Google has issued an out-of-band fix to rectify a high-severity security flaw affecting its Chrome browser for Windows. This vulnerability, tracked as CVE-2025-2783, has reportedly been exploited in the wild, particularly targeting organizations within Russia. The flaw arises from an incorrect handle provided in unspecified circumstances in Mojo on Windows. Mojo is a collection of runtime libraries facilitating inter-process communication (IPC).
In line with its usual practices, Google has refrained from disclosing extensive technical details regarding the nature of the attacks, the identities of the threat actors involved, or the specific entities that may have been affected. However, the vulnerability has been addressed in the latest Chrome versions, specifically 134.0.6998.177 and 134.0.6998.178 for Windows.
Google acknowledged in a brief advisory that they are aware of reports indicating the existence of an exploit for CVE-2025-2783 in the wild. Notably, this is the first actively exploited Chrome zero-day vulnerability reported since the beginning of the year.
The vulnerability was discovered and reported by Kaspersky researchers Boris Larin and Igor Kuznetsov on March 20, 2025. In their bulletin, Kaspersky described the zero-day exploitation of CVE-2025-2783 as a technically sophisticated targeted attack, indicative of an advanced persistent threat (APT). They are tracking this activity under the name Operation ForumTroll.
According to Kaspersky, infections occurred immediately after victims clicked on links contained in phishing emails, which opened malicious websites using the Google Chrome web browser. Once the link was clicked, no further action was necessary for the victim to become infected.
The essence of the vulnerability lies in a logical error at the junction of Chrome and the Windows operating system, allowing attackers to bypass the browser's sandbox protection. The phishing emails were crafted to appear as legitimate invitations from organizers of a reputable scientific and expert forum, known as Primakov Readings. Targets of this campaign included media outlets, educational institutions, and government organizations within Russia.
Moreover, the exploit for CVE-2025-2783 is designed to operate in conjunction with an additional exploit that enables remote code execution. Kaspersky has reported that they were unable to obtain this secondary exploit. The analyzed attack artifacts indicate a high level of sophistication among the attackers, leading researchers to confidently conclude that a state-sponsored APT group orchestrated this attack.
In light of the ongoing exploitation of CVE-2025-2783, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are strongly advised to apply the necessary fixes as they become available. Ensuring your browser is up to date is crucial for maintaining security against potential threats.
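For a fleet running Chrome on Windows, the fixed builds named above give a concrete floor to check an inventory against. The following is an added example, not code from Google or Kaspersky: the `host,version` inventory format, the hostnames and the sample versions are constructed, and it covers only Chrome for Windows because the article gives no fixed versions for other Chromium-based browsers.

```python
import re

# First fixed Chrome build for Windows, as given in the article.
FIXED = (134, 0, 6998, 177)

# Chrome versions are four dot-separated integers.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a Chrome version."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def triage(inventory_lines):
    """Sort 'host,version' lines into patched / unpatched / unknown hosts."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, raw = line.partition(",")
        version = parse_version(raw)
        if version is None:
            # Missing or malformed data is reported, never assumed safe.
            result["unknown"].append(host)
        elif version >= FIXED:
            # Tuple comparison is numeric per component; comparing the raw
            # strings would rank "...6998.89" above "...6998.177".
            result["patched"].append(host)
        else:
            result["unpatched"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    "# host,chrome_version",
    "ws-001,134.0.6998.178",
    "ws-002,134.0.6998.177",
    "ws-003,134.0.6998.89",
    "ws-004,133.0.6943.142",
    "ws-005,135.0.7049.42",
    "ws-006,",
    "ws-007,134.0.6998",
]
```

Hosts in the `unknown` bucket need a follow-up inventory pass before they can be counted as patched.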