Infosec

Security Advisory

Reflected XSS Vulnerability in Splunk Enterprise & Cloud Platform 

Summary 

Splunk has disclosed a medium-severity cross-site scripting (XSS) vulnerability affecting multiple versions of its Enterprise and Cloud Platform products that could allow low-privileged attackers to execute malicious JavaScript code in users’ browsers.

OEM Cisco 
Severity MEDIUM 
CVSS Score 4.3 
CVEs CVE-2025-20297 
CWEs CWE-79 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A security vulnerability identified as CVE-2025-20297 has been found in older versions of Splunk Enterprise and Splunk Cloud Platform.

This issue allows low privileged users to execute unauthorized JavaScript code in a victim’s browser using a specific Splunk feature that generates Pdf from dashboards.

Although the vulnerability is rated as Medium (CVSS 4.3) but it could be a significant risk in environments where Splunk Web is widely accessed by users. 

The vulnerability specifically targets instances with Splunk Web enabled, which represents the majority of production deployments given the component’s central role in dashboard management and user interface functionality.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Reflected Cross Site Scripting  CVE-2025-20297 Splunk Enterprise & Cloud  Medium  Check the remediation section. 

Technical Summary 

The vulnerability lies in the pdfgen/render REST endpoint used to create dashboard PDFs. In vulnerable versions, a low \privileged user (not an admin or power user) can inject a malicious script via this endpoint.

If a legitimate user interacts with the resulting PDF or link, their browser may execute the injected script without their consent, this is working as reflected XSS. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-20297  Splunk Enterprise & Cloud multiple versions Low-privileged users can exploit the pdfgen/render endpoint to inject unauthorized JavaScript code into a victim’s browser. Code Execution/Reflected xss. 

Remediation

Splunk has released updates, that addressed the vulnerability:  

  • Splunk Enterprise: Upgrade to version 9.4.2, 9.3.4, 9.2.6, 9.1.9 or latest. 
  • Splunk Cloud Platform: Upgrade to version 9.3.2411.102, 9.3.2408.111, 9.2.2406.118 or latest. 

If you cannot upgrade immediately, you can disable Splunk Web to prevent exploitation. For this you can review the web.conf configuration file and follow the Splunk guidance on disabling unnecessary components. 

Disabling Splunk Web may impact users who rely on the web interface so consider access controls or network-based restrictions as temporary mitigations. 

Conclusion: 
While CVE-2025-20297 is rated as a medium severity vulnerability, it should not be ignored in the environments where many users interact with Splunk dashboards. Attackers with limited permissions could potentially target higher privileged users by modifying malicious links or payloads. 

Organizations should prioritize upgrading Splunk to the fixed versions or implementing the workarounds immediately.

Even though this vulnerability requires some user interaction, the risks include unauthorized access to sensitive data through potential session hijacking. 

While Splunk has not provided specific detection methods for this vulnerability, organizations should monitor access patterns to the pdfgen/render endpoint and review user privilege assignments to minimize potential exposure

This vulnerability poses a significant risk to organizations relying on Splunk’s data analytics platform for security monitoring and business intelligence operations.

References

Security Advisory

High Risk DoS Vulnerability in ModSecurity WAF 

Summary 

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx.

OEM ModSecurity 
Severity HIGH 
CVSS Score 7.5 
CVEs CVE-2025-48866 
CWEs CWE-1050 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A Denial of Service (DoS) vulnerability has been identified in ModSecurity, an open-source web application firewall (WAF) used with Apache, Nginx and IIS.

The issue affects versions prior to 2.9.10 and related to the “sanitiseArg” action, which can be exploited by adding an excessive number of arguments, ultimately causing the system to fail or crash. The vulnerability has been fixed in version 2.9.10. 

There is no user interaction required to trigger, exploiting it can lead to significant resource consumption, resulting in service disruption. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Denial of Service (DoS) vulnerability  CVE-2025-48866 Modsecurity WAF  High  v2.9.10 

Technical Summary 

The vulnerability arises from the behavior of the “sanitiseArg” (also referred to as “sanitizeArg”) action in ModSecurity. This action sanitizes a specific argument passed to a rule (e.g.- password), masking it in the logs by replacing its value with asterisks (*). 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-48866  ModSecurity (mod_security2.x) prior to v2.9.10 When a rule uses the sanitiseArg action, it processes each argument that matches the specified name (e.g – password).  If a large number of matching arguments (e.g.- 500 or more) are passed, ModSecurity repeatedly adds them to memory, which can lead to excessive memory consumption and potentially crash the system. System crashes due to resource exhaustion (DoS)   

Remediation

Apply Patches Promptly: Upgrade to ModSecurity version 2.9.10 or the latest one. 

