Full Report
Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving "credible reports" in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users' devices. "Threat actors were leveraging basic social engineering techniques alongside unpatched (0-day) exploits in Internet Explorer's JavaScript
Analysis Summary
# Vulnerability: Microsoft Edge IE Mode Abuse Leading to RCE via Chakra Engine Exploit
## CVE Details
- CVE ID: Not disclosed in the provided text.
- CVSS Score: Not disclosed in the provided text.
- CWE: Not disclosed in the provided text.
## Affected Systems
- Products: Microsoft Edge (specifically its Internet Explorer (IE) Mode feature).
- Versions: Unspecified, but addressed by Microsoft following credible reports in August 2025.
- Configurations: Systems where IE Mode could be easily initiated (e.g., via toolbar button, context menu, or hamburger menu).
## Vulnerability Description
Threat actors were abusing the IE Mode backward compatibility feature in Microsoft Edge. The attack used social engineering to trick users into reloading a visited webpage in IE Mode. Once the page was loaded in the legacy environment, the threat actors used an unspecified **0-day exploit in Internet Explorer's JavaScript engine (Chakra)** to achieve Remote Code Execution (RCE). A second, unspecified exploit was then used to escape the browser sandbox and elevate privileges, giving the adversary full control over the victim's device and enabling post-exploitation activities such as malware deployment and lateral movement.
## Exploitation
- Status: Reported as **Exploited in the Wild** (credible reports received in August 2025).
- Complexity: Implied **Medium to High** due to requiring social engineering, an unpatched 0-day in Chakra, and a second follow-up exploit for privilege escalation/sandbox escape.
- Attack Vector: **Network** (User visits a malicious website).
## Impact
- Confidentiality: High (Implied, given full device control and data exfiltration capability).
- Integrity: High (Implied, given full device control and malware deployment).
- Availability: High (Implied, given likelihood of system compromise/takeover).
## Remediation
### Patches
- No specific patch, CVE or version information was disclosed in the text. The fix Microsoft implemented was a *configuration lockdown* of the IE Mode feature.
### Workarounds
Microsoft has significantly restricted how IE Mode can be launched to balance security and legacy needs. This acts as a primary mitigation:
1. **Removal:** The dedicated toolbar button, context menu option, and hamburger menu items to launch IE Mode have been removed.
2. **Intentional Enabling Required:** Users must now explicitly enable IE Mode on a case-by-case basis by:
   * Navigating to Edge Settings > Default Browser.
   * Setting "Allow sites to be reloaded in Internet Explorer mode" to **Allow**.
   * Adding the specific site(s) requiring IE compatibility to the Internet Explorer mode pages list.
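
One way to check how a managed Windows machine is configured for the setting described above, as an added example that is not from Microsoft or the source article: the script reads the Edge policy registry keys and reports whether reloading sites in IE mode is allowed by policy. The value names are the documented Edge policies that correspond to these settings; the function name and the Finding text are this example's own.

```powershell
# Added example: audit the Edge policy values that govern IE mode on this machine.
# Get-EdgeIEModePolicy and the Finding strings are hypothetical names chosen for this example.
function Get-EdgeIEModePolicy {
    param(
        [string[]]$Roots = @('HKLM:\SOFTWARE\Policies\Microsoft\Edge',
                             'HKCU:\SOFTWARE\Policies\Microsoft\Edge')
    )
    Set-StrictMode -Off   # unset policy values should read as $null, not throw

    foreach ($root in $Roots) {
        # A missing key means no Edge policy is applied at this scope.
        $p = $null
        if (Test-Path -Path $root) { $p = Get-ItemProperty -Path $root }

        $level  = $p.InternetExplorerIntegrationLevel                  # 0 none, 1 IE mode, 2 open in IE11
        $reload = $p.InternetExplorerIntegrationReloadInIEModeAllowed  # 1 allow, 0 block
        $list   = $p.InternetExplorerIntegrationSiteList               # location of the enterprise site list

        if ($null -eq $reload) {
            $finding = 'INFO: reload in IE mode is not set by policy at this scope'
        } elseif ($reload -eq 1) {
            $finding = 'REVIEW: policy lets users reload unlisted sites in IE mode'
        } else {
            $finding = 'OK: reloading unlisted sites in IE mode is blocked by policy'
        }

        # IE mode switched on without a managed site list deserves a second look.
        if ($level -eq 1 -and [string]::IsNullOrEmpty($list)) {
            $finding += '; IE mode is enabled but no enterprise site list is configured'
        }

        [pscustomobject]@{
            Scope            = $root.Substring(0, 4)   # HKLM or HKCU
            IntegrationLevel = $level
            ReloadInIEMode   = $reload
            SiteList         = $list
            Finding          = $finding
        }
    }
}

Get-EdgeIEModePolicy | Format-List
```

Where the policy is not set, the per-user choice made under Edge Settings > Default Browser applies, so an INFO result means that setting still has to be checked on the endpoint.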
## Detection
- Indicators of Compromise (IOCs): Not specified in detail, but related to activity chaining an IE Mode reload with potential shellcode execution targeting the Chakra engine, followed by a sandbox/process escape.
- Detection methods and tools: Not explicitly detailed, but network monitoring for unusual post-browser process activity and file system changes following interaction with sites loaded in IE Mode would be relevant indicators.
## References
- Vendor advisory (Microsoft Edge Browser Vulnerability Research): hxxps://microsoftedge[.]github[.]io/edgevr/posts/Changes-to-Internet-Explorer-Mode-in-Microsoft-Edge/
- Documentation on IE Mode: hxxps://learn[.]microsoft[.]com/en-us/deployedge/edge-ie-mode
- Article Source: hxxps://thehackernews[.]com/2025/10/microsoft-locks-down-ie-mode-after[.]html