Vulnerability In Chrome Being Attacked
Google has released an update for its Chrome web browser, closing a zero-day vulnerability that is already being exploited.
Google released an update for its Chrome web browser on Wednesday night. It fixes a zero-day security vulnerability that attackers are already exploiting in the wild. Anyone using Google Chrome should quickly check whether the bug-fixed version is already installed and active.
In the release announcement, Google developers write that under unspecified circumstances, Chrome on Windows assigns an incorrect handle in the Mojo component, which provides interprocess communication functionality (CVE-2025-2783, no CVSS, risk “high” according to Google). A handle provides access to resources, but in this case, to the wrong ones, which can be abused by attackers—and they are already doing so, as Google also mentions in the release announcement: “Google is aware of reports that an exploit for CVE-2025-2783 exists in the network.”
Abused zero-day vulnerability in Chrome discovered by Kaspersky
The zero-day vulnerability was discovered by IT researchers at Kaspersky. They describe the observed attacks of the “Operation ForumTroll” APT in a blog post. According to the report, the attack begins with a phishing email that purports to invite users to an event at the International Forum for Economics and Political Science and leads to a program and registration form. Both links, however, lead to a malware infection in the Chrome web browser on Windows, without any further interaction from the victim.

Kaspersky has yet to provide details about the vulnerability, but describes it as a logic error between Chrome and the Windows operating system that allows Chrome’s sandbox protection to be bypassed. The observed attacks were particularly targeted at Russian media representatives, employees of educational institutions, and government organizations. Kaspersky believes the attackers are trying to spy on their victims. The links in the phishing emails are currently no longer active, but attackers could use the exploit elsewhere at any time.
The patched versions are Chrome 134.0.6998.177/.178 for Windows. The Extended Stable channel is also patched, at version 134.0.6998.178 on Windows.
Version check
The version dialog reveals whether Chrome is already up to date. This opens after clicking on the browser menu, located behind the three stacked dots to the right of the address bar. From there, go to “Help” and then “About Google Chrome.” If the update hasn’t been installed yet, the dialog offers to update and then restart the browser, which is necessary to activate the new software.
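The same check can be scripted on a Windows machine. The following PowerShell is an added example, not part of the original article or any Google tooling; it assumes Chrome sits in one of its default install locations and uses 134.0.6998.177 from the text as the minimum patched build. The function name Test-ChromeBuild is hypothetical.

```powershell
# Added example: compare the installed Chrome build with the patched build
# named in the article (134.0.6998.177/.178 for Windows).
$patched = [version]'134.0.6998.177'

# Default per-machine and per-user install locations (assumption: no custom path).
$candidates = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
)

function Test-ChromeBuild {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][version]$Minimum
    )
    # ProductVersion of chrome.exe is the four-part browser version.
    $installed = [version](Get-Item -LiteralPath $Path).VersionInfo.ProductVersion

    # While Chrome is running, the updater stages the new binary as
    # new_chrome.exe beside chrome.exe; it is swapped in on restart.
    $staged = Join-Path (Split-Path -Parent $Path) 'new_chrome.exe'

    [pscustomobject]@{
        Path           = $Path
        Installed      = $installed
        Patched        = ($installed -ge $Minimum)
        RestartPending = (Test-Path -LiteralPath $staged)
    }
}

$found = $candidates | Where-Object { Test-Path -LiteralPath $_ }
if (-not $found) {
    Write-Output 'No Chrome installation found in the default locations.'
    return
}

$found |
    ForEach-Object { Test-ChromeBuild -Path $_ -Minimum $patched } |
    Format-Table -AutoSize
```

A row with Patched = False and RestartPending = True means the update has been downloaded but the browser still needs the restart described above.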
On Linux, the software management of the distribution in use usually performs the update. However, since the vulnerability occurs on Windows, an update is not urgent here. Other Chromium-based web browsers, such as Microsoft Edge, are also expected to release an update soon, which users should also apply promptly.
Exactly one week ago, Google released an important update for the Chrome browser. It fixed a security vulnerability classified as critical.
Dangerous zero-day vulnerability in Chrome exploited for espionage
Attackers can break out of the Chrome sandbox and execute code on a user’s Windows system simply by visiting a malicious website.
After closing a critical security vulnerability in its Chrome web browser just last week, Google is now upping the ante. With an update released on Tuesday, Google fixes a vulnerability that is already being actively exploited in targeted espionage attacks. Users are urged to update their Chrome browsers.
The exploitation of the Chrome vulnerability registered as CVE-2025-2783 was discovered by security researchers at Kaspersky in mid-March. As they explain in a blog post, previously unknown malware was used. The observed attacks were therefore most likely carried out by a state-sponsored hacker group.
Infection via malicious websites
According to the information, the vulnerability can be exploited through specially crafted websites that the target person simply needs to visit. In the observed attacks, access was gained via links in a phishing email disguised as an invitation to an economics and political science forum, addressed to Russian media representatives and employees of educational institutions.
“If a Windows PC user using the Google Chrome browser (or any other browser based on the Chromium engine) clicks on these links, their computer will be infected without requiring any further user interaction,” the researchers write. CVE-2025-2783 allows attackers to break out of the web browser’s sandbox and access the underlying Windows system.
Another security vulnerability in Chrome exploited
Kaspersky researchers published some further insights into the attack campaign, dubbed Operation Forumtroll, in a separate report. According to the report, in the observed attacks CVE-2025-2783 was combined with another vulnerability that allows malicious code execution. However, researchers have apparently not yet been able to obtain further details about this second vulnerability.
The investigation into Operation Forumtroll is ongoing. Security researchers plan to publish a report with further technical details at a later date.
Anyone who wants to protect themselves from potential attacks should update their Chrome browser for Windows promptly. Version 134.0.6998.177/.178 is considered patched. Corresponding updates are expected to be distributed soon for other Chromium-based web browsers. The vulnerability does not appear to exist on macOS or Linux.
Google Chrome 134.0.6998.177/.178: Important security update available
Google has once again released an update for its Chrome browser on the desktop, this time for the Stable Channel. The new version is 134.0.6998.177, or 178 for Windows, and will, as usual, be distributed to all users in the coming days and weeks. The Extended Stable Channel will also receive the update to version 134.0.6998.178 for Windows.

This update includes an important security fix. The vulnerability has the identifier CVE-2025-2783 and is rated “High.” It concerns an incorrect handle being provided in the Mojo component on Windows under unspecified circumstances. The issue was reported by Boris Larin and Igor Kuznetsov of Kaspersky.
Particularly important: Google is aware that an exploit for this vulnerability (CVE-2025-2783) is already being actively used (“in the wild”). This means it is a so-called zero-day vulnerability. An update is therefore strongly recommended.
As usual, Google is withholding more details about the vulnerability until the majority of users have received the update. So, as always, keep an eye out for the update icon in your browser or manually check via “Help” > “About Google Chrome” to see if the new version has arrived. Better safe than sorry.
Attackers are already exploiting a gap in Chrome: Install the update immediately
Google has released a new security update for Chrome. It fixes a browser vulnerability that is already being exploited.
Google has released the new Chrome versions 134.0.6998.177/178 for Windows. Chrome updates for Mac, Linux, and Android have not been announced. The security vulnerability closed by the update is apparently already being exploited for attacks. The makers of other Chromium-based browsers are likely to follow suit quickly.

In the Chrome Release Blog, Srinivas Sista mentions the fixed vulnerability, which was discovered by external security researchers and reported to Google. Google classifies the vulnerability CVE-2025-2783 as high risk. It is an exploitable flaw in the Mojo component that occurs under unclear conditions. Mojo is a collection of runtime libraries for interprocess communication (IPC). The vulnerability was reported to Google on March 20 by experts from the Russian antivirus vendor Kaspersky.
According to Google, there are indications that this vulnerability is already being exploited for attacks. This information likely comes from Boris Larin and Igor Kuznetsov, security researchers at Kaspersky. They presumably discovered the vulnerability while investigating malware attacks. Who is attacking whom remains unclear at this point, but the attacks appear to be targeting Windows computers, as Google only provides Chrome updates for Windows.
A week ago, Google released a security update for Chrome, closing two security vulnerabilities. Chrome usually updates automatically when a new version is available. You can manually initiate the update check by selecting “Help” from the menu and selecting “About Google Chrome.”
Other Chromium-based browsers
The makers of other Chromium-based browsers are now being called upon to follow suit with updates. Brave, Vivaldi, and Microsoft Edge are at the same level as last week and are expected to be updated later this week. Opera is still stuck on the outdated Chromium version 132. However, the Norwegian company backported the fix for the 0-day vulnerability CVE-2025-24201 from March 10th for Opera 117 to Chromium 132 this week. At least Opera users on macOS could benefit from this update.