This is the second actively exploited Chrome zero-day patched by Google this year, after another high-severity Chrome zero-day bug (CVE-2025-2783), which was abused to target Russian government organizations, media outlets, and educational institutions in cyber-espionage attacks. On Thursday, CISA warned U.S. federal agencies to secure their systems against ongoing attacks exploiting a high-severity vulnerability in the Chrome web browser. While Google didn't disclose if the vulnerability was previously abused in attacks or if it's still being exploited, it warned in a security advisory that it has a public exploit, which is how it usually hints at active exploitation. As mandated by the November 2021 Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies must patch their Chrome installation within three weeks, by May 7th, to secure their systems against potential breaches. As Kokorin explained, the vulnerability is due to insufficient policy enforcement in Google Chrome's Loader component, and successful exploitation can allow remote attackers to leak cross-origin data via maliciously crafted HTML pages. Kaspersky researchers who spotted the zero-day attacks said that the threat actors used CVE-2025-2783 exploits to bypass Google Chrome's sandbox protections and infect targets with malware. One day later, CISA confirmed CVE-2025-4664 is being abused in the wild and added it to the Known Exploited Vulnerabilities catalog, which lists security flaws actively exploited in attacks. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the cybersecurity agency warned.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 16 May 2025 08:14:55 +0000