Google Patches Dangerous Zero-Day Flaw in Chrome


Google has rolled out a critical fix for a zero-day vulnerability (CVE-2025-2783) in its Chrome browser that has been actively exploited by sophisticated cybercriminals. The flaw, affecting Mojo—an inter-process communication (IPC) system in Chrome—has allowed attackers to bypass the browser’s sandbox protection, putting Windows users at significant risk.

Mojo is an integral component of Chrome, designed to facilitate secure communication between different browser processes while maintaining isolation for safety. The vulnerability arises from a specific error that allows malicious actors to execute code remotely with just a single click on a malicious link. Google confirmed that this flaw had been used in real-world attacks, with reports suggesting that Russian organizations, including media and educational institutions, were among the targeted victims.

Kaspersky, a Russian cybersecurity firm, disclosed the discovery of the flaw and revealed the sophisticated nature of the attacks, indicating that the malware was likely intended for espionage purposes. Google has kept further technical details under wraps, urging users and developers to apply the fix before any additional information is made publicly available.

Security experts believe that the attackers used phishing tactics to lure victims. Emails containing fake invitations to forums on economics and political science led recipients to compromised websites. Merely visiting these sites was enough for the malware to infect the victim’s system, without requiring any further interaction. This exploit bypasses Chrome’s sandbox, which is designed to prevent malicious code from accessing the host system, giving attackers full control over compromised machines.

Though Google has not yet assigned a formal severity rating, the flaw is classified as high-risk due to its ability to execute code remotely. Users are strongly advised to update their browsers immediately to Chrome version 134.0.6998.177/.178 to safeguard against potential exploitation.