Google has swiftly patched a critical zero-day vulnerability in its Chrome browser, identified as CVE-2025-6554, which was being actively exploited in the wild. This marks the fifth such zero-day vulnerability addressed by Google in 2025, underscoring the persistent threat landscape facing popular web browsers.
CVE-2025-6554 is a type confusion flaw in the V8 JavaScript engine used by Chrome. With a CVSS score of 8.1, this vulnerability allows remote attackers to perform arbitrary read and write operations via a specially crafted HTML page. The flaw was disclosed on June 30, 2025, and was reportedly exploited within just one day of its disclosure, highlighting the rapid pace at which threat actors are able to weaponize newly discovered vulnerabilities.
The vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of July 2, 2025, signaling its significance and the urgency for organizations to apply the available patches. The Exploit Prediction Scoring System (EPSS) for this vulnerability is relatively low at 0.009, suggesting that while the vulnerability is critical, the likelihood of exploitation across the broader internet remains limited.
Proof-of-concept (PoC) exploits for CVE-2025-6554 have already surfaced, with at least eight known instances available, further emphasizing the need for immediate action by security teams. The vulnerability affects versions of Google Chrome prior to 138.0.7204.96, and users are urged to update to the latest version to mitigate potential risks.
The Security Severity Vulnerability Classification (SSVC) for this flaw is marked as 'attend,' indicating that organizations should prioritize addressing this vulnerability due to its active exploitation status. The rapid exploitation timeline, with a time-to-exploit in the wild of just 1.1 days, serves as a stark reminder of the importance of timely patch management.
For security practitioners, the immediate focus should be on ensuring that all systems running affected versions of Chrome are updated. Additionally, monitoring for any signs of compromise related to this vulnerability should be a priority. As attackers continue to target widely used software like Chrome, maintaining a robust patch management strategy is essential to safeguarding against these evolving threats.
CSURFACE