CVE-2025-2783
Published: 2025-03-26
Priority: P182 · high · 8.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-04-17
Exploited in the wild
EPSS: 8.40% (94.3rd percentile)
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | chromium | — | — |
| debian | firefox | — | — |
| debian | firefox-esr | — | — |
| chrome | — | < 134.0.6998.177 | 134.0.6998.177 |
| chrome_chrome | — | — | — |
| mozilla | firefox | < 136.0.4 | 136.0.4 |
| mozilla | firefox | < 115.21.1 | 115.21.1 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 128.1.0 < 128.8.1 | 128.8.1 |
| msrc | microsoft_edge | — | — |
| paloalto | prisma_access | — | — |
| paloalto | prisma_browser | — | — |
Detection & IOCs (extracted from sources)
- Sandbox escape is triggered via a JavaScript call to console.debug(0x42, shellcode); monitor for this pattern in browser process telemetry or JS engine hooks.
- The exploit relays a GetCurrentThread pseudo-handle (-2) via ipcz RelayMessage to obtain a real browser-process thread handle; monitor for DuplicateHandle calls where the source handle value is -2 (0xFFFFFFFFFFFFFFFE) originating from a renderer process.
- Post-exploitation persistence uses COM hijacking: a malicious DLL is written to %localappdata%\Microsoft\Windows\Explorer\iconcache_.dll and registered under HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32.
- The exploit hooks ipcz::NodeLink::OnAcceptRelayedMessage and v8_inspector::V8Console::Debug; presence of statically compiled Mojo/ipcz libraries in a renderer process is a strong indicator of exploitation.
- The malicious site fingerprints the OS and only serves the payload to Windows users; non-Windows requests receive a message prompting the user to retry from Windows. Detect server-side OS filtering in HTTP responses as an evasion indicator.
- The validator uses the WebGPU API to compute SHA-256 of server-supplied random data before delivering the exploit; anomalous WebGPU usage in a browser tab loading external JS (bootstrap.bundle.min.js, .woff2 font files) may indicate exploit staging.
- The exploit payload is hidden inside requests to bootstrap.bundle.min.js and .woff2 font files, decrypted with an AES-GCM key exchanged via ECDH; inspect anomalous font/JS responses for encrypted binary content.
- Malicious links were personalized and extremely short-lived; by the time of analysis the exploit was no longer served at the URL, and only artifacts from the first infection wave were available for analysis.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.3 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| ghsa | 8.3 | HIGH | — |
| osv | 8.3 | HIGH | — |
| vulncheck | 8.3 | HIGH | — |
| cisa | 8.3 | HIGH | — |
| vendor_debian | 8.3 | LOW | — |
| vendor_msrc | 8.3 | HIGH | — |
| vendor_redhat | 8.3 | HIGH | — |
CISA ICS
Siemens COMOS
cisa_ics·2026-02-12·CVSS 3.4
[LOW] Siemens COMOS
ICS Advisory
Siemens COMOS
Release Date: February 12, 2026
Alert Code: ICSA-26-043-03
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
COMOS is affected by multiple vulnerabilities that could allow an attacker to execute arbitrary code or cause denial of service condition, data infiltration or perform access control violations. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.
The following versions of Siemens COMOS are affected:
- COMOS V10.4 vers:intdot/<10.4.5, vers:intdot/<10.4.5 (CVE-2024-47875, CVE-2025-278
Palo Alto
PAN-SA-2025-0008 Chromium and Prisma Browser: Monthly Vulnerability Update (April 2025)
vendor_paloalto·2025-04-09·CVSS 9.3
[CRITICAL] PAN-SA-2025-0008 Chromium and Prisma Browser: Monthly Vulnerability Update (April 2025)
PAN-SA-2025-0008 Chromium and Prisma Browser: Monthly Vulnerability Update (April 2025)
Palo Alto Networks incorporated the following security fixes into Prisma® Access Browser:
- https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html
- https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_21.html
- https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_19.html
- https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html
- https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_25.html
In addition to the above, we also fixed a vulnerability in the Prisma Access browser.
CVE Summary:
- CVE-2025-1920: Type Confusion in V8
- CVE-2025-2135: Type Confusion in V8
- CVE-2025-2136
CISA
Google Chromium Mojo Sandbox Escape Vulnerability
cisa·2025-03-27·CVSS 8.3
CVE-2025-2783 [HIGH] Google Chromium Mojo Sandbox Escape Vulnerability
Vulnerability: Google Chromium Mojo Sandbox Escape Vulnerability
Affected: Google Chromium Mojo
Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being provided in unspecified circumstances. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-2783
Remediation Due Date: 2025-04-17
Red Hat
firefox: Firefox IPC sandbox escape on windows
vendor_redhat·2025-03-27·CVSS 8.3
CVE-2025-2857 [HIGH] firefox: Firefox IPC sandbox escape on windows
firefox: Firefox IPC sandbox escape on windows
Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape.
The original vulnerability was being exploited in the wild.
*This only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1.
Statement: This vulnerability is specific to the Windows operating system and therefore does not affect any currently supported Red Hat products.
Package: firefox (Red Hat Enterprise Linux 10) - Not affected
Package: firefox (Red Hat Enterprise
Red Hat
mojo: chromium: chromium Mojo on Windows
vendor_redhat·2025-03-25·CVSS 8.3
CVE-2025-2783 [HIGH] mojo: chromium: chromium Mojo on Windows
mojo: chromium: chromium Mojo on Windows
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)
Statement: This vulnerability is specific to the Windows operating system and therefore does not affect any currently supported Red Hat products.
Chrome
Stable Channel Update for Desktop: CVE-2025-2783
vendor_chrome·2025-03-25·CVSS 8.3
CVE-2025-2783 [HIGH] Stable Channel Update for Desktop: CVE-2025-2783
Stable Channel Update for Desktop
CVE-2025-2783: Incorrect handle provided in unspecified circumstances in Mojo on Windows. Reported by Boris Larin (@oct0xor) and Igor Kuznetsov (@2igosha) of Kaspersky on 2025-03-20.
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Severity: high
Microsoft
Chromium: CVE-2025-2783 Incorrect handle provided in unspecified circumstances in Mojo on Windows
vendor_msrc·2025-03-11·CVSS 8.3
CVE-2025-2783 [HIGH] Chromium: CVE-2025-2783 Incorrect handle provided in unspecified circumstances in Mojo on Windows
Chromium: CVE-2025-2783 Incorrect handle provided in unspecified circumstances in Mojo on Windows
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 134.0.3124.93 | 3/26/2025 | 134.0.6998.177/.178 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulner
Debian
CVE-2025-2857: firefox - Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox deve...
vendor_debian·2025·CVSS 8.3
CVE-2025-2857 [HIGH] CVE-2025-2857: firefox - Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox deve...
Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. *This only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1.
Scope: local
sid: resolved
Debian
CVE-2025-2783: chromium - Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome ...
vendor_debian·2025·CVSS 8.3
CVE-2025-2783 [HIGH] CVE-2025-2783: chromium - Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome ...
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Mozilla
Mozilla Foundation Security Advisory 2025-19: CVE-2025-2783
vendor_mozilla·CVSS 8.3
CVE-2025-2783 [HIGH] Mozilla Foundation Security Advisory 2025-19: CVE-2025-2783
Mozilla Foundation Security Advisory 2025-19
CVE: CVE-2025-2783
Product: Firefox, Firefox ESR
Impact: critical
Fixed in: Firefox 136.0.4, Firefox ESR 115.21.1, Firefox ESR 128.8.1
GHSA
CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows
ghsa·2025-04-12·CVSS 8.3
CVE-2025-2783 [HIGH] CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows
CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)
https://nvd.nist.gov/vuln/detail/CVE-2025-2783
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html
https://issues.chromium.org/issues/405143032
OSV
CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows
osv·2025-04-12·CVSS 8.3
CVE-2025-2783 [HIGH] CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows
CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)
https://nvd.nist.gov/vuln/detail/CVE-2025-2783
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html
https://issues.chromium.org/issues/405143032
GHSA
GHSA-h8g5-2596-xjh9: Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code
ghsa_unreviewed·2025-03-27·CVSS 8.3
CVE-2025-2857 [HIGH] CWE-668 GHSA-h8g5-2596-xjh9: Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code
Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles to unprivileged child processes leading to a sandbox escape.
The original vulnerability was being exploited in the wild.
*This only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1.
GHSA
GHSA-hfqm-jfc6-rh2f: Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134
ghsa_unreviewed·2025-03-26
CVE-2025-2783 [HIGH] GHSA-hfqm-jfc6-rh2f: Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)
VulnCheck
Google Chromium Mojo Sandbox Escape Vulnerability
vulncheck·2025·CVSS 8.3
CVE-2025-2783 [HIGH] Google Chromium Mojo Sandbox Escape Vulnerability
Google Chromium Mojo Sandbox Escape Vulnerability
Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being provided in unspecified circumstances. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium Mojo
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edi
VulnCheck
Firefox Incorrect Handle Sandbox Escape
vulncheck·2025·CVSS 8.3
CVE-2025-2857 [HIGH] Firefox Incorrect Handle Sandbox Escape
Firefox Incorrect Handle Sandbox Escape
Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape.
The original vulnerability was being exploited in the wild.
*This only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1.
Affected: Mozilla Firefox
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.loginsoft.com/reports/annually/vu
No detection rules found.
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review
blogs_mandiant·2026-03-05
Look What You Made Us Patch: 2025 Zero-Days in Review
Threat Intelligence
# Look What You Made Us Patch: 2025 Zero-Days in Review
March 5, 2026
##### Google Threat Intelligence Group
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
### Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review
blogs_mandiant·2026-03-05
Look What You Made Us Patch: 2025 Zero-Days in Review
## Look What You Made Us Patch: 2025 Zero-Days in Review
## Google Threat Intelligence Group
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
## Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation. Both
Securelist
Operation ForumTroll continues: Russian political scientists targeted using plagiarism reports
blogs_securelist·2025-12-17·CVSS 8.3
CVE-2025-2783 [HIGH] Operation ForumTroll continues: Russian political scientists targeted using plagiarism reports
Table of Contents
- Introduction
- Emails posing as a scientific library
- A well-prepared attack
- The malicious archive
- The final payload: the Tuoni framework
- Conclusion
- Indicators of compromise
Authors
- Georgy Kucherin
## Introduction
In March 2025, we discovered Operation ForumTroll, a series of sophisticated cyberattacks exploiting the CVE-2025-2783 vulnerability in Google Chrome. We previously detailed the malicious implants used in the operation: the LeetAgent backdoor and the complex spyware Dante, developed by Memento Labs (formerly Hacking Team). However, the attackers behind this operation didn’t stop at their spring campaign and have continued to infect targets within the Russian Federation.
More reports about this threat are available to customers of the Kaspersky Intellig
Securelist
A new campaign by the ForumTroll APT group
blogs_securelist·2025-12-17·CVSS 8.3
CVE-2025-2783 [HIGH] A new campaign by the ForumTroll APT group
Table of Contents
- Introduction
- Emails posing as a scientific library
- A well-prepared attack
- The malicious archive
- The final payload: the Tuoni framework
- Conclusion
- Indicators of compromise
Authors
- Georgy Kucherin
## Introduction
In March 2025, we discovered Operation ForumTroll, a series of sophisticated cyberattacks exploiting the CVE-2025-2783 vulnerability in Google Chrome. We previously detailed the malicious implants used in the operation: the LeetAgent backdoor and the complex spyware Dante, developed by Memento Labs (formerly Hacking Team). However, the attackers behind this operation didn’t stop at their spring campaign and have continued to infect targets within the Russian Federation.
More reports about this threat are available to customers of the Kaspersk
Bleepingcomputer
Google fixes eighth Chrome zero-day exploited in attacks in 2025
blogs_bleepingcomputer·2025-12-11·CVSS 9.8
[CRITICAL] Google fixes eighth Chrome zero-day exploited in attacks in 2025
## Google fixes eighth Chrome zero-day exploited in attacks in 2025
## Sergiu Gatlan
The company has now fixed this high-severity vulnerability for users in the Stable Desktop channel, with new versions rolling out worldwide to Windows (143.0.7499.109), macOS (143.0.7499.110), and Linux users (143.0.7499.109).
While the security patch could take days or weeks to reach all users, according to Google, it was immediately available when BleepingComputer checked for updates earlier today.
If you prefer not to update manually, you can also let your web browser check for updates automatically and install them after the next launch.
Google didn't share any other details about this zero-day bug, including the CVE ID used to track it, and said it's still "under coordination."
"Access
Bleepingcomputer
Google fixes new Chrome zero-day flaw exploited in attacks
blogs_bleepingcomputer·2025-11-18·CVSS 9.8
[CRITICAL] Google fixes new Chrome zero-day flaw exploited in attacks
## Google fixes new Chrome zero-day flaw exploited in attacks
## Sergiu Gatlan
Google fixed the zero-day flaw with the release of 142.0.7444.175/.176 for Windows, 142.0.7444.176 for Mac, and 142.0.7444.175 for Linux.
While these new versions are scheduled to roll out to all users in the Stable Desktop channel over the coming weeks, the patch was immediately available when BleepingComputer checked for the latest updates.
Although the Chrome web browser updates automatically when security patches are available, users can also confirm they're running the latest version by going to Chrome menu > Help > About Google Chrome, letting the update finish, and then clicking on the 'Relaunch' button to install it.
Although Google has already confirmed that CVE-2025-13223 was used in attacks, i
Securelist
Mem3nt0 mori – The Hacking Team is back!
blogs_securelist·2025-10-27·CVSS 8.3
[HIGH] Mem3nt0 mori – The Hacking Team is back!
Table of Contents
- Attack chain
- Phishing email
- Validator
- Sandbox escape exploit
- Persistent loader
- LeetAgent
- Finding Dante
- Dante
- Conclusion
- Indicators of compromise
Authors
- Boris Larin
In March 2025, Kaspersky detected a wave of infections that occurred when users clicked on personalized phishing links sent via email. No further action was required to initiate the infection; simply visiting the malicious website using Google Chrome or another Chromium-based web browser was enough.
The malicious links were personalized and extremely short-lived to avoid detection. However, Kaspersky’s technologies successfully identified a sophisticated zero-day exploit that was used to escape Google Chrome’s sandbox. After conducting a quick analysis, we reported the vulnerability to the Google
Bleepingcomputer
Italian spyware vendor linked to Chrome zero-day attacks
blogs_bleepingcomputer·2025-10-27·CVSS 8.3
[HIGH] Italian spyware vendor linked to Chrome zero-day attacks
## Italian spyware vendor linked to Chrome zero-day attacks
## Bill Toulas
A zero-day vulnerability in Google Chrome, exploited in Operation ForumTroll earlier this year, delivered malware linked to Italian spyware vendor Memento Labs, born after IntheCyber Group acquired the infamous Hacking Team.
Operation ForumTroll was uncovered by Kaspersky in March. The campaign targeted Russian organizations - media outlets, universities, research centers, government organizations, and financial institutions, with well-crafted invitations to the Primakov Readings forum that contained a malicious link.
Loading the link in any Chromium-based web browser was enough to infect the computer system. Kaspersky researchers said that the malware delivery was done by exploiting CVE-2025-2783, a sandbox e
Securelist
Mem3nt0 mori – The Hacking Team is back!
blogs_securelist·2025-10-27·CVSS 8.3
[HIGH] Mem3nt0 mori – The Hacking Team is back!
Table of Contents
- Attack chain
- Finding Dante
- Dante
- Conclusion
- Indicators of compromise
Authors
- Boris Larin
In March 2025, Kaspersky detected a wave of infections that occurred when users clicked on personalized phishing links sent via email. No further action was required to initiate the infection; simply visiting the malicious website using Google Chrome or another Chromium-based web browser was enough.
The malicious links were personalized and extremely short-lived to avoid detection. However, Kaspersky’s technologies successfully identified a sophisticated zero-day exploit that was used to escape Google Chrome’s sandbox. After conducting a quick analysis, we reported the vulnerability to the Google security team, who fixed it as CVE-2025-2783.
Acknowledgement for find
Qualys
Patch Automation for Browsers with TruRisk™ Eliminate
blogs_qualys·2025-09-24·CVSS 9.8
CVE-2025-10585 [CRITICAL] Patch Automation for Browsers with TruRisk™ Eliminate
## Table of Contents
- Conclusion: Automated Patching is the Smarter Way
Recently, CISA added a Chrome zero-day vulnerability, CVE-2025-10585, to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that threat actors are actively exploiting this high-severity flaw in real-world attacks.
This vulnerability affects multiple web browsers that utilize the Chromium engine, including Google Chrome, Microsoft Edge, Opera, and Brave.
CISA strongly urges all organizations and individual users to prioritize updating their browsers as part of essential vulnerability management practices.
A patch is available. You can find the vulnerability in Qualys VMDR and eliminate the risk as follows:
- Find the vulnerability in VMDR
- View Risk Elimination
- Create Remediation job
We just launched a
Qualys
Automated Browser Patching with Qualys TruRisk™ Eliminate | Qualys
blogs_qualys·2025-09-24·CVSS 9.8
CVE-2025-10585 [CRITICAL] Automated Browser Patching with Qualys TruRisk™ Eliminate | Qualys
#### Table of Contents
- Conclusion: Automated Patching is the Smarter Way
Recently, CISA added a Chrome zero-day vulnerability, CVE-2025-10585, to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that threat actors are actively exploiting this high-severity flaw in real-world attacks.
This vulnerability affects multiple web browsers that utilize the Chromium engine, including Google Chrome, Microsoft Edge, Opera, and Brave.
CISA strongly urges all organizations and individual users to prioritize updating their browsers as part of essential vulnerability management practices.
A patch is available. You can find the vulnerability in Qualys VMDR and eliminate the risk as follows:
- Find the vulnerability in VMDR
- View Risk Elimination
- Create Remediation job
We just laun
Bleepingcomputer
Google patches sixth Chrome zero-day exploited in attacks this year
blogs_bleepingcomputer·2025-09-18·CVSS 9.8
[CRITICAL] Google patches sixth Chrome zero-day exploited in attacks this year
## Google patches sixth Chrome zero-day exploited in attacks this year
## Sergiu Gatlan
Google has released emergency security updates to patch a Chrome zero-day vulnerability, the sixth one tagged as exploited in attacks since the start of the year.
While it didn't specifically say whether this security flaw is still being actively abused in the wild, the company warned that it has a public exploit, a common indicator of active exploitation.
"Google is aware that an exploit for CVE-2025-10585 exists in the wild," Google warned in a security advisory published on Wednesday.
This high-severity zero-day vulnerability is caused by a type confusion weakness in the web browser's V8 JavaScript engine, reported by Google's Threat Analysis Group on Tuesday.
Google TAG frequently flags zero-d
Bleepingcomputer
Google fixes actively exploited sandbox escape zero day in Chrome
blogs_bleepingcomputer·2025-07-16·CVSS 8.8
[HIGH] Google fixes actively exploited sandbox escape zero day in Chrome
## Google fixes actively exploited sandbox escape zero day in Chrome
## Bill Toulas
ANGLE (Almost Native Graphics Layer Engine) is an open-source graphics abstraction layer used by Chrome to translate OpenGL ES API calls to Direct3D, Metal, Vulkan, and OpenGL.
Because ANGLE processes GPU commands from untrusted sources like websites using WebGL, bugs in this component can have a critical security impact.
The vulnerability allows a remote attacker using a specially crafted HTML page to execute arbitrary code within the browser’s GPU process. Google has not provided the technical details on how triggering the issue could lead to escaping the browser's sandbox.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” states Google in the
Bleepingcomputer
Google patches new Chrome zero-day bug exploited in attacks
blogs_bleepingcomputer·2025-06-03·CVSS 8.3
[HIGH] Google patches new Chrome zero-day bug exploited in attacks
## Google patches new Chrome zero-day bug exploited in attacks
## Sergiu Gatlan
Google says the issue was mitigated one day later by a configuration change the company pushed to the Stable channel across all Chrome platforms.
On Monday, it also fixed the zero-day with the release of 137.0.7151.68/.69 for Windows/Mac and 137.0.7151.68 for Linux, versions that are rolling out to users in the Stable Desktop channel over the coming weeks.
While Chrome will automatically update when new security patches are available, users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the 'Relaunch' button to install it immediately.
While Google has already confirmed that CVE-2025-5419 is being exploited in the wild, the company
Bleepingcomputer
CISA tags recently patched Chrome bug as actively exploited
blogs_bleepingcomputer·2025-05-16·CVSS 4.3
CVE-2025-4664 [MEDIUM] CISA tags recently patched Chrome bug as actively exploited
## CISA tags recently patched Chrome bug as actively exploited
## Sergiu Gatlan
On Thursday, CISA warned U.S. federal agencies to secure their systems against ongoing attacks exploiting a high-severity vulnerability in the Chrome web browser.
Solidlab security researcher Vsevolod Kokorin discovered the flaw (CVE-2025-4664) and shared technical details online on May 5th. Google released security updates to patch it on Wednesday.
As Kokorin explained, the vulnerability is due to insufficient policy enforcement in Google Chrome's Loader component, and successful exploitation can allow remote attackers to leak cross-origin data via maliciously crafted HTML pages.
"You probably know that unlike other browsers, Chrome resolves the Link header on subresource requests. But what's the problem?
Bleepingcomputer
Google fixes high severity Chrome flaw with public exploit
blogs_bleepingcomputer·2025-05-15·CVSS 8.3
[HIGH] Google fixes high severity Chrome flaw with public exploit
## Google fixes high severity Chrome flaw with public exploit
## Sergiu Gatlan
The vulnerability was discovered by Solidlab security researcher Vsevolod Kokorin and is described as an insufficient policy enforcement in Google Chrome's Loader component that lets remote attackers leak cross-origin data via maliciously crafted HTML pages.
"You probably know that unlike other browsers, Chrome resolves the Link header on subresource requests. But what's the problem? The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters," Kokorin explained .
"Query parameters can contain sensitive data - for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parame
Checkpoint
31st March – Threat Intelligence Report
blogs_checkpoint·2025-04-01
CVE-2025-2783 31st March – Threat Intelligence Report
## 31st March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 31st March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
New York University (NYU) suffered a cyber-attack which resulted in the exposure of over 3 million applicants’ data, including names, test scores, majors, and zip codes. The hacker redirected NYU’s website to display this information, alleging the university’s continued use of race-sensitive admissions policies despite the Su
Securelist
Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain
blogs_securelist·2025-03-25·CVSS 8.3
[HIGH] Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain
Authors
- Igor Kuznetsov
- Boris Larin
In mid-March 2025, Kaspersky technologies detected a wave of infections by previously unknown and highly sophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers’ website was opened using the Google Chrome web browser. No further action was required to become infected.
All malicious links were personalized and had a very short lifespan. However, Kaspersky’s exploit detection and protection technologies successfully identified the zero-day exploit that was used to escape Google Chrome’s sandbox. We quickly analyzed the exploit code, reverse-engineered its logic, and confirmed that it was based on a zero-day vulnerability affecting the latest version of Google Chrome
Securelist
Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain
blogs_securelist·2025-03-25·CVSS 8.3
CVE-2025-2783 [HIGH] Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain
Acknowledgement for finding CVE-2025-2783 (excerpt from security fixes included into Chrome 134.0.6998.177/.178)
Example of a malicious email used in this campaign (translated from Russian)
At the time of writing, there’s no exploit active at the malicious link – it just redirects visitors to the official website of “Primakov Readings”. However, we strongly advise against clicking on any potentially m
Threat Intel
Team46
threat_intel·CVSS 8.4
CVE-2025-2783 [HIGH] Team46
# Threat Actor: Team46
## Description
Team46 is a sophisticated APT group active since at least late 2024, targeting Russian government, academic, and media organizations through spearphishing emails disguised as forum invitations or service notifications. They exploit zero-day vulnerabilities like CVE-2025-2783 in Google Chrome (March 2025, Operation ForumTroll) and CVE-2024-6473 in Yandex Browser, deploying multi-stage loaders (e.g., winsta.dll, donut shellcode) that decrypt payloads using machine-specific keys like firmware UUID for environmental guardrails. Key malware includes the Trinper backdoor for keylogging, clipboard theft, file/process discovery, and encrypted C2 exfiltration over HTTPS with domain fronting, alongside auxiliary .NET tools (dirlist.exe, ProcessList.exe) and var
Threat Intel
Operation ForumTroll
threat_intel·CVSS 8.3
CVE-2025-2783 [HIGH] Operation ForumTroll
# Threat Actor: Operation ForumTroll
## Description
Operation ForumTroll is a sophisticated cyber espionage campaign discovered by Kaspersky in mid-March 2025. The attack exploited a zero-day vulnerability in Google Chrome, identified as CVE-2025-2783, which allowed attackers to bypass the browser's security features. Victims were infected by clicking on personalized phishing links in emails, allegedly from the organizers of the "Primakov Readings" forum, targeting media outlets, educational institutions, and government organizations in Russia. The goal of the attack appears to be espionage, and the campaign is believed to be the work of a state-sponsored APT group. Google quickly released an update to fix the vulnerability after being notified by Kaspersky.
Bugzilla
CVE-2025-2857 firefox: Firefox IPC sandbox escape on windows
bugzilla·2025-03-27·CVSS 8.3
CVE-2025-2857 [HIGH] CVE-2025-2857 firefox: Firefox IPC sandbox escape on windows
CVE-2025-2857 firefox: Firefox IPC sandbox escape on windows
Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles into unprivileged child processes, leading to a sandbox escape.
The original vulnerability was being exploited in the wild.
*This only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1.
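A defensive illustration of the pattern the Firefox and Chromium bug reports describe, added here and not taken from either project's code: a broker-side check that refuses Windows pseudo handle values arriving from a sandboxed child before any duplication happens. The integer handle model, the `win_handle_t` alias and the function names are assumptions made for this example.

```c
/* Added example, not Chromium's or Firefox's code: the kind of gate a
 * privileged parent (broker) should apply to a handle value it receives from
 * a sandboxed child before handing it to DuplicateHandle(). The bug reports
 * above describe the parent being confused into leaking its own handles;
 * Windows pseudo handles (GetCurrentProcess() == -1, GetCurrentThread() == -2,
 * and the token pseudo handles -4 .. -6) are the classic way to cause that,
 * because they name "the caller's" object rather than an entry in the
 * child's handle table. Modelled with plain integers so it builds and runs
 * without <windows.h>. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef intptr_t win_handle_t;  /* stands in for HANDLE */

/* Microsoft documents -1, -2, -4, -5 and -6 as pseudo handles; the check is
 * written as a range so -3 (never a valid table entry either) is caught too. */
#define PSEUDO_HANDLE_MIN ((win_handle_t)-6)
#define PSEUDO_HANDLE_MAX ((win_handle_t)-1)

bool handle_is_pseudo(win_handle_t h) {
    return h >= PSEUDO_HANDLE_MIN && h <= PSEUDO_HANDLE_MAX;
}

/* Real user-mode handle values are positive multiples of 4 (the low two bits
 * are reserved for application tagging), so anything else cannot be a handle
 * the child actually owns. */
bool handle_value_plausible(win_handle_t h) {
    return h > 0 && (h & 3) == 0;
}

/* Returns true only if the value may proceed to duplication. Rejections are
 * logged with the child's pid: a sandboxed child presenting -1 or -2 is the
 * pattern a detection pipeline should alert on. */
bool broker_accept_child_handle(int child_pid, win_handle_t h) {
    if (handle_is_pseudo(h)) {
        fprintf(stderr, "child %d sent pseudo handle %lld: rejected\n",
                child_pid, (long long)h);
        return false;
    }
    if (!handle_value_plausible(h)) {
        fprintf(stderr, "child %d sent malformed handle %lld: rejected\n",
                child_pid, (long long)h);
        return false;
    }
    return true;
}
```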
Bugzilla
Investigate Windows Chromium pseudo handle issue
bugzilla·2025-03-26·CVSS 8.3
CVE-2025-2783 [HIGH] Investigate Windows Chromium pseudo handle issue
Investigate Windows Chromium pseudo handle issue
Chromium [patched a zero-day today](https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html) with this odd description:
> Incorrect handle provided in unspecified circumstances in Mojo on Windows.
There's a blog post about it [by the people who found it](https://securelist.com/operation-forumtroll/115989/) which doesn't have too many details but it does say:
> The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist. The cause of this was a logical error at the intersection of Google Chrome’s sandbox and the Windows operating system.
The pa
2025-03-26
Published
2025-03-27
Added to CISA KEV
Exploited in the wild