23498 (shared CWE-94)
CVE-2026-1929 (shared CWE-94)
CVE-2026-39337 (shared CWE-94)

References