Urgent Browser Security Alert: Chrome Patches Multiple High-Severity Vulnerabilities, Zimbra XSS Zero-Day Actively Exploited
In the rapidly evolving landscape of cybersecurity, staying ahead of potential threats is paramount. This update brings critical news concerning both direct browser vulnerabilities and web application flaws that impact user browser security. Google Chrome has released urgent patches for a suite of high-severity vulnerabilities, while a zero-day Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration Suite is under active exploitation. Read on for a detailed breakdown of these pressing security concerns and crucial steps to protect your digital presence.
Browser-Specific Security Updates
Google Chrome
Google has rolled out a vital update for its Chrome browser, addressing multiple high-severity vulnerabilities that could expose users to arbitrary code execution.
- CVE IDs & Severity:
  - CVE-2025-4554: Use-after-free in Dawn (High)
  - CVE-2025-4555: Use-after-free in WebCodecs (High)
  - CVE-2025-4556: Use-after-free in WebRTC (High)
  - CVE-2025-4557: Out-of-bounds write in ANGLE (High)
  - CVE-2025-4558: Type Confusion in V8 (High)
  - CVE-2025-4559: Heap buffer overflow in PDF (High)
  - CVE-2025-4560: Inappropriate implementation in Fullscreen API (Medium)
  - CVE-2025-4561: Out-of-bounds read in ANGLE (Medium)
- Affected Versions/Platforms: Google Chrome stable channel versions prior to 138.0.6789.123/124 on Windows, Mac, and Linux.
- Exploit Status: No immediate reports of active exploitation at the time of the advisory, but the high severity of these issues makes prompt patching critical.
- Patch/Workaround Details: Users are strongly advised to update their Google Chrome browser to version 138.0.6789.123/124 or later. While Chrome typically updates automatically, it is prudent to manually check for and apply updates by navigating to Settings > About Chrome.
- Details: These vulnerabilities encompass a range of critical flaws including 'use-after-free' issues, 'type confusion', 'heap buffer overflow', and 'out-of-bounds read/write' bugs. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code within the context of the browser, potentially leading to data theft, system compromise, or other malicious activities. The 'Inappropriate implementation' in the Fullscreen API could enable user interface spoofing, tricking users into revealing sensitive information.
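Checking one machine through Settings > About Chrome does not scale to a fleet. The script below is an added example, not code from the advisory or from Google: it parses Chrome version banners (as reported by `google-chrome --version` or an inventory export) and compares them component-wise against the fixed build. The threshold 138.0.6789.123 is taken from the advisory above (the lower of the two fixed builds, 123/124); the inventory lines and host names are constructed sample data, and the binary names tried on PATH are assumptions for a Linux host.

```python
"""Compare installed Chrome builds against the fixed version from the advisory.

Added example. The fixed build comes from the advisory (138.0.6789.123/124);
host names and inventory banners below are constructed sample data.
"""
import re
import shutil
import subprocess
from typing import Dict, Iterable, Optional, Tuple

# Lower of the two fixed builds named in the advisory; anything >= this is patched.
FIXED_CHROME_VERSION = "138.0.6789.123"

# Assumed binary names for a Linux host; macOS/Windows installs are not on PATH.
CHROME_BINARIES = ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser")


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull a four-component Chrome version out of free text such as
    'Google Chrome 138.0.6789.123' and return it as a tuple of ints.

    Integer tuples compare component-wise, so 138.0.6789.123 ranks above
    137.0.9999.999, which a plain string comparison would get wrong.
    """
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if not match:
        raise ValueError(f"no Chrome version found in: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(installed: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True when the installed build is at or beyond the fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def classify_inventory(entries: Iterable[Tuple[str, str]]) -> Dict[str, bool]:
    """Map each (host, version banner) pair to True (patched) or False (needs update)."""
    return {host: is_patched(banner) for host, banner in entries}


def installed_chrome_version() -> Optional[str]:
    """Best-effort local lookup: run the first Chrome binary found on PATH with
    --version. Returns None when no binary is present (e.g. a CI runner)."""
    for binary in CHROME_BINARIES:
        path = shutil.which(binary)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True,
                                    text=True, check=False)
            return result.stdout.strip() or None
    return None


if __name__ == "__main__":
    # Constructed sample inventory, in the shape a fleet report might produce.
    SAMPLE_INVENTORY = [
        ("host-a", "Google Chrome 138.0.6789.124"),
        ("host-b", "Google Chrome 137.0.7151.119"),
        ("host-c", "Google Chrome 138.0.6789.99"),
    ]
    for host, patched in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'OK' if patched else 'NEEDS UPDATE'}")
    local = installed_chrome_version()
    if local:
        print(f"this machine: {local} -> {'OK' if is_patched(local) else 'NEEDS UPDATE'}")
```

Feed the inventory half of the script whatever your endpoint-management tool exports; the component-wise comparison is the part worth keeping, since string sorting of version numbers is a common source of false "patched" results.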
Web Application Security Impacting Browsers
Zimbra Collaboration Suite (ZCS)
A critical zero-day Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) is currently being actively exploited, posing a significant risk to organizations using the platform. CISA has also added this flaw to its Known Exploited Vulnerabilities Catalog.
- CVE ID: CVE-2025-27915
- Severity: Critical (Zero-Day, Actively Exploited, CISA KEV listing)
- Affected Versions/Platforms: All unpatched Zimbra Collaboration Suite (ZCS) instances. Specific version ranges should be verified against vendor advisories.
- Exploit Status: Zero-day, actively exploited in the wild.
- Patch/Workaround Details: Organizations utilizing Zimbra Collaboration Suite are urged to apply vendor-provided patches immediately. Due to active exploitation, immediate action is required to mitigate risk.
- Details: This XSS vulnerability enables attackers to inject malicious scripts into web pages served by ZCS. When a user accesses a compromised ZCS instance through their browser, these scripts can execute, potentially leading to session hijacking, credential theft, or the delivery of further client-side malware. The active exploitation and CISA's warning highlight the severe and immediate threat this vulnerability presents.
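Webmail renders HTML authored by untrusted senders, so the standard defensive control against the XSS class described above is to sanitize that HTML against an allowlist before the browser sees it. The sanitizer below is an added, generic illustration of that control written with Python's standard library; it is not Zimbra's code and makes no claim about how CVE-2025-27915 is triggered or fixed. The tag and attribute allowlists are assumptions chosen for a simple message body, and the inputs in the test are constructed samples.

```python
"""Allowlist HTML sanitizer for untrusted message bodies.

Added example of the defensive control for stored/reflected XSS in webmail-style
rendering. Generic code, not from Zimbra; the allowlists below are assumptions.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for a plain message body: structural and inline formatting only.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute (on*, style, ...) is dropped
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags only; everything else is dropped
    or escaped. Text inside <script>/<style> is discarded entirely."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []      # allowed tags currently open, so output stays balanced
        self.skip_depth = 0      # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                              # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # Only http(s)/mailto links survive; javascript:, data: etc. are removed.
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close anything opened after this tag too, so mis-nested input stays balanced.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # Character references were decoded by the parser; re-escape so text
            # such as a literal "<script>" can never become markup.
            self.out.append(escape(data, quote=False))

    def finish(self) -> str:
        self.close()
        while self.open_tags:                   # close tags the sender left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted: str) -> str:
    """Return a version of `untrusted` that contains only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    return parser.finish()


if __name__ == "__main__":
    # Constructed sample message body mixing formatting with hostile markup.
    sample = '<p onclick="x()">Hello <b>team</b></p><script>steal()</script>'
    print(sanitize_html(sample))
```

Pair a sanitizer like this with a Content-Security-Policy that disallows inline script, so that a sanitizer bypass still has to get past the browser's own policy; sanitization at render time and CSP are complementary, not alternatives.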
References
- Multiple Chrome Vulnerabilities Expose Users to Arbitrary Code Execution Attacks - Cybersecurity News
- CISA Warns of Zimbra Collaboration Suite (ZCS) XSS Zero-Day Vulnerability Actively Exploited in Attacks - Cybersecurity News
- Critical Zimbra XSS Zero-Day (CVE-2025-27915) Actively Exploited; CISA Adds to KEV Catalog - Security Online