Avoid using the “sanitizeArg” or “sanitizeArg” actions in your rules. If these actions are not used, the engine will not be affected by the vulnerability.  

Conclusion: 
This vulnerability is similar to this CVE-2025-47947 issue, presents a significant risk, especially for organizations relying on ModSecurity 2.x versions for web application protection. 

Although the vulnerability is rated as high, it requires a specific set of conditions to be exploited. But to ensure the continued stability and security of web applications, the fix needs to be applied as soon as possible. 

References

Security Advisory

Critical Vulnerabilities Patched in IBM QRadar Suite & Cloud Pak for Security 

Summary : Security Advisory

Multiple vulnerabilities have been discovered in IBM QRadar Suite Software and Cloud Pak, affecting versions 1.10.0.0 through 1.11.2.0.

The company released patches on June 3, 2025, addressing five distinct Common Vulnerabilities and Exposures (CVEs) that affect enterprise security infrastructure used by organizations worldwide.

OEM IBM 
Severity Critical 
CVSS Score 9.6 
CVEs CVE-2025-25022, CVE-2025-2502, CVE-2025-25020, CVE-2025-25019, CVE-2025-1334 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These include risks such as remote code execution, information disclosure, session hijacking, and denial of service. The most critical vulnerability (CVE-2025-25022) allows unauthenticated access to sensitive configuration files. IBM has released version 1.11.3.0 to address these issues. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Information Disclosure Vulnerability  CVE-2025-25022 IBM Cloud Pak, QRadar Suite  9.6  Critical 
Code Execution Vulnerability  CVE-2025-25021 IBM QRadar SIEM  7.2  High 
Denial of Service Vulnerability  CVE-2025-25020 IBM QRadar SIEM  6.5  Medium 
Session Hijacking Vulnerability  CVE-2025-25019 IBM QRadar SIEM  4.8  Medium 
Web Cache Disclosure Vulnerability  CVE-2025-1334 IBM QRadar Suite  4.0  Medium 

Technical Summary 

The identified vulnerabilities affect both the IBM QRadar Suite and Cloud Pak, exposing them to a variety of threats such as unauthorized access, arbitrary code execution, and denial of service.

These flaws arise from weaknesses in session handling, code generation, API validation, and file configuration security. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-25022   QRadar SIEM Unauthenticated access to sensitive config files due to poor protections.   Information disclosure, RCE 
   CVE-2025-25021    QRadar SIEM Privileged code execution due to improper script code generation in case management.   Remote Code Execution 
  CVE-2025-25020   QRadar SIEM API input validation flaw allowing service crash via malformed data   Denial of Service 
   CVE-2025-25019    QRadar SIEM Sessions not invalidated upon logout, enabling impersonation by attackers. Session Hijacking 
  CVE-2025-1334   QRadar Suite Cached web content readable by other users, compromising multi-user data confidentiality. Local Info Disclosure 

Remediation

  • Apply Latest Fix: Upgrade to IBM QRadar Suite Software and Cloud Pak version 1.11.3.0 or later. 

Refer to IBM’s official installation and upgrade documentation for detailed steps.  

Conclusion: 
These vulnerabilities pose significant security risks, especially CVE-2025-25022 with a critical severity score of 9.6. Organizations using the affected IBM QRadar and Cloud Pak versions should prioritize upgrading to latest version to mitigate exposure.

IBM has acknowledged these issues and released patches to address all five vulnerabilities. 

Notably, IBM has identified no effective workarounds or mitigations for these vulnerabilities, making patching the only viable protection strategy.

References

Security Advisory

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited  

Summary 

OEM Qualcomm 
Severity HIGH 
CVSS Score 8.6 
CVEs CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.

These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Incorrect Authorization Vulnerability  CVE-2025-21479 Qualcomm Adreno GPU Driver  8.6  High 
Incorrect Authorization Vulnerability  CVE-2025-21480 Qualcomm Adreno GPU Driver  8.6  High 
Use-After-Free Vulnerability  CVE-2025-27038 Qualcomm Adreno GPU Driver  7.5  High 

Technical Summary 

These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-21479   Android (Adreno GPU) Unauthorized command execution during specific GPU microcode sequences causes memory corruption.   Privilege escalation, system compromise. 
   CVE-2025-21480    Android (Adreno GPU) Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.   Memory corruption, remote code execution. 
  CVE-2025-27038   Android (Chrome/Adreno) Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.   Arbitrary code execution. 

