Mozilla has released an emergency security update for Firefox on Windows after identifying a vulnerability (CVE-2025-2857) that was actively exploited.
This flaw allowed attackers to bypass Firefox’s security protections, potentially putting users at risk. The update, which brings Firefox to version 136.0.4, follows Google’s recent patch for a similar issue in Chrome.
Security Risk and Exploitation Details
The vulnerability enabled attackers to escape Firefox’s sandbox, a critical security feature that isolates the browser from other applications and user data.
If successfully exploited, this flaw could grant attackers deeper system access, increasing the risk of data breaches or malware execution. Mozilla has urged all users to update their browsers immediately to mitigate potential threats.
Impact on Other Browsers
Other browsers built on Firefox’s codebase, including the Tor Browser, were also affected. In response, the Tor Project has issued a security update, bringing its browser to version 14.0.7 to ensure privacy-focused users remain protected.
Previous Zero-Day Exploit in Firefox
Earlier this year, Mozilla addressed another critical zero-day vulnerability (CVE-2024-9680) in Firefox, which had a CVSS severity score of 9.8. This flaw allowed remote code execution without user interaction, posing a significant cybersecurity risk.
- The Russia-aligned threat group RomCom exploited this vulnerability alongside a Windows Task Scheduler flaw (CVE-2024-49039) to bypass Firefox’s sandbox and execute arbitrary code.
- The primary targets of these attacks were users in Europe and North America.
- Mozilla released patches on October 9th, updating Firefox to version 131.0.2 and Firefox ESR to version 128.3.1 to address the issue.
Ongoing Cybersecurity Threats
Security researcher Boris Larin from Kaspersky, who initially discovered the Chrome zero-day vulnerability, confirmed that the root cause of the Chrome flaw also impacts Firefox.
Kaspersky linked this vulnerability to cyberattacks on journalists, educational institutions, and government organizations in Russia, raising concerns about potential espionage and broader cybersecurity threats.
Ensuring Browser Security
While Mozilla has responded quickly to mitigate risks, the discovery of similar vulnerabilities in both Firefox and Chrome highlights the persistent challenges in browser security. Given the increasing sophistication of cyber threats, users are strongly encouraged to:
- Keep their browsers updated to the latest versions.
- Enable automatic security updates for real-time protection.
- Remain vigilant against potential cyber threats targeting widely used applications.
These measures are essential for maintaining security and reducing the risks posed by zero-day exploits and advanced persistent threat (APT) groups.
