IT Brief US - Technology news for CIOs & IT decision-makers

Kaspersky discovers & patches zero-day Chrome flaw

Yesterday

Kaspersky has announced the discovery and patching of a zero-day vulnerability in Google Chrome identified as CVE-2025-2783.

The vulnerability had allowed attackers to circumvent Google Chrome's sandbox protection system, needing only a click on a malicious link to compromise systems. The exploit was characterised by its technical complexity and was discovered by Kaspersky's Global Research and Analysis Team (GReAT). Google has acknowledged Kaspersky's efforts in identifying and reporting the flaw.

During March 2025, Kaspersky identified a series of infections caused by users clicking on personalised phishing links received via email. These links required no further actions on the part of those affected. After confirming that the exploit took advantage of a previously unknown vulnerability in the latest version of Chrome, Kaspersky promptly informed Google's security team, resulting in the release of a security patch on March 25, 2025.

The campaign associated with the exploit was dubbed "Operation ForumTroll" by Kaspersky. In this operation, attackers sent targeted phishing emails inviting recipients to the "Primakov Readings" forum, primarily focusing on media, educational, and governmental bodies in Russia. The malicious links were designed to be short-lived to avoid detection, and redirected to the legitimate "Primakov Readings" site once the exploit had been taken down.

Further analysis revealed that the zero-day vulnerability in Chrome was part of a larger attack chain, involving at least two exploits. A remote code execution exploit, yet to be obtained, appeared to have initiated the attack, while the sandbox bypass discovered by Kaspersky constituted the secondary stage of the operation. The nature of the malware suggests this was mainly an espionage operation, likely orchestrated by an Advanced Persistent Threat (APT) group.

Boris Larin, Principal Security Researcher at Kaspersky GReAT, stated, "This vulnerability stands out among the dozens of zero-days we've discovered over the years. The exploit bypassed Chrome's sandbox protection without performing any obviously malicious operations – it's as if the security boundary simply didn't exist. The technical sophistication displayed here indicates development by highly skilled actors with substantial resources. We strongly advise all users to update their Google Chrome and any Chromium-based browser to the latest version to protect against this vulnerability."

As Kaspersky continues its investigation into Operation ForumTroll, it plans to release a detailed analysis of the exploits and malware once Google Chrome user security is confirmed. In the meantime, Kaspersky products can detect and shield against this exploit chain and related malware.

The identification of this vulnerability highlights the effectiveness of Kaspersky's Next EDR Expert platform, part of the broader Kaspersky Next XDR Expert solution, which was instrumental in detecting the malware wave. "Our exploit detection and protection technologies swiftly identified a zero-day exploit before it became publicly known, enabling us to thoroughly analyse its behaviour and impact," the company noted.

This development follows Kaspersky GReAT's previous identification of a separate Chrome zero-day—CVE-2024-4947—exploited by the Lazarus APT group for cryptocurrency theft. The earlier case involved a type confusion bug in Google's V8 JavaScript engine.

To combat such sophisticated attacks, Kaspersky security experts recommend regular software updates, adopting a multi-layered security approach, and leveraging threat intelligence services for the latest information on emerging exploits and attacker techniques. These measures are vital in ensuring robust protection against advanced threats and APT campaigns.