Recommendations

  • Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers. 
  • Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available. 
  • Apply Security Updates: Users should ensure their Android devices receive the latest security updates. 
  • Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels. 

Conclusion: 
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.

Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide. 

In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.

Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation. 

References

 

Security Advisory

RCE Risk in D-Link Routers due to Hardcoded Telnet Credentials

Summary A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware. This is affecting its DIR-605L and DIR-816L routers.

If successful exploitation happens this will enables attackers to modify router configurations, deploy malware, or pivot into internal networks.

OEMD-link
SeverityMedium
CVSS Score6.5
CVEsCVE-2025-46176
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

The flaw exposes devices to remote command execution (RCE) through hardcoded Telnet credentials.

The vulnerability has been rated medium in severity (CVSS 6.5), with no official firmware patch available as of May 2025.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
Hardcoded Telnet Credentials vulnerability  CVE-2025-46176D-Link Router  MediumNo official fix available

Technical Summary

The vulnerability arises from hardcoded Telnet credentials in the router firmware, which allows unauthenticated remote attackers to execute arbitrary commands.

Firmware analysis revealed embedded credentials in configuration files used during Telnet service initialization.

Security experts recommended retiring these EOL devices due to absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-46176D-Link DIR-605L v2.13B01, DIR-816L v2.06B01Telnet service (/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign) uses hardcoded credentials from image_sign file, exposing plaintext passwords.      RCE

Recommendations:

As of May 2025, no firmware updates are available to fix the vulnerability. Recommended temporary mitigations include :

  • Disable Telnet access via the router’s web interface.
  • Block Telnet port (23) using firewall rules:

“iptables -A INPUT -p tcp –dport 23 -j DROP”

  • Restrict WAN access to management interfaces.
  • Monitor D-Link’s official support page for firmware updates.

Conclusion:
Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users. 

While exploitation likelihood is currently assessed as low, vulnerability enables unauthenticated attackers to gain control of the routers, affecting confidentiality, integrity and availability.

Immediate mitigation is advised, especially for publicly exposed devices and Security experts strongly recommend retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

Threat from Legacy Devices:

The vulnerability in Telnet revealed security risks that legacy networking equipment carry with them and is embedded hardcoded credentials in IoT devices.

Inadequate security, harboring multiple unpatched vulnerabilities and relying on inadequate security controls that fail to address underlying risks. This poses a threat not only to device itself, but also to the network and connected critical assets.

References:

Security Advisory

Linux Kernel Exploitation in ksmbd (CVE-2025-37899) Discovered with AI Assistance

Summary: A high-severity use-after-free vulnerability (CVE-2025-37899) has been discovered in the ksmbd component of the Linux kernel, which implements the SMB3 protocol for file sharing.

OEMLinux
SeverityHigh
CVSS ScoreN/A
CVEsCVE-2025-37899
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

The vulnerability, confirmed on May 20, 2025 which was uncovered through AI-assisted code analysis using OpenAI’s o3 model. It affects multiple versions of the Linux kernel and may lead to arbitrary code execution with kernel privileges. As of now, no official fix is available, but Linux distributions including SUSE team are actively working on patches.

Vulnerability NameCVE IDProduct AffectedSeverity
​ksmbd use-after-free vulnerability  CVE-2025-37899Linux kernel  High

Technical Summary

The vulnerability lies in the ksmbd kernel server component responsible for SMB3 protocol handling.

A use-after-free bug occurs when one thread processes a logoff command and frees the sess->user object, while another thread bound to the same session attempts to access the same object simultaneously. This results in a race condition that can lead to memory corruption and potentially enable attackers to execute arbitrary code with kernel privileges.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-37899  Linux kernel (ksmbd)A race condition during handling of SMB2 LOGOFF commands. sess->user is freed in one thread while still being accessed in another, leading to a classic use-after-free vulnerability. The absence of synchronization around sess->user allows attackers to exploit the freed memory during concurrent SMB operations.  Kernel memory corruption, privilege escalation, remote code execution

Remediation:

  • Fix status: As of now, an official fix has not been released. Linux distributions, including SUSE, are actively developing and testing patches.

General Recommendations

  • Monitor your distribution’s security advisories and apply patches as soon as they are available.
  • Consider disabling or restricting ksmbd (in-kernel SMB3 server) if not explicitly required.
  • Use firewall rules to restrict access to SMB services to trusted networks.
  • Employ kernel hardening options (e.g. memory protections, SELinux/AppArmor policies).
  • Audit SMB traffic for signs of abnormal session setup and teardown behavior.

