In late June 2025, Google released a critical emergency update for Chrome, patching what is now the fourth actively exploited zero-day vulnerability in the browser this year. The pace at which Chrome vulnerabilities are being discovered—and exploited—continues to raise concerns in the cybersecurity world, especially as attacks become more sophisticated and highly targeted.
Why It Matters
Zero-day vulnerabilities are flaws that are discovered and exploited before the vendor has released a fix—meaning users are vulnerable by default. When such flaws affect Chrome, the world’s most widely used browser, the impact is potentially massive: millions of users across Windows, macOS, Linux, and Android may be exposed without even knowing it.
This latest patch addresses CVE-2025-6554, a vulnerability in the V8 JavaScript engine, and highlights growing concerns around browser-level attacks being used for spyware injection, credential theft, and remote code execution.
Breakdown of 2025’s Known Chrome Zero-Days (So Far)
1. CVE-2025-6554 (V8 – Type Confusion)
- Disclosed: June 27, 2025
- Severity: High
- Exploited in the wild: Yes
- A type confusion bug in the V8 engine that can lead to arbitrary code execution in the context of the browser.
- This bug was discovered internally by Google’s Threat Analysis Group (TAG), after observing targeted exploitation in the wild.
2. CVE-2025-2783 (WebAssembly – Memory Corruption)
- Disclosed: April 2025
- Exploited in the wild: Yes
- Stems from improper memory management in Chrome’s WebAssembly implementation, allowing attackers to escape the browser sandbox and run code on the host machine.
3. CVE-2025-4664 (Skia – Use-After-Free)
- Disclosed: May 2025
- A use-after-free vulnerability in Skia, the 2D graphics engine used in Chrome.
- Can be exploited to crash the browser or potentially execute arbitrary code when rendering complex graphics or PDF content.
4. CVE-2025-3012 (ANGLE – GPU Exploit Path)
- Disclosed: February 2025
- A flaw in Chrome’s ANGLE component used for WebGL rendering. While no mass attacks were reported, it was found being used in highly targeted spyware campaigns.
What You Should Do Now
If you’re using Google Chrome, update immediately. As of now, the patched version is Chrome 125.0.6422.111 or later, available on Windows, Mac, Linux, and Android.
To manually update:
- Go to Settings > About Chrome
- Chrome will auto-check for updates and prompt you to relaunch
Pro Tip:
Enable automatic updates and use Enhanced Safe Browsing to better detect malicious sites and downloads.
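For IT admins checking a fleet against the patched version named above, here is an added Python example (not code from the original post) that parses the version string each host reports and compares it component-wise; it assumes hosts report the output of Chrome's --version flag, and the hostnames and version strings below are constructed samples.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum patched build as stated in the post above.
PATCHED_MIN = "125.0.6422.111"

# Chrome versions are four dotted integers, e.g. "Google Chrome 125.0.6422.111".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from a reported string.
    Returns None when no version is present (e.g. Chrome not installed)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed: str, minimum: str = PATCHED_MIN) -> bool:
    """True when the installed build is at or above the patched build.
    Components are compared as integers: a plain string comparison would
    rank "125.0.6422.9" above "125.0.6422.111" and miss a stale host."""
    inst = parse_version(installed)
    need = parse_version(minimum)
    if inst is None or need is None:
        raise ValueError(f"unparseable version: {installed!r}")
    return inst >= need


def audit(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames that still need the update. A host whose version
    cannot be parsed is listed too: an unknown version is treated as unpatched."""
    stale = []
    for host, reported in inventory.items():
        try:
            if not is_patched(reported):
                stale.append(host)
        except ValueError:
            stale.append(host)
    return sorted(stale)


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {
        "ws-01": "Google Chrome 125.0.6422.111",
        "ws-02": "Google Chrome 125.0.6422.76",
        "ws-03": "Google Chrome 126.0.6478.55",
        "ws-04": "Google Chrome 125.0.6422.9",
        "ws-05": "chrome not installed",
    }
    for host in audit(sample):
        print(f"{host}: needs update (minimum {PATCHED_MIN})")
```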
The Bigger Picture: Zero-Days Are Not Slowing Down
The frequency of zero-day discoveries in 2025 is tracking ahead of previous years. Google, Microsoft, and Apple have all issued multiple critical patches for actively exploited flaws in the first half of the year. Attackers are focusing on browser engines because:
- They are constantly running in the background
- They act as a gateway to cloud apps, password managers, wallets, and more
- Exploiting them bypasses OS-level protections
Governments, APT groups, and financially motivated attackers are using zero-day chains to deliver surveillance tools and credential stealers that don’t require user interaction.
Google’s rapid response to this fourth zero-day exploit in Chrome is commendable—but it also highlights the growing arms race between browser vendors and threat actors. For users and IT admins, staying secure in 2025 means treating browser updates as critical system updates, not optional patches.
Keep your software current. Don’t delay.
Zero-days don’t wait for you to click “Update.”