Multiple vulnerabilities in Mozilla products could put governments and businesses at risk


Mozilla has patched multiple vulnerabilities that could have enabled attackers to hijack user devices.

Multiple vulnerabilities have been discovered in Mozilla products, including Firefox and Firefox ESR web browsers and Thunderbird and Thunderbird ESR email clients.

The most dangerous discovered vulnerability could allow threat actors to execute arbitrary code on a user's device without the victim realizing they’ve been compromised.


Attackers can infect a device using the Drive-by Compromise technique, where simply visiting a malicious website is enough to compromise the device. Depending on the privileges of the logged-in user, an attacker could install programs; access, modify, or delete data; and even create new accounts with full user permissions.

The discovered vulnerabilities are particularly dangerous for system administrators, putting medium and large organizations and governmental institutions at the highest risk of exploitation. The risk for home users remains low.

Mozilla products affected:

  • Thunderbird versions prior to ESR 128.8
  • Thunderbird versions prior to 136
  • Firefox ESR versions prior to 128.8
  • Firefox ESR versions prior to 115.2.1
  • Firefox versions prior to 136
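To act on this list, a defender wants to know which installed builds still fall below the fixed versions. The following Python check is an added example, not code from Mozilla or from the article; its thresholds are the ones stated above, and the inventory lines it scans are constructed sample data.

```python
"""Flag Mozilla product installs that fall below the fixed versions listed above."""
import csv
import io
import re

# Fix thresholds per release branch, as stated in the article.
# Keys are the major version that identifies an ESR line, or "main" for mainline.
FIXED = {
    "firefox": {115: (115, 2, 1), 128: (128, 8, 0), "main": (136, 0, 0)},
    "thunderbird": {128: (128, 8, 0), "main": (136, 0, 0)},
}

# Constructed sample inventory (hypothetical hosts), e.g. exported from an asset tool.
INVENTORY = """\
host,product,version
ws01,firefox,135.0.1
ws02,firefox,128.7.0esr
srv03,firefox,128.8.0esr
ws04,thunderbird,136.0
ws05,thunderbird,128.7.1esr
"""


def parse_version(text):
    """Turn '128.7.0esr' or '135.0.1' into a 3-tuple of ints, ignoring suffixes."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(product, version):
    """True if the installed version is below the fix for its own branch.

    An ESR install stays on its major line (115 or 128), so it is compared
    against that line's threshold; anything else is compared to mainline.
    """
    v = parse_version(version)
    branches = FIXED[product.lower()]
    threshold = branches.get(v[0], branches["main"])
    return v < threshold


def triage(csv_text):
    """Return the hosts whose recorded product version is still affected."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["host"] for r in rows if is_affected(r["product"], r["version"])]


if __name__ == "__main__":
    print("Hosts needing an update:", triage(INVENTORY))
```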

Among the most severe vulnerabilities, the following could enable attackers to crash systems, steal data, or execute malicious code:

  • CVE-2024-43097 could cause a memory overflow in graphics rendering, leading to crashes or exploits.
  • CVE-2025-1930 and CVE-2025-1931 involve use-after-free (UAF) bugs in AudioIPC and WebTransportChild, which could let attackers escape browser sandboxes or execute remote code.
  • CVE-2025-1932 could allow unauthorized memory access via an XSLT sorting flaw, potentially causing crashes or data leaks.
  • CVE-2025-1933 could corrupt WASM i32 return values on 64-bit CPUs, leading to incorrect execution or security risks.
  • CVE-2025-1937, CVE-2025-1938, and CVE-2025-1943 involve memory safety bugs in Firefox and Thunderbird that could enable remote code execution.
  • CVE-2025-1939 could be exploited through Android Custom Tabs animations for tapjacking, tricking users into granting unintended permissions.

Exploiting vulnerabilities considered of lower severity could still let attackers steal data, trick users, or run malicious code:

  • CVE-2025-26696 could make a fake encrypted email look real, exposing sensitive info.
  • CVE-2025-26695 could let attackers swap OpenPGP keys, enabling impersonation.
  • CVE-2025-1934 could crash the browser or run harmful code.
  • CVE-2025-1935 could trick users into registering malicious protocol handlers.
  • CVE-2025-1936 could hide malware inside JAR files by faking file extensions.
  • CVE-2025-1942 could leak memory data when converting text.
  • CVE-2025-1940 could tapjack Android prompts, tricking users into confirming unwanted actions.
  • CVE-2024-9956 could allow passkey phishing over Bluetooth.
  • CVE-2025-1941 could bypass the lock screen of Firefox Focus for Android, exposing browser data.

On March 4th, Mozilla released a security advisory that addressed the issues. Updating Mozilla software is highly advisable. So far, there are no reports of these vulnerabilities being exploited in the wild.

Last year, Mozilla patched a critical zero-day vulnerability affecting Firefox and Thunderbird that Russian hackers had already exploited. The cybercrooks used the vulnerability to run arbitrary code without any user interaction, just by luring the victim to a web page hosting an exploit.