Conclusion:
CVE-2025-37899 highlights the increasing role of AI in modern vulnerability discovery and the complex nature of concurrency bugs in kernel components. While no fix is yet available, administrators should apply defense-in-depth strategies and watch for updates from their Linux vendors.

The discovery underscores the importance of rigorous code audits, especially in components exposed to network traffic and multithreaded processing.

References:

Security Advisory

CISCO ISE & UIC Security Flaws Allow DoS, Privilege Escalation

Summary: Cisco has disclosed multiple vulnerabilities affecting its Identity Services Engine (ISE) and Unified Intelligence Center (UIC).

The ISE bug, tracked as CVE-2025-20152, impacts the RADIUS message processing feature and could be exploited remotely, without authentication, to cause ISE to reload, leading to a denial of service (DoS) condition.

OEMCISCO
SeverityHIGH
CVSS Score8.6
CVEsCVE-2025-20152, CVE-2025-20113, CVE-2025-20114
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

This include a critical denial-of-service (DoS) vulnerability in the RADIUS protocol processing (CVE-2025-20152) and two privilege escalation flaws (CVE-2025-20113, CVE-2025-20114).

These unpatched issues, could result in network disruption and unauthorized access to sensitive data.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​RADIUS DoS Vulnerability  CVE-2025-20152Cisco Identity Services Engine  High  ISE 3.4 Patch 1 (3.4P1)
Privilege Escalation Vulnerability  CVE-2025-20113Unified Intelligence Center  High  UIC 12.5(1)SU ES04, 12.6(2)ES04
Privilege Escalation Vulnerability  CVE-2025-20114Unified Intelligence Center  High  UIC 12.5(1)SU ES04, 12.6(2)ES04

Technical Summary

The vulnerabilities identified in ISE and UIC products are critical and the allow an authenticated attacker to elevate their privileges to those of an administrator, for a limited set of functions on a vulnerable system by potentially accessing or manipulating unauthorized data.

Medium-severity bugs were also resolved in Webex, Webex Meetings, Secure Network Analytics Manager, Secure Network Analytics Virtual Manager, ISE, Duo, Unified Communications and Contact Center Solutions, and Unified Contact Center Enterprise (CCE).

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-20152  CISCO ISE 3.4Improper handling of malformed RADIUS authentication requests can cause a system reload.    Denial of Service (DoS), Network Disruption
      CVE-2025-20113 Unified Intelligence Center  12.5, 12.6Insufficient server-side validation in API/HTTP requests may allow an authenticated attacker to escalate privileges to Admin level for certain functions.    Privilege Escalation, Unauthorized Data Access
    CVE-2025-20114Unified Intelligence Center  12.5, 12.6Insufficient input validation in API allows IDOR attacks, enabling attackers to access data of other users.    Horizontal Privilege Escalation, Data Exposure

Remediation:

Cisco has released security updates to address these vulnerabilities:

  • For CVE-2025-20152 (Cisco ISE):

Upgrade to ISE 3.4P1 or later. No workarounds exist; RADIUS services are enabled by default, making immediate patching critical.

  • For CVE-2025-20113 and CVE-2025-20114 (UIC):

Upgrade to:

  • UIC 12.5(1)SU ES04 or later.
    • UIC 12.6(2)ES04 or later.
    • Unified CCX users should migrate to a fixed release if using affected versions.

Administrators are advised to verify product versions and apply patches through official Cisco channels.

Conclusion:
These vulnerabilities pose significant security risks especially CVE-2025-20152, which affects the core authentication protocol in many Cisco ISE deployments.

Organizations should prioritize updates to mitigate risks of denial-of-service attacks and unauthorized data access. No exploitation in the wild has been observed so far, but given the critical nature, immediate action is strongly recommended.

References:

Security Advisory

Critical Firefox 0-Day Vulnerabilities Exploited at Pwn2Own 2025 – Immediate Update Required

Summary: Mozilla Patches Two Critical Zero-Day Vulnerabilities In Firefox.

The Two critical zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) have been discovered in Mozilla Firefox, allowing attackers to execute malicious code through out-of-bounds memory manipulation in the JavaScript engine.

