Mozilla has launched Firefox 136.0.4 to patch a crucial security vulnerability that may let attackers escape the online browser’s sandbox on Home windows techniques.
Tracked as CVE-2025-2857, this flaw is described as an “incorrect deal with may result in sandbox escapes” and was reported by Mozilla developer Andrew McCreight.
The vulnerability impacts the most recent Firefox customary and prolonged help releases (ESR) designed for organizations that require prolonged help for mass deployments. Mozilla fastened the security flaw in Firefox 136.0.4 and Firefox ESR variations 115.21.1 and 128.8.1.
Whereas Mozilla did not share technical particulars relating to CVE-2025-2857, it mentioned the vulnerability is just like a Chrome zero-day exploited in assaults and patched by Google earlier this week.
“Following the sanbdox escape in CVE-2025-2783, varied Firefox builders recognized an analogous sample in our IPC code. Attackers had been in a position to confuse the dad or mum course of into leaking handles into unpriviled [sic] baby processes resulting in a sandbox escape,” Mozilla mentioned in a Thursday advisory.
“The unique vulnerability was being exploited within the wild. This solely impacts Firefox on Home windows. Different working techniques are unaffected.”
Chrome zero-day exploited to focus on Russia
Kaspersky’s Boris Larin and Igor Kuznetsov, who found and reported CVE-2025-2783 to Google, mentioned on Tuesday that the zero-day was exploited within the wild to bypass Chrome sandbox protections and infect targets with refined malware.
They noticed CVE-2025-2783 exploits deployed in a cyber-espionage marketing campaign dubbed Operation ForumTroll, focusing on Russian authorities organizations and journalists at unnamed Russian media retailers.
“The vulnerability CVE-2025-2783 actually left us scratching our heads, as, with out doing something clearly malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox safety as if it didn’t even exist,” they mentioned.
“The malicious emails contained invites supposedly from the organizers of a scientific and skilled discussion board, ‘Primakov Readings,’ focusing on media retailers, instructional establishments and authorities organizations in Russia.”
In October, Mozilla additionally patched a zero-day vulnerability (CVE-2024-9680) in Firefox’s animation timeline function exploited by the Russian-based RomCom cybercrime group that permit the attackers acquire code execution within the internet browser’s sandbox.
The flaw was chained with a Home windows privilege escalation zero-day (CVE-2024-49039) that allowed the Russian hackers to execute code outdoors the Firefox sandbox. Their victims had been tricked into visiting an attacker-controlled web site that downloaded and executed the RomCom backdoor on their techniques.
Months earlier, it fastened two Firefox zero-day vulnerabilities someday after they had been exploited on the Pwn2Own Vancouver 2024 hacking competitors.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and defend towards them.
