Chrome and Firefox Exploits Expose Millions to Spyware | Image Source: securelist.com
WASHINGTON, D.C., March 28, 2025 – In a growing cybersecurity scare that has alarmed the world’s digital defense experts, Google Chrome and Mozilla Firefox have come under fire for critical zero-day vulnerabilities that compromise the sandbox – a central line of defense in modern browsers. The attacks, which first hit Chrome users and later led to the discovery of a similar flaw in Firefox, raised serious concerns about the security of browsing platforms used by billions worldwide.
According to Kaspersky, the Russian cybersecurity company that detected the Chrome vulnerability, the exploit was discovered amid a surge in sophisticated malware attacks in mid-March 2025. The campaign, dubbed “Operation ForumTroll” internally, involved highly targeted phishing emails that lured victims – mainly Russian journalists, academics and government staff – into clicking links that immediately compromised their systems through a flaw tracked as CVE-2025-2783.
The exploit bypassed the Chrome sandbox – a critical mechanism that isolates web pages and plug-ins so that a compromised site cannot affect anything else. In this case, simply clicking a malicious link was enough to let attackers slip past Chrome’s protections and execute further code, with no other action by the user. Kaspersky researchers Igor Kuznetsov and Boris Larin describe the flaw as particularly insidious because the browser behaves as if its defenses did not even exist.
What is a sandbox and why is it important?
In security terms, a sandbox is like a padded playpen for your browser’s tabs and extensions. Even if a tab loads malicious content, the sandbox keeps it confined. But if attackers escape it, they gain access to the rest of the system. In Chrome’s case, the attackers did not pick the lock – they found a hidden door, thanks to a logic error in Google’s internal inter-process communication (IPC) framework, Mojo.
Mojo is responsible for letting different parts of the browser talk to each other without letting any of them overstep its boundaries. But under certain specific conditions on Windows, an incorrect handle was passed, which the attackers cleverly exploited to break out of the sandbox. The problem is subtle but dangerous – and, more painfully, it had already been exploited in the wild by state-sponsored threat actors, according to Kaspersky’s investigation.
Who’s behind these attacks?
According to Kaspersky’s findings, the malware in question bore the hallmarks of a state-sponsored advanced persistent threat (APT) group. Although attribution in cyber espionage is notoriously murky, the level of sophistication and the focus on espionage point to a well-resourced organization. The phishing emails imitated invitations to the “Primakov Readings”, a legitimate Russian academic forum. These fake invitations were crafted to trick targets into opening the malicious link, starting the infection immediately.
Curiously, the exploit did not appear to be a standalone weapon. It was meant to be used in tandem with another, unidentified exploit capable of remote code execution. While Kaspersky did not capture this second exploit, it warned that the Chrome update now breaks the attack chain before the malware can do its worst.
Is Firefox also affected?
Mozilla did not waste any time acting. According to Mozilla’s security advisory, the Chrome exploit prompted a closer inspection of Firefox’s own IPC mechanisms. Engineers soon discovered a strikingly similar vulnerability, now tracked as CVE-2025-2857. Although there is no evidence that this Firefox flaw was exploited, it carried the same underlying risk: a compromised child process could trick the parent process into granting it undue privileges, allowing a sandbox escape on Windows machines.
Firefox users on version 136.0.4, ESR 115.21.1 or ESR 128.8.1 are now protected. The Tor Project, which builds its privacy-focused browser on the Firefox code base, also issued an emergency patch, version 14.0.8, for Windows users. Mozilla confirmed that other operating systems such as Linux and macOS are not affected.
How urgent is the Chrome update, really?
Very urgent. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Chrome vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered all federal agencies to apply the patch by April 17. For those that cannot update, CISA states plainly that they must “discontinue use of the product”. Although the directive binds only federal systems, the same guidance applies to any company or organization that cares about its digital integrity.
Google has already pushed Chrome version 134.0.6998.177/.178 for Windows to fix CVE-2025-2783. If you are a Windows user, updating your browser and restarting it is non-negotiable, especially since attackers could trigger an infection without the victim lifting a finger beyond clicking a link.
What are the implications for other Chromium-based browsers?
Since Chromium – the open source engine behind Chrome – also powers Microsoft Edge, Opera, Brave and others, the same IPC vulnerability likely exists in those browsers as well. Although fixes for these platforms have not been confirmed individually, users should be proactive: check for patches or switch to a browser that has already corrected the flaw.
It’s not just a Google problem. It’s a wake-up call for the entire browser ecosystem. IPC mechanisms are often overlooked because they are buried deep in the browser architecture, but as this incident shows, a single error there can lead to devastating breaches.
Why were Russians targeted, and should others worry?
The malware campaign appeared highly targeted, focusing on individuals critical of Russia’s ongoing actions in Ukraine. Some phishing sites even posed as the CIA and Ukrainian telephone hotlines. According to Silent Push, a cybersecurity company, these fake websites were designed to collect personal data from politically vulnerable Russians. While the initial wave was regional, once a sandbox escape becomes public knowledge, the exploit code often ends up in broader criminal hands.
That is the real danger. Once a technique proves successful, it trickles down from elite APT groups to ransomware, hacktivist and cybercrime-for-hire gangs. Although the original targets were high-value individuals, the next wave of victims could be anyone running an outdated browser.
What should users do now?
- Update Chrome: Make sure you’re running version 134.0.6998.177/.178 or later, then restart your browser.
- Update Firefox: If you’re on Windows, upgrade to Firefox 136.0.4, ESR 115.21.1 or ESR 128.8.1.
- Tor users: Windows users should ensure they have version 14.0.8 installed.
- Be wary of emails: Even if it looks official, think before you click. Personalized phishing emails are hard to detect but devastating in impact.
- Enable auto-updates: Most browsers offer this by default — don’t disable it.
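For anyone triaging a fleet rather than a single machine, the following added example (my own script, not a tool from Google, Mozilla, Kaspersky or the article) checks installed Windows browser builds against the fixed versions listed above. The ESR-branch handling and the sample inventory are assumptions constructed for illustration.

```python
"""Fleet triage helper (added example): flag Windows browser installs that
are still below the fixed versions named in the article."""
import re

# Minimum fixed builds from the article (CVE-2025-2783 / CVE-2025-2857).
CHROME_MIN = (134, 0, 6998, 177)      # 134.0.6998.177; .178 is also patched
FIREFOX_ESR_MIN = {                   # keyed by the ESR branch's major version
    115: (115, 21, 1),                # ESR 115.21.1
    128: (128, 8, 1),                 # ESR 128.8.1
}
FIREFOX_RELEASE_MIN = (136, 0, 4)     # 136.0.4 on the rapid-release channel
TOR_MIN = (14, 0, 8)                  # Tor Browser 14.0.8

def parse_version(text):
    """Extract the first dotted version from strings such as
    'Google Chrome 134.0.6998.177' or '128.7.0esr' as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_patched(product, version_text):
    """True when the installed build is at or above the fixed version.
    Assumes a Windows host, the only affected platform per the article."""
    v = parse_version(version_text)
    if product == "chrome":
        return v >= CHROME_MIN
    if product == "firefox":
        # An ESR branch needs only its own backported fix; any other major
        # (e.g. 135.x, 136.x) is judged against the rapid-release minimum.
        if v[0] in FIREFOX_ESR_MIN:
            return v >= FIREFOX_ESR_MIN[v[0]]
        return v >= FIREFOX_RELEASE_MIN
    if product == "tor":
        return v >= TOR_MIN
    raise ValueError(f"unknown product {product!r}")

def triage(inventory):
    """inventory: (hostname, product, version string) tuples.
    Returns the hosts still on a vulnerable build, to be updated first."""
    return [host for host, product, ver in inventory if not is_patched(product, ver)]

# Constructed sample inventory, not real hosts.
SAMPLE = [
    ("ws-01", "chrome", "Google Chrome 134.0.6998.177"),
    ("ws-02", "chrome", "134.0.6998.165"),
    ("ws-03", "firefox", "128.7.0esr"),
    ("ws-04", "firefox", "115.21.1"),
    ("ws-05", "firefox", "135.0.1"),
    ("ws-06", "tor", "14.0.7"),
]
if __name__ == "__main__":
    print("still vulnerable:", triage(SAMPLE))
```

Feed it the version strings your inventory or endpoint management tool already collects; the hosts it returns are the ones where the "update and restart" step above has not yet happened.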
To quote the Kaspersky evaluation:
“This particular exploit is certainly one of the most interesting we have encountered… without doing anything clearly malicious or forbidden, it allowed attackers to bypass the Google Chrome sandbox protection as if it didn’t even exist.”
For now, the exploit has been neutralized. But the broader implications – vulnerabilities in the browser’s core architecture, coordinated phishing campaigns, and the rush of rival developers to audit their own code – all point to one truth: the security arms race is far from over.
As the digital landscape becomes more interconnected, user vigilance and timely software updates are our best, and sometimes only, line of defense.