Firefox Affected by Flaw Similar to Chrome Zero-Day Exploited in Russia

Firefox developers have determined that their browser is affected by a vulnerability similar to the recent Chrome sandbox escape zero-day.

Mozilla says Firefox developers have determined that their browser is affected by a critical vulnerability that is similar to the Chrome zero-day disclosed a few days ago.

On Tuesday, Google announced a Chrome update that patches CVE-2025-2783, a vulnerability reported to the tech giant by cybersecurity firm Kaspersky, whose researchers saw it being exploited in attacks aimed at Russian organizations.

Kaspersky said CVE-2025-2783 has been exploited since at least mid-March by what is likely a state-sponsored threat actor to escape Chrome’s sandbox. The exploit chain also targeted another vulnerability (which Kaspersky was unable to identify) to achieve remote code execution. 

The campaign, which the security firm dubbed Operation ForumTroll because it used fake invitations to a scientific forum as a lure, targeted media outlets, educational institutions and government organizations in Russia.

Firefox developers have analyzed CVE-2025-2783 and found that a similar pattern also exists in their IPC code.

The issue, described as an incorrect handle, can allow a compromised child process to cause the parent process to “return an unintentionally powerful handle, leading to a sandbox escape”, Firefox developers said.

In the case of Firefox, the vulnerability is tracked as CVE-2025-2857. The flaw only impacts Firefox for Windows and it has been patched with the release of versions 136.0.4, 128.8.1 (ESR), and 115.21.1 (ESR).

Mozilla noted that the original vulnerability has been exploited in the wild, but did not mention anything about attacks aimed at Firefox users. 

The Tor browser, which is based on Firefox, has also been updated to address the vulnerability.

The cybersecurity agency CISA on Thursday added the Chrome flaw to its Known Exploited Vulnerabilities (KEV) catalog. The agency noted that other Chromium-based browsers may also be affected, including Microsoft Edge and Opera. Microsoft has issued an advisory.

The exploitation of Firefox vulnerabilities is not as common as the exploitation of Chrome bugs, but there have been roughly a dozen security holes exploited over the past decade. One example came to light in late November 2024, when ESET reported that a Russian APT had chained Firefox and Windows zero-days to deploy a backdoor.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
