Google has issued an emergency security update for its Chrome browser on Windows to address a high-severity zero-day vulnerability, identified as CVE-2025-2783, which has been actively exploited in targeted attacks against organizations in Russia.
Details of the Vulnerability
CVE-2025-2783 is described as an “incorrect handle provided in unspecified circumstances in Mojo on Windows.” Mojo is a set of runtime libraries facilitating platform-agnostic inter-process communication (IPC). The flaw allows attackers to bypass Chrome’s sandbox protections, enabling unauthorized access to the system.
Discovery and Exploitation
Researchers Boris Larin and Igor Kuznetsov from Kaspersky discovered and reported the vulnerability on March 20, 2025. The attacks, dubbed “Operation ForumTroll,” involved sophisticated phishing emails containing malicious links. Upon clicking these links, the victims’ systems were infected without any further action required. The phishing emails masqueraded as invitations from the organizers of the legitimate scientific forum, Primakov Readings, and targeted media outlets, educational institutions, and government organizations in Russia.
Google’s Response
In response to the active exploitation, Google released out-of-band fixes in Chrome version 134.0.6998.177/.178 for Windows. The company acknowledged the reports of the exploit in the wild but has not disclosed additional technical specifics about the attacks or the threat actors involved.
Recommendations for Users
Users of Chrome on Windows are strongly advised to update their browsers to the latest version immediately to mitigate potential threats. Additionally, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should apply the available fixes promptly. It is also recommended to exercise caution with unsolicited emails and avoid clicking on unknown links to prevent potential infections.
This incident underscores the critical importance of timely software updates and vigilance against phishing attempts to maintain cybersecurity.