Browser Security

Pwn2Own Ireland 2025: Browser Exploits and Zero-Day Revelations

Nishant Sharma

4 min read

Pwn2Own Ireland 2025 concluded with significant implications for browser security, as researchers demonstrated successful exploits against leading web browsers and other software. The event, held from October 22-24, saw a total of $1,024,750 awarded for 73 zero-day vulnerabilities across various categories.

Breaking News: October 25, 2025 Browser Security Updates

Critical Chrome V8 JavaScript Engine Flaw Discovered

Google has released an emergency security update addressing CVE-2025-12036, a critical vulnerability in Chrome's V8 JavaScript engine discovered by Google's Big Sleep AI project. This inappropriate implementation flaw could enable remote code execution on vulnerable systems. The patch has been rolled out in Chrome version 141.0.7390.122/.123 for Windows and macOS, and version 141.0.7390.122 for Linux.

Malicious Browser Extensions Impersonate AI Sidebars

Security researchers have identified a new threat vector where malicious web browser extensions impersonate the AI sidebar features of AI-powered browsers. These fake extensions can display phishing content and instruct users to execute commands that provide remote access to their devices, enabling malware deployment. This highlights the growing sophistication of browser-based attacks targeting users of modern AI-enhanced browsers.

Recent Chrome Zero-Day Exploits

Chrome has faced six zero-day vulnerabilities exploited in the wild throughout 2025, including the recent CVE-2025-10585, a type confusion vulnerability in the V8 JavaScript engine. Other exploited flaws include CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, and CVE-2025-6558, demonstrating the relentless pace of sophisticated attacks targeting the world's most popular browser.

Pwn2Own Ireland 2025 Overview

The Summoning Team claimed the 'Master of Pwn' title, demonstrating exceptional skill in uncovering critical vulnerabilities. While specific details on all browser exploits are still emerging, the event underscored the ongoing sophistication of attackers and the necessity for continuous security research and patching.

Browser Exploitation Highlights

  • Zero-Days Disclosed: A significant portion of the 73 zero-days discovered during Pwn2Own Ireland targeted web browsers, alongside other applications like enterprise communication platforms and mobile devices.
  • Impact: Successful browser exploits at such events often lead to arbitrary code execution, privilege escalation, and data exfiltration, highlighting the critical need for users to apply security updates promptly.
  • Vendor Response: Vendors of affected software, including browser developers, will receive the details of these vulnerabilities to develop and release patches, often as part of their regular update cycles or out-of-band emergency releases.

Implications for Browser Security

The disclosures at Pwn2Own Ireland emphasize that even widely used and regularly updated browsers can contain exploitable flaws. These findings provide valuable intelligence to browser vendors, allowing them to harden their products against advanced threats. For users and organizations, it's a stark reminder that maintaining an aggressive patching cadence for all web browsers is paramount to mitigating risk from sophisticated attacks that often leverage such zero-day vulnerabilities.

Chrome 141 Security Update: 21 Vulnerabilities Patched

Google recently released Chrome 141 addressing 21 security vulnerabilities, including several critical flaws that could allow attackers to execute arbitrary code:

  • CVE-2025-11205: Heap buffer overflow in WebGPU ($25,000 bounty) - could enable arbitrary code execution
  • CVE-2025-11206: Heap buffer overflow in Video processing ($4,000 bounty)
  • CVE-2025-11215 & CVE-2025-11219: V8 JavaScript engine flaws discovered by Google's Big Sleep AI system
  • CVE-2025-11458: Heap buffer overflow in Chrome Sync component
  • CVE-2025-11460: Use-after-free vulnerability in Storage component

October 2025 Patch Tuesday: Critical Vulnerabilities and Zero-Days

Microsoft's October 2025 Patch Tuesday, released on October 14, 2025, addressed a total of 172 CVEs, including two publicly disclosed and three zero-day vulnerabilities, alongside eight critical severity flaws. While the primary focus of these patches was broader Windows Server and other Microsoft products, the implications for browser security remain relevant due to the interconnectedness of operating systems and browser functionality.

Key Patch Tuesday Highlights (Non-Browser Specific, but Impactful)

  • Critical WSUS Flaw (CVE-2025-59287): A critical Remote Code Execution (RCE) vulnerability in Windows Server Update Services (WSUS) (CVE-2025-59287) has been actively exploited. This flaw, while not directly browser-based, could lead to widespread compromise of systems that depend on WSUS for updates, indirectly impacting browser security postures across an enterprise. Microsoft issued an emergency patch for this critical vulnerability, and the U.S. CISA added it to its Known Exploited Vulnerabilities catalog.
  • APT36 DeskRAT Campaign: The APT36 group is targeting the Indian government with Golang-based DeskRAT malware, which can leverage various attack vectors, potentially including browser-based initial access.
  • Smishing Triad Operation: A large-scale smishing operation is linked to 194,000 malicious domains, indicating pervasive phishing threats that often start with users clicking malicious links in SMS messages, leading to browser compromise.

Urgent Action Required

Immediate Steps for Users and Organizations

  • Update Chrome Immediately: Ensure Chrome is updated to version 141.0.7390.122 or later. Navigate to Settings > About Chrome to check for updates.
  • Update All Browsers: Users of Chromium-based browsers (Edge, Brave, Opera, Vivaldi) should also apply updates as they become available.
  • Review Browser Extensions: Remove unnecessary extensions and verify that installed extensions are from trusted developers with appropriate permissions.
  • Enable Automatic Updates: Configure browsers to update automatically to protect against rapidly emerging threats.
  • Apply OS Patches: Promptly apply all operating system and software patches, especially those addressing critical and actively exploited vulnerabilities.
  • Exercise Caution: Be vigilant against phishing and smishing attempts. Verify the legitimacy of links and attachments before clicking, especially those claiming to be from AI assistants or sidebars.
  • Implement Security Tools: Utilize robust endpoint protection, email security gateways, and web filtering solutions to detect and block malicious content and access.

References

  1. Hackers earn $1,024,750 for 73 zero-days at Pwn2Own Ireland - BleepingComputer
  2. Pwn2Own Ireland 2025: Day Three and Master of Pwn - Zero Day Initiative
  3. CVE-2025-12036 Vulnerability: Critical Chrome V8 JavaScript Engine Flaw - SOC Prime
  4. Security News Weekly Round-Up - 24th October 2025 - DEV Community
  5. Chrome Security Update Patches 21 Vulnerabilities - Cybersecurity News
  6. October 2025 Patch Tuesday Analysis - CrowdStrike
  7. Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation - The Hacker News
  8. Microsoft drops surprise Windows Server patch before weekend downtime - The Register
  9. U.S. CISA adds Microsoft WSUS, and Adobe Commerce and Magento Open Source flaws to its Known Exploited Vulnerabilities catalog - Security Affairs
  10. APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign - The Hacker News
  11. Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation - The Hacker News

Read more