Full Report
Google has released out-of-band fixes to address a high-severity security flaw in its Chrome browser for Windows that it said has been exploited in the wild as part of attacks targeting organizations in Russia. The vulnerability, tracked as CVE-2025-2783, has been described as a case of "incorrect handle provided in unspecified circumstances in Mojo on Windows." Mojo refers to a
Analysis Summary
# Vulnerability: Chrome Mojo IPC Flaw Exploited in Russian Espionage Attacks
## CVE Details
- CVE ID: CVE-2025-2783
- CVSS Score: Not explicitly stated, but described as **high-severity**.
- CWE: Not explicitly stated, but relates to an incorrect handle provided in Mojo IPC.
## Affected Systems
- Products: Google Chrome browser for Windows
- Versions: All versions prior to Chrome **134.0.6998.177/.178** for Windows.
- Configurations: Standard web browsing environment where an attacker can deliver a malicious link to a target.
## Vulnerability Description
The vulnerability is described as an **"incorrect handle provided in unspecified circumstances in Mojo on Windows."** Mojo is a collection of runtime libraries that provides a platform-agnostic mechanism for inter-process communication (IPC) between Chrome's processes. The flaw allows an attacker to bypass the browser's sandbox protection. In the observed attacks it was chained with a second exploit that provided Remote Code Execution (RCE); details of that second exploit were not obtained.
## Exploitation
- Status: **Exploited in the wild** (confirmed active exploitation in a campaign tracked as Operation ForumTroll, attributed to a state-sponsored APT group).
- Complexity: Described as part of a **technically sophisticated targeted attack**, implying a highly capable attacker, although the initial infection vector required only minimal user interaction (clicking a link).
- Attack Vector: Network (Phishing email leading to a malicious link opened in the Chrome browser).
## Impact
- Confidentiality: High (Implied, as the goal of the campaign was espionage).
- Integrity: High (Implied, due to sandbox bypass and potential RCE).
- Availability: Low (Focus appears to be targeted data theft rather than denial of service).
## Remediation
### Patches
- Google Chrome version **134.0.6998.177/.178** (for Windows) or later; both builds carry the fix.
### Workarounds
- None explicitly listed in the provided summary; given the confirmed active exploitation, immediate patching is the only mitigation implied.
## Detection
- Indicators of Compromise: No file hashes or network indicators are given in the summary. Activity attributable to Operation ForumTroll, or suspicious child processes attempting to break out of the Chrome sandbox after a user clicks a link that references a legitimate scientific forum (e.g., the Primakov Readings), should be treated as suspect.
- Detection methods and tools: No specific tooling is named; detection relies on security solutions capable of identifying zero-day browser exploitation attempts or the post-exploitation chain that follows a sandbox escape.
## References
- Vendor Advisory: chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html
- Research/Details: securelist.com/operation-forumtroll/115989/