Google has issued urgent out-of-band security updates to rectify a critical vulnerability in its Chrome browser for Windows. This flaw, designated as CVE-2025-2783 (CVSS score: 8.3), has reportedly been exploited in real-world phishing attacks aimed primarily at organizations in Russia.

Described as stemming from an “incorrect handle provided in unspecified circumstances in Mojo on Windows,” the vulnerability lies in Mojo, Chrome's inter-process communication (IPC) layer, which brokers messages and handles between the browser's sandboxed and privileged processes. Although Google has remained tight-lipped about the technical specifics of the attacks and the actors involved, the flaw has been fixed in Chrome versions 134.0.6998.177/.178 for Windows.

The emergence of CVE-2025-2783 as the first active zero-day exploit for Chrome this year raises significant concerns within the cybersecurity community. Credit for its discovery goes to Kaspersky researchers Boris Larin and Igor Kuznetsov, who reported the issue on March 20, 2025. Kaspersky characterized this exploitation as indicative of a sophisticated, targeted attack consistent with tactics often employed by advanced persistent threat (APT) groups.

In a focused bulletin, Kaspersky detailed how exploitation occurred through links embedded in phishing emails, which led victims to malicious sites opened in the Google Chrome browser. The vulnerability effectively bypasses the browser’s sandbox protections thanks to a logic error at the intersection of Chrome and the Windows operating system. Such exploitation techniques align closely with initial access tactics outlined in the MITRE ATT&CK framework.

The phishing campaigns appeared to target diverse sectors, including media outlets, educational institutions, and government entities across Russia. The emails contained invitations allegedly from the organizers of a legitimate scientific forum, the Primakov Readings, further emphasizing the tailored nature of the assault.

Kaspersky noted that the first stage of the attack chained CVE-2025-2783 with a second exploit that provided remote code execution—a technique the report maps to the privilege escalation tactics of the MITRE framework. Details about this secondary exploit remain undisclosed.

Analyzing the indicators associated with this attack, researchers have concluded that its sophisticated nature suggests involvement from state-sponsored threat actors. The ongoing espionage goals and the meticulous planning behind the phishing emails indicate a high level of organization, consistent with an APT operation code-named Operation ForumTroll.

With active exploitation confirmed, users of Chromium-based browsers—including Microsoft Edge, Brave, Opera, and Vivaldi—should apply the corresponding vendor updates as soon as they become available, since these browsers share the affected Mojo IPC code with Chrome. Doing so closes the sandbox-escape path used in these targeted attacks.