Chrome users under attack: dangerous zero-day discovered


Google has patched a dangerous zero-day vulnerability that has already been exploited by sophisticated threat actors in the wild. According to security researchers, Russian organizations were among the targets.

The high-severity vulnerability, labeled CVE-2025-2783, affects Mojo, an inter-process communication (IPC) system used internally by the Google Chrome browser.

This system helps sandbox Chrome components while still allowing processes to communicate and pass data to one another.


“There was an incorrect handle provided in unspecified circumstances in Mojo on Windows,” the company said in an advisory.

“Google is aware of reports that an exploit for CVE-2025-2783 exists in the wild.”

Although the zero-day has not yet received a numeric severity rating, it is considered a high-severity flaw that allows remote code execution with a single click on a malicious link.

Google didn’t share any additional details and said the information needs to be kept restricted until a majority of users and third-party libraries are updated with a fix, which is standard practice.

Chrome version 134.0.6998.177/.178 for Windows fixes the issue.


However, Kaspersky, a cybersecurity firm with ties to Russia, disclosed the flaw. It said sophisticated threat actors used the flaw to target Russian media, educational, and other organizations.

The victims receive phishing invitations to economic and political science forums. However, the links in the email lead to malicious websites. If a victim visits the website, they get compromised without any other action required.


The discovered zero-day helps circumvent Chrome's defense mechanism and bypass the browser’s sandbox protection due to an error in logic at the intersection between Chrome and the Windows OS.

Allegedly, the threat actor designed and delivered malware for espionage, and escaping the sandbox allows for complete system compromise. In the second stage of the attack, threat actors were observed running remote code on compromised systems.

Users are advised to update their Chrome browsers on Windows.
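For administrators who need to confirm the update across many machines, the following added example (not from Google or Kaspersky) triages an exported browser inventory against the fixed build 134.0.6998.177 named above. The inventory rows, hostnames and status labels are constructed for illustration; versions are compared numerically because a plain string comparison misorders builds such as .99 and .177.

```python
# Added example: flag Windows hosts whose Chrome build predates the fix.
import re

FIXED_BUILD = (134, 0, 6998, 177)  # from the article: 134.0.6998.177/.178 for Windows
VERSION_RE = re.compile(r"\d+(?:\.\d+){3}", re.ASCII)


def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if it is malformed."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))


def triage(inventory):
    """Map each host to patched, needs_update, unknown or out_of_scope."""
    result = {}
    for host, os_name, version in inventory:
        if os_name.lower() != "windows":
            result[host] = "out_of_scope"  # the fix cited in the article is for Windows
            continue
        parsed = parse_version(version)
        if parsed is None:
            result[host] = "unknown"       # unreadable version: verify by hand
        elif parsed >= FIXED_BUILD:        # tuple comparison is numeric per field
            result[host] = "patched"
        else:
            result[host] = "needs_update"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-001", "Windows", "134.0.6998.178"),
    ("ws-002", "Windows", "134.0.6998.99"),   # sorts above .177 as a string
    ("ws-003", "Windows", "133.0.6943.142"),
    ("ws-004", "Windows", "135.0.7049.42"),
    ("ws-005", "Windows", "unknown"),
    ("mac-001", "macOS", "134.0.6998.88"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```
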