OEMMozilla
SeverityHigh
CVSS Score8.8
CVEsCVE-2025-4918, CVE-2025-4919
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

Mozilla has released emergency security updates to address the issues.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​ JavaScript Promise OOB Access  CVE-2025-4918Firefox  High  Firefox 138.0.4, ESR 128.10.1, 115.23.1
Array Index Confusion  CVE-2025-4919Firefox  High  Firefox 138.0.4, ESR 128.10.1, 115.23.1

Technical Summary

The two vulnerabilities lie within the JavaScript engine of Mozilla Firefox. CVE-2025-4918 arises from improper handling of JavaScript Promise objects, leading to out-of-bounds memory access. CVE-2025-4919 involves an integer overflow during array index calculations, resulting in memory corruption.

Both vulnerabilities can be exploited by tricking users into visiting a malicious website, allowing attackers to gain code execution capabilities within the browser.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-4918  Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1Improper memory boundary handling in JavaScript Promise resolution leads to out-of-bounds read/write    Remote Code Execution
    CVE-2025-4919    Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1Array index miscalculation during optimization routines allows memory corruption via out-of-bounds access    Remote Code Execution

Remediation:

  • Update Firefox: Mozilla has released patched versions that fix these vulnerabilities. Users and administrators should immediately update to the latest versions:
  • Firefox 138.0.4 or later
  • Firefox ESR 128.10.1 or later
  • Firefox ESR 115.23.1 or later

Recommendations:

  • Temporary Workarounds (if immediate update is not possible):
  • Avoid visiting unfamiliar or suspicious websites.
  • Use browser security extensions to restrict or disable JavaScript execution.
  • Consider using application whitelisting or sandboxing to restrict browser-based activities.
  • Enterprise Recommendation:
  • Deploy Firefox updates across managed environments using enterprise software deployment tools.
  • Monitor threat intelligence feeds and endpoint protection logs for any signs of exploitation

Conclusion:
The vulnerabilities CVE-2025-4918 and CVE-2025-4919 pose critical risks as they can be exploited for remote code execution via malicious JavaScript. These flaws were responsibly disclosed and demonstrated at Pwn2Own 2025, a leading security research competition held in Berlin.

  • CVE-2025-4918 was discovered and demonstrated by Edouard Bochin and Tao Yan from Palo Alto Networks, involving an out-of-bounds write in the handling of JavaScript Promise objects.
  • CVE-2025-4919 was discovered by security researcher Manfred Paul, who exploited a memory corruption issue through array index manipulation.

Both researchers participated through Trend Micro’s Zero Day Initiative (ZDI), and their demonstrations earned top scores and prizes. Mozilla has responded swiftly with fixes, and users are strongly urged to update immediately.

Staying current with software patches remains a vital defense against modern web-based threats.

The updates, which cover Firefox on both desktop and Android platforms, as well as two Extended Support Releases (ESR), were issued just hours after the event concluded on Saturday—immediately following the public demonstration of the second vulnerability.

References:

Security Advisory

Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk 

Summary : A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild.

OEM Google 
Severity Medium 
CVSS Score 4.3 
CVEs CVE-2025-4664 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Insufficient Policy Enforcement vulnerability  CVE-2025-4664 Google Chrome  Medium  136.0.7103.113/.114 (Win/Mac),  136.0.7103.113 (Linux) 

Technical Summary 

CVE-2025-4664 is a zero-day vulnerability found in the Chrome Loader component due to insufficient policy enforcement.

It enables remote attackers to bypass browser security controls using crafted HTML content, possibly leaking cross-origin data or achieving sandbox escape. The bug has been actively exploited in the wild.

A second high-severity flaw, CVE-2025-4609, was also addressed in this update, involving an incorrect handle in the Mojo IPC layer, which can lead to memory corruption or privilege escalation. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-4664  Chrome (Windows, Mac, Linux) Insufficient policy enforcement in Loader enables cross-origin data leaks via crafted HTML.  Data leakage, sandbox escape, potential code execution 

Remediation

  • Update Chrome: Google has released security updates to address these vulnerabilities. Users and administrators must apply the latest Chrome versions: 
  • Windows/macOS: Chrome 136.0.7103.113 /136.0.7103.114 or later 
  • Linux: Chrome 136.0.7103.113 or later 

Conclusion: 
The active exploitation of CVE-2025-4664 highlights the urgent need for rapid security response and patch management. With acknowledgment from CISA and public disclosure by @slonser_, this zero-day poses a real and present threat to users of Chrome and other Chromium-based browsers.

Organizations should take immediate action to patch affected systems and monitor for signs of compromise.

Regular browser updates and proactive vulnerability management are essential to mitigating such critical security risks. 

References

Scroll to top