Google has released out-of-band security updates to address a critical vulnerability in its Chrome browser. The flaw, tracked as CVE-2025-2783, has been actively exploited in the wild.
The vulnerability is described as a case of insufficient validation of user-supplied input, related to Mojo on Windows. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system. Mojo is a set of runtime libraries that facilitate inter-process communication (IPC) across platforms.
While Google has not disclosed detailed technical information about the attack vector, the identity of the threat actors, or specific targets, it confirmed that the flaw has been actively exploited. The fix for this issue has been rolled out in Chrome version 134.0.6998.177/.178 for Windows.
CVE-2025-2783 marks the first actively exploited Chrome zero-day of the year. According to reports, the flaw has been used in sophisticated, targeted cyberespionage attacks likely orchestrated by an Advanced Persistent Threat (APT) actor. In the attacks, victims were infected after clicking on a malicious link embedded in a phishing email. The phishing emails specifically targeted organizations in Russia, including media outlets, educational institutions, and government entities.
Worthy of note, CVE-2025-2783 works in conjunction with a remote code execution exploit, which has yet to be identified.
