This article was originally published here:
https://pducklin.com/2025/03/26/chrome-zero-day-used-in-wild
Users of Chrome on Windows, check that you have at least version 134.0.6998.177 to block this bug.
Assume that every Chrome-based Windows browser, including Chromium and Edge, will need updating, too, though the version numbers may be different.
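One practical way to act on the advice above is to compare installed build numbers numerically, field by field, rather than as text, because a plain string comparison treats "134.0.6998.89" as newer than "134.0.6998.177". The following Python is an added example, not code from the article or from Google; it assumes a constructed inventory export (hostname, OS, browser, version) and applies the article's minimum build only to Chrome on Windows, since the article says Edge and other Chromium-based browsers carry different numbers and that macOS and Linux builds show an older number without being at risk.

```python
"""Added example (not part of the original article): triage a browser inventory
against the fixed Chrome build named for CVE-2025-2783 on Windows.

Versions are compared as tuples of integers; comparing the dotted strings
directly is a common mistake and gets the answer backwards."""

from typing import Dict, List, Tuple

# Minimum fixed build quoted in the article; the advisory treats it as Windows-specific.
CHROME_WINDOWS_MIN = "134.0.6998.177"

NOT_ASSESSED = "not assessed by this check"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Chromium-style dotted version ("134.0.6998.177") into an int tuple."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chromium-style version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, minimum: str = CHROME_WINDOWS_MIN) -> bool:
    """True if the installed build is at least the fixed build.

    Shorter strings are padded with zeros so "135.0" compares as "135.0.0.0"."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def assess(record: Dict[str, str]) -> str:
    """Classify one inventory record.

    Only Windows + Chrome is checked against the article's build number; Edge and
    other Chromium browsers use different numbering, and non-Windows builds are
    described as not at risk, so those records are reported as not assessed."""
    if record["os"] != "Windows" or record["browser"] != "Chrome":
        return NOT_ASSESSED
    return "patched" if is_patched(record["version"]) else "needs update"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, str]:
    """Map hostname -> status for every record in the inventory."""
    return {rec["host"]: assess(rec) for rec in inventory}


# Constructed sample inventory (hypothetical hosts and version strings).
INVENTORY: List[Dict[str, str]] = [
    {"host": "win-01", "os": "Windows", "browser": "Chrome", "version": "134.0.6998.177"},
    {"host": "win-02", "os": "Windows", "browser": "Chrome", "version": "134.0.6998.89"},
    {"host": "win-03", "os": "Windows", "browser": "Chrome", "version": "135.0.7000.0"},
    {"host": "win-04", "os": "Windows", "browser": "Edge", "version": "134.0.0.0"},
    {"host": "mac-01", "os": "macOS", "browser": "Chrome", "version": "134.0.6998.118"},
]


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:8} {status}")
```

The interesting record is win-02: its build number sorts after the fixed build as a string, but the numeric comparison correctly reports it as needing the update. Records the article's number does not cover are left unassessed rather than silently marked safe.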
Google’s release notes say, in its traditionally ambiguous language, that the company “is aware of reports that an exploit for CVE-2025-2783 exists in the wild,” but researchers at Russian anti-virus outfit Kaspersky claim to have recovered samples of a working exploit from a phishing site with a link that pretends to be a Russian economic think-tank.
(The URL of the real site is [nameoforg].ru, while the imposter site is the believably similar [nameoforg].info.)
According to the researchers, the bogus site was promoted via email invitations to a well-known annual conference put on by [nameoforg].
Note. Although Firefox isn’t based on Google’s Chromium engine, Mozilla developers reviewed their own code and found a very similar bug in Firefox, which they promptly updated, too. If you have Firefox in any form (the regular version or one of the business-oriented Extended Support Releases), be sure to patch promptly.
Victims would need to click through to take a look at the bogus site, but the exploit, which is a sandbox bypass allowing malicious code to escape from the browser’s security controls, would then apparently be activated invisibly and automatically.
Victims therefore wouldn’t see any “are you sure” dialogs or other pop-up warnings, so that merely viewing the rogue page could be enough to leave them silently infected with malicious code.
The researchers say that this sandbox escape isn’t enough on its own to implant malware, but that it seems to open the door to infection by enabling a subsequent code-execution exploit to run without being blocked.
They admit that they weren’t able to get hold of the second exploit, but that they disclosed the sandbox escape so it could be patched promptly.
If the code execution trick is a second zero-day, which seems likely, the cybercriminals may have gone out of their way to avoid deploying it against visitors they thought might be researchers rather than likely victims.
Interestingly, Google’s release notes imply not only that this exploit is unique to Windows, but also that the 134.0.6998.177 version number is a Windows-specific update.
In other words, if you are a macOS or Linux user, you will still see an older version number, but will presumably not be at risk.
Patch early, patch often.
In other words, don't delay: check today!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!