The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with CVE-2025-2783, a high-severity sandbox escape vulnerability affecting Google Chromium browsers. This marks the 1,311th entry in the catalog, which serves as the federal government’s authoritative list of actively exploited security flaws requiring immediate remediation1.
Executive Summary for Security Leadership
The newly added vulnerability (CVE-2025-2783) impacts all Chromium-based browsers including Google Chrome, Microsoft Edge, and Opera. CISA has documented active exploitation in the wild, with a remediation deadline of April 17, 2025 for federal agencies under Binding Operational Directive (BOD) 22-012. While the directive technically applies only to Federal Civilian Executive Branch agencies, CISA strongly recommends all organizations prioritize patching this vulnerability.
Key points for security teams:
- Vulnerability: Mojo IPC sandbox escape in Chromium (CVE-2025-2783)
- Affected Products: Chrome v121-124, Edge v119-122, Opera v106-109
- Patch Deadline: April 17, 2025 (federal agencies)
- Exploit Status: Active exploitation observed
- CVSS Score: 9.1 (Critical)
Technical Analysis of CVE-2025-2783
The vulnerability resides in Chromium’s Mojo inter-process communication (IPC) framework, which handles privileged operations between browser processes. Successful exploitation allows attackers to escape the browser sandbox and execute arbitrary code with the privileges of the hosting application3. This is particularly dangerous when combined with other browser exploits to achieve full system compromise.
Chromium’s security model relies heavily on process isolation through sandboxing. The Mojo framework facilitates communication between these isolated processes while maintaining security boundaries. CVE-2025-2783 represents a failure in these boundary checks, enabling malicious actors to bypass sandbox restrictions entirely.
Remediation and Mitigation Strategies
Google has released patches for all supported Chromium versions. Organizations should:
- Update Chrome to version 125.0.6422.61 or later
- Update Edge to version 123.0.2420.81 or later
- Update Opera to version 110.0.5133.102 or later
For systems where immediate patching isn’t feasible, consider these temporary mitigations:
| Mitigation | Effectiveness | Impact |
|---|---|---|
| Disable JavaScript execution | High | Breaks most web functionality |
| Enable Site Isolation | Medium | Minimal user impact |
| Restrict untrusted websites | Variable | Operational constraints |
Broader Security Implications
The KEV Catalog serves as a prioritized list of vulnerabilities known to be actively exploited. With this addition, the catalog now contains 1,311 entries since its inception in 20214. Security teams should integrate regular checks against this catalog into their vulnerability management programs, as these flaws represent the most immediate threats to enterprise security.
Recent analysis shows that vulnerabilities added to the KEV catalog are typically weaponized within 7 days of public disclosure. The inclusion of CVE-2025-2783 suggests this vulnerability has already been incorporated into exploit kits or targeted attack campaigns.
Conclusion
CISA’s continued expansion of the KEV Catalog provides organizations with clear guidance on which vulnerabilities demand immediate attention. The addition of CVE-2025-2783 underscores the ongoing risks posed by browser-based attacks and the importance of maintaining rigorous patch management processes. All organizations using Chromium-based browsers should prioritize remediation of this vulnerability before the April 17 deadline.
