Google has patched a critical Chrome zero-day vulnerability that hackers were actively using to sidestep the browser’s defenses and infect targeted systems with malware. The vulnerability is tracked as CVE-2025-2783. It’s the first Chrome zero-day discovered this year, and it’s already been weaponized in real-world attacks.
Security researchers at Kaspersky uncovered the vulnerability during an investigation into a phishing campaign dubbed Operation ForumTroll, which targeted Russian media outlets, universities, and government agencies. Victims were lured in by fake email invitations to an academic event and redirected to a malicious domain designed to launch the attack.
According to Kaspersky, this latest Chrome zero-day exploit bypassed Chrome’s sandbox—a key line of defense that isolates web activity from the rest of a user’s system. Once through, attackers deployed spyware-grade malware, all without raising alarms. “It allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist,” the researchers explained.
Google quickly issued a fix for the zero-day vulnerability with Chrome version 134.0.6998.178, which is now available in the Stable Desktop channel. While the update is rolling out globally, users can also trigger the update manually by visiting Settings > About Chrome and installing the latest update. Doing so not only neutralizes CVE-2025-2783 but also shuts down a second, related exploit used in the same attack chain.
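For administrators checking more than one machine, the fixed build number above can be compared against an inventory of installed Chrome versions. The following is an added example, not code from Google or Kaspersky; the `host,version` inventory format, the hostnames, and the function names are assumptions made for illustration.

```python
import re

# Fixed Stable Desktop build named in the article.
FIXED_VERSION = (134, 0, 6998, 178)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints for 'a.b.c.d', or None if malformed."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def audit(inventory_lines, fixed=FIXED_VERSION):
    """Sort 'host,version' lines into outdated, patched and unknown hosts."""
    report = {"outdated": [], "patched": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header comment
        host, _, raw = line.partition(",")
        version = parse_version(raw)
        if version is None:
            # Never count a host as patched when its version cannot be read.
            report["unknown"].append(host.strip())
        elif version < fixed:
            # Tuple comparison is numeric per component; comparing the raw
            # strings would rank "134.0.6998.99" above "134.0.6998.178".
            report["outdated"].append(host.strip())
        else:
            report["patched"].append(host.strip())
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "# host,chrome_version",
    "ws-001,134.0.6998.178",
    "ws-002,134.0.6998.99",
    "ws-003,133.0.6943.142",
    "ws-004,135.0.7049.42",
    "ws-005,unknown",
    "ws-006,134.0.6998.89 ",
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket should be checked by hand rather than assumed current.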
Security researchers say the vulnerability was caused by incorrect handle usage within Mojo, a key component used by Chrome on Windows. Though Google hasn’t disclosed full technical details, the company confirmed that the flaw was being actively exploited, which no doubt prompted the swift security response.
This isn’t the first time Chrome has come under attack, but with exploits growing more sophisticated, even a few days’ delay in updating can leave users vulnerable. With the patch now live, the best defense is a simple one: make sure Chrome is up to date.