Google has urgently patched a critical zero-day vulnerability in its Chrome browser, identified as CVE-2025-10585, which was actively exploited in the wild before its disclosure. This vulnerability, with a CVSS score of 9.8, affects the V8 JavaScript engine used by Chrome, allowing remote attackers to potentially execute arbitrary code through a crafted HTML page. The flaw is categorized under CWE-843, indicating a type confusion issue that can lead to heap corruption.
The zero-day, which was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on September 23, 2025, underscores the persistent threat landscape facing Chrome users. This marks the sixth such zero-day vulnerability in Chrome that Google has addressed in 2025 alone, highlighting a troubling trend of sophisticated attacks targeting one of the world's most widely used web browsers.
The exploitation of CVE-2025-10585 was detected in the wild approximately 1.7 days before its official disclosure, classifying it as a zero-day exploit. The availability of a proof-of-concept (PoC) exploit further exacerbates the risk, as it provides a blueprint for attackers to replicate the exploit. The vulnerability's exploitation potential is reflected in its Security Severity Vulnerability Classification (SSVC) status, which is marked as "act," indicating active exploitation.
Google's swift response involved releasing a patch in Chrome version 140.0.7339.185, which users are strongly advised to apply immediately to mitigate the risk of exploitation. The urgency of this update cannot be overstated, given the critical nature of the vulnerability and its active exploitation status.
For security teams, the immediate focus should be on ensuring that all instances of Chrome within their networks are updated to the latest version. Additionally, monitoring for any signs of compromise related to this vulnerability should be prioritized. Given the nature of the exploit, defenders should be particularly vigilant for unusual HTML page activity that could indicate an attempt to leverage the vulnerability.
This incident serves as a stark reminder of the importance of maintaining up-to-date software and the need for robust patch management processes. As attackers continue to exploit zero-day vulnerabilities, organizations must remain proactive in their cybersecurity defenses to protect against emerging threats.
CSURFACE