In October, Mozilla also patched a zero-day vulnerability (CVE-2024-9680) in Firefox's animation timeline feature exploited by the Russian-based RomCom cybercrime group that let the attackers gain code execution in the web browser's sandbox. Kaspersky's Boris Larin and Igor Kuznetsov, who discovered and reported CVE-2025-2783 to Google, said on Tuesday that the zero-day was exploited in the wild to bypass Chrome sandbox protections and infect targets with sophisticated malware. Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems. While Mozilla didn't share technical details regarding CVE-2025-2857, it said the vulnerability is similar to a Chrome zero-day exploited in attacks and patched by Google earlier this week. "The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist," they said. The flaw was chained with a Windows privilege escalation zero-day (CVE-2024-49039) that allowed the Russian hackers to execute code outside the Firefox sandbox. Attackers were able to confuse the parent process into leaking handles into unpriviled [sic] child processes leading to a sandbox escape," Mozilla said in a Thursday advisory. The vulnerability impacts the latest Firefox standard and extended support releases (ESR) designed for organizations that require extended support for mass deployments.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 27 Mar 2025 14:50:18 +0000