The high-risk security flaw affects Google Chrome for Windows, and doesn't require any user interaction.
Chrome users on Windows PCs should update to the latest version that patches the flaw
Photo Credit: Unsplash/ @firmbee
Google has fixed a serious security vulnerability affecting its Google Chrome browser, that allowed attackers to bypass its security features. The flaw was discovered by Kaspersky's Global Research and Analysis Team (GReAT), and was reportedly used to target media outlets, educational institutions, and government organisations. Google Chrome users should update their browser in order to remain protected against the vulnerability, and other Chromium-based browsers are also expected to receive an update that resolves the issue in the coming days.
According to details shared by the security firm, an advanced persistent threat (APT) group is suspected to have run a campaign dubbed Operation ForumTroll to take advantage of a zero-day (previously unknown, undetected) vulnerability in Google Chrome for Windows, identifed as CVE-2025-2783.
The attackers would send personalised phishing emails to persons from media outlets, educational institutions, and government organisations located in Russia. These emails would invite them to join the “Primakov Readings” forum. Kaspersky claims that the links would expire quickly, and would eventually send users to the real forum.
What is most notable about the security exploit is that it allowed an attacker to use a maliciously crafted file to escape the sandbox protection system on Google Chrome. The security flaw impacted Google Chrome on Windows, and did not require users to interact with the malware in any way, after they clicked on the link.
Boris Larin, principal security researcher at Kaspersky GReAT, explains that the exploit managed to completely disregard Chrome's security boundaries, and without triggering any obvious malicious actions. “This vulnerability stands out among the dozens of zero-days we've discovered over the years,” he added.
The security firm disclosed the vulnerability to Google, and a patch for the CVE-2025-2783 vulnerability was included with the update to Google Chrome for Windows 134.0.6998.177 /.178, which began rolling out on Tuesday. Google has credited Kaspersky with discovering the vulnerability and users should update their browser to remain protected against the flaw.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.