Google patches a Chrome zero-day vulnerability used in espionage


Google has released an out-of-band security patch for its Chrome browser to fix a high-severity zero-day vulnerability, CVE-2025-2783, which has been actively exploited in targeted espionage campaigns.

The security firm Kaspersky discovered the flaw in mid-March 2025 while investigating a series of sophisticated attacks. It resides in Chrome’s Mojo component on Windows, where an “incorrect handle” is passed under unknown conditions, allowing attackers to bypass the browser’s sandbox protections.

The bug was exploited in phishing campaigns

The bug has also been exploited in a campaign called “Operation ForumTroll” against specific Russian media outlets, schools, and government institutions. Attackers sent targeted phishing emails that, when engaged with, executed malware through Chrome.

To counter the exploitation, Google has released Chrome version 134.0.6998.178 for Windows, which contains the fix for this bug. The company is rolling out the update over the next few days and weeks. Users are advised to update their browsers as soon as possible to protect against likely exploitation attempts.

To verify whether your browser is up to date, go to the Chrome menu, select “Help,” then “About Google Chrome,” and allow the browser to search for and install any updates available.
