Despite Microsoft’s efforts to push users to the Edge, Chrome is the default browser for the vast majority of Windows users. All those users must now update Chrome, after Google warned that a new zero-day exploit has been found in the wild. An emergency update was released yesterday and needs to be installed immediately.
The vulnerability was discovered by Kaspersky this month, with its team warning of a “wave of infections by previously unknown and highly sophisticated malware.” The attack comes via an email link and “infection occurs immediately.” Beyond clicking the link, Kaspersky says, “no further action was required to become infected.”
Now America’s cyber defense agency has issued its own warning for users to update Chrome by April 17 “or discontinue use of the product” if they cannot. That mandate applies formally to any federal employee, but CISA’s guidance should be followed by all organizations public and private, large and small. The agency’s remit is “to help every organization better manage vulnerabilities and keep pace with threat activity.”
Chrome’s stable desktop version for Windows has been updated to 134.0.6998.177/.178 to patch CVE-2025-2783. Check for that update now, and once it has downloaded, make sure you restart your browser to install the fix. Reports suggest current attacks are highly targeted, but now it has been patched you can expect attacks to increase while they’re still operable. As ever, a targeted exploit finds its way into other hands quickly.
Kaspersky says “this particular exploit is certainly one of the most interesting we’ve encountered,” given that “without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist.” and as far as attribution goes, Kaspersky says it can “confidently conclude that a state-sponsored APT group is behind this attack.”
The current attacks chain this exploit with another that has not yet been fixed. But updating Chrome stops the attacks in any case.
