{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/nlnet-labs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Unbound"],"_cs_severities":["medium"],"_cs_tags":["unbound","dns","cache poisoning","domain hijacking","defense-evasion"],"_cs_type":"threat","_cs_vendors":["NLnet Labs"],"content_html":"\u003cp\u003eA vulnerability exists within NLnet Labs Unbound DNS resolver that could be exploited by a threat actor positioned on an adjacent network. Successful exploitation allows the attacker to manipulate the DNS cache. This manipulation could redirect users to malicious servers when they attempt to access legitimate domains. This can lead to various malicious outcomes, including credential theft, malware distribution, or disinformation campaigns. This vulnerability poses a significant risk to organizations relying on Unbound for DNS resolution as it can undermine the integrity of their network traffic. 
Defenders should implement detection and mitigation strategies to protect against potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to an adjacent network or performs an on-path attack.\u003c/li\u003e\n\u003cli\u003eThe attacker sends malicious DNS responses to the Unbound resolver.\u003c/li\u003e\n\u003cli\u003eThe malicious responses contain false information about the IP addresses of legitimate domains.\u003c/li\u003e\n\u003cli\u003eThe Unbound resolver caches the false DNS information.\u003c/li\u003e\n\u003cli\u003eA user on the network queries the Unbound resolver for a legitimate domain.\u003c/li\u003e\n\u003cli\u003eUnbound returns the attacker-controlled IP address from its poisoned cache.\u003c/li\u003e\n\u003cli\u003eThe user is redirected to a malicious server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform malicious activities, such as serving malware or stealing credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to widespread domain hijacking within the affected network. Users attempting to access legitimate websites would be redirected to attacker-controlled servers, potentially exposing them to malware infections or phishing attacks. The impact could range from credential theft and financial loss to the spread of misinformation. 
The number of affected victims depends on the size of the network relying on the vulnerable Unbound resolver.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Unbound DNS Cache Poisoning\u003c/code\u003e to identify suspicious DNS responses indicative of cache poisoning attempts (log source: \u003ccode\u003edns_query\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for DNS queries resolving to unusual or unexpected IP addresses, especially those originating from the adjacent network (log source: \u003ccode\u003enetwork_connection\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T12:15:00Z","date_published":"2026-05-19T12:15:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-unbound-cache-poisoning/","summary":"A vulnerability in Unbound allows an attacker from an adjacent network to manipulate the cache, potentially leading to domain hijacking.","title":"Unbound Cache Poisoning Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-unbound-cache-poisoning/"}],"language":"en","title":"CraftedSignal Threat Feed — NLnet Labs","version":"https://jsonfeed.org/version/1.1"}