A high-severity zero-day vulnerability, CVE-2025-6554, in Google Chrome's V8 JavaScript engine is currently being exploited in the wild. This type confusion flaw, identified as CWE-843, allows remote attackers to execute arbitrary read and write operations via a crafted HTML page. The vulnerability affects Chrome versions prior to 138.0.7204.96 and carries a CVSS score of 8.1, underscoring its potential impact.
The flaw was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on July 2, 2025, just two days after its initial disclosure on June 30, 2025. The rapid exploitation of this vulnerability, with a time-to-exploit in the wild of just 1.1 days, highlights the urgency for users to update their browsers immediately. Google has responded swiftly by releasing a security update to address the issue.
Proof-of-concept exploits for CVE-2025-6554 are already circulating, with at least eight known examples available. This increases the risk of widespread exploitation, as attackers can leverage these PoCs to craft malicious web pages targeting vulnerable Chrome installations.
Security teams should prioritize patching affected systems and ensure that Chrome is updated to the latest version to mitigate potential attacks. The Security Severity Vulnerability Classification (SSVC) for this flaw is marked as 'attend,' indicating that it requires immediate attention from security professionals.
Given the active exploitation and the availability of PoCs, organizations should also consider implementing additional security measures, such as network-level protections and monitoring for unusual activity, to defend against potential attacks leveraging this vulnerability.
CSURFACE