Google has issued out-of-band fixes for a serious security flaw, CVE-2025-2783, in its Chrome browser for Windows. This flaw has been exploited in targeted phishing attacks against organizations in Russia. Described as a logic error in inter-process communication libraries, the vulnerability undermines the browser's sandbox protection. The first actively exploited zero-day of the year, it was reported by Kaspersky researchers and poses significant risks as attackers impersonate legitimate sources in phishing emails, leading to immediate infection upon clicking malicious links.
"In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers' website was opened using the Google Chrome web browser."
"Google is aware of reports that an exploit for CVE-2025-2783 exists in the wild," the tech giant acknowledged in a terse advisory.
"The essence of the vulnerability comes down to an error in logic at the intersection of Chrome and the Windows operating system that allows bypassing the browser's sandbox protection."
CVE-2025-2783 is the first actively exploited Chrome zero-day since the start of the year, credited to Kaspersky researchers Boris Larin and Igor Kuznetsov.
Collection
[
|
...
]