Search
On this page ▾
CVE-2025-2783 — Google Chromium Mojo Sandbox Escape Vulnerability

CVE-2025-2783

Google Chrome Mojo (Windows) — IPC Handle Logic Error Enables Sandbox Escape; Operation ForumTroll Russian APT; March 2025 Zero-Day
⚠️ CVSS 3.1  8.3 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

What is Chrome's Mojo IPC Framework?

Mojo is Google's inter-process communication (IPC) framework used within Chrome to enable communication between its isolated processes (browser process, renderer processes, GPU process, utility processes). Chrome's security model depends on Mojo correctly isolating processes — messages sent via Mojo should not allow a sandboxed renderer to escalate privileges to the browser process or OS. Logic errors in Mojo handle management can allow sandboxed processes to access OS resources they should not be able to reach.

Overview

CVE-2025-2783 is a logic error in Chrome's Mojo IPC framework on Windows that results in an incorrect OS handle being provided in unspecified circumstances — enabling a sandbox escape from the Chrome renderer process. Discovered by Kaspersky researchers during analysis of the "Operation ForumTroll" APT campaign, this was the first Chrome zero-day of 2025. The Changed scope (S:C) in the CVSS vector reflects the sandbox boundary crossing — code in the restricted renderer process escapes to the broader OS context. Kaspersky attributed Operation ForumTroll to a Russian APT targeting journalists, academics, and government officials in Russia via spear-phishing emails with links to a malicious web forum.

Affected Versions

Product Vulnerable Fixed
Google Chrome for Windows < March 25, 2025 stable update March 25, 2025 update
Microsoft Edge (Windows) Corresponding pre-fix version March 2025 Edge update
Other Chromium browsers (Windows) Varies Update per vendor

Windows-specific: The Mojo handle logic error is specific to Windows (handles are Windows OS concepts). macOS and Linux Chromium users are not affected by this specific CVE.

Technical Details

The sandbox escape occurs due to a logic error in how Mojo handles Windows OS handles (file handles, process handles, event handles, etc.) during IPC operations between Chrome processes. Mojo's handle brokering mechanism — which controls which handles can be shared between processes — provides an incorrect handle in certain circumstances, allowing a sandboxed renderer process to access OS resources outside its sandbox boundary.

The precise handle type and trigger condition are not publicly disclosed. The High attack complexity (AC:H) reflects that the trigger requires specific conditions to produce the incorrect handle provision — the attacker must engineer the right state through crafted JavaScript execution. Despite AC:H, Kaspersky confirmed this was reliably exploited in Operation ForumTroll.

Full exploit chain in Operation ForumTroll:

  1. Phishing email delivers a malicious link to a web forum page
  2. Victim's Chrome processes the page, triggering a V8 or rendering vulnerability for initial renderer code execution
  3. CVE-2025-2783 Mojo sandbox escape elevates from renderer to OS-level access
  4. Attacker delivers payload (espionage implant) to the compromised Windows system

Discovery

Kaspersky Threat Research — specifically researchers who identified active exploitation in phishing campaigns targeting Russian academics, journalists, and government officials (Operation ForumTroll). Kaspersky reported the zero-day to Google on March 17, 2025; Google patched on March 25, 2025.

Exploitation Context

Operation ForumTroll: A Russian APT (suspected APT29/Cozy Bear or related actor, though Kaspersky did not formally attribute) used CVE-2025-2783 in targeted spear-phishing campaigns. Victims received emails inviting them to a Russian scientific forum; the link led to a malicious page hosting the Chrome exploit. Targets included Russian-language media organizations, academic researchers, and government-affiliated individuals. The targeting of Russian citizens by a presumably Russian-state actor is consistent with internal counterintelligence operations.

Remediation

  1. Apply the March 25, 2025 Chrome stable update (or any later version) for Windows. The CISA deadline was April 17, 2025.
  2. Update all Chromium-based browsers on Windows: Edge, Brave, Opera, Vivaldi — all use Mojo and need vendor-specific updates.
  3. Enable automatic Chrome updates — the Operation ForumTroll exploitation window was approximately 8 days (March 17–25, 2025); rapid updates minimize exposure.
  4. High-risk users: journalists, researchers, and government employees — particularly those working on Russia-related topics — should treat any unsolicited link as suspect.

Key Details

PropertyValue
CVE ID CVE-2025-2783
Vendor / Product Google — Chromium Mojo
NVD Published2025-03-26
NVD Last Modified2025-10-24
CVSS 3.1 Score8.3
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
SeverityHIGH
CISA KEV Added2025-03-27
CISA KEV Deadline2025-04-17
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2025-04-17. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

DateEvent
2025-03-17Kaspersky discovers zero-day exploitation in the wild (Operation ForumTroll)
2025-03-25Chrome stable channel update released with fix
2025-03-26CVE published
2025-03-27CISA adds to KEV; Kaspersky publishes Operation ForumTroll report
2025-04-17CISA BOD 22-01 remediation deadline

References

ResourceType
Chrome Stable Channel Update — March 25, 2025 Vendor Advisory
NVD — CVE-2025-2783 Vulnerability Database
CISA KEV Catalog Entry US Government
Kaspersky — Operation ForumTroll: Chrome Sandbox Escape Zero-Day Security Research

Last updated: 2026-05-17

Suggest an update ↗

Gavin Hollinger & AI assembled this air-gap friendly HTML