Users of Chrome on Windows, check that you have at least version 134.0.6998.177 to block this bug.
Assume that every Chrome-based Windows browser, including Chromium and Edge, will need updating, too, though the version numbers may be different.
Google’s release notes say, in its traditionally ambiguous language, that the company “is aware of reports that an exploit for CVE-2025-2783 exists in the wild,” but researchers at Russian anti-virus outfit Kaspersky claim to have recovered samples of a working exploit from a phishing site with a link that pretends to be a Russian economic think-tank.
(The URL of the real site is [nameoforg].ru, while the imposter site is the believably similar [nameoforg].info.)
According to the researchers, the bogus site was promoted via email invitations to a well-known annual conference put on by [nameoforg].
Note. Although Firefox isn’t based on Google’s Chromium engine, Mozilla developers reviewed their own code and found a very similar bug in Firefox, which they promptly updated, too. If you have Firefox in any form (the regular version or one of the business-oriented Extended Support Releases), be sure to patch promptly.
What could go wrong?
Victims would need to click through to take a look at the bogus site, but the exploit, which is a sandbox bypass allowing malicious code to escape from the browser’s security controls, would then apparently be activated invisibly and automatically.
Victims therefore wouldn’t see any “are you sure” dialogs or other pop-up warnings, so that merely viewing the rogue page could be enough to leave them silently infected with malicious code.
The researchers say that this sandbox escape isn’t enough on its own to implant malware, but that it seems to open the door to infection by enabling a subsequent code-execution exploit to run without being blocked.
They admit that they weren’t able to get hold of the second exploit, but that they disclosed the sandbox escape so it could be patched promptly.
If the code execution trick is a second zero-day, which seems likely, the cybercriminals may have gone out of their way to avoid deploying it against visitors they thought might be researchers rather than likely victims.
Interestingly, Google’s release notes imply not only that this exploit is unique to Windows, but also that the 134.0.6998.177 version number is a Windows-specific update.
In other words, if you are a macOS or Linux user, you will still see an older version number, but will presumably not be at risk.
What to do?
Patch early, patch often.
In other words, Don’t delay: Check today!
Learn more about SolCyber’s mobile security solution that goes beyond traditional MDM (mobile device management) software, and offers active on-device protection that’s more like the EDR (endpoint detection and response) tools you are used to on laptops, desktops and servers:
More About Duck
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Paul Ducklin
03/26/2025
Share this article:
Table of contents:
The world doesn’t need another traditional MSSP or MDR or XDR.
We start with identity and end with transparency — protecting where attacks begin and keeping you informed, with as much visibility as you want. No black boxes, just clear, expert-driven security.
I am interested in SolCyber Foundational Coverage™
I am interested in a Free Demo
11222
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Privacy policy