Vulnerabilities

Actively Exploited Chromium Zero-Day: CVE-2025-6554 Affects Chrome, Edge, and Opera

Google, Microsoft, and Opera have released emergency security updates to fix a high-severity type confusion vulnerability in Google’s V8 JavaScript engine that affects their browsers. Google’s Threat Analysis Group (TAG) recently discovered and reported the vulnerability, tracked as CVE-2025-6554 with a CVSS score of 8.1. The vulnerability affects all browsers that use the Chromium codebase, and allows a remote attacker to perform arbitrary read/write via a crafted HTML page. What makes this vulnerability especially dangerous is that it’s not only widespread, but actively exploited in the wild — prompting an urgent call to patch all affected browsers.

What is CVE-2025-6554?

CVE-2025-6554 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine used by Chromium-based browsers. A remote attacker can exploit this flaw via a crafted HTML page, allowing arbitrary read/write operations in memory. The zero-day vulnerability was first discovered and patched in Google Chrome, but also affects other Chromium-based browsers like Microsoft Edge and Opera. The vulnerability is currently being exploited in the wild, with possible use in highly targeted attacks, potentially by nation-state actors or for surveillance purposes.

Mondoo ranks this vulnerability as critical since the CVE is ‘known exploited’ and ‘high-severity’

What is a type confusion vulnerability?

A type confusion vulnerability (also known as type manipulation or type-unsafe access) occurs when a program or application accesses a resource, such as a variable or object, with a different type than it was originally allocated or initialized with.

Attackers can exploit these vulnerabilities to trigger unintended behavior and achieve various malicious outcomes, including cross-site scripting, denial of service, data exposure, access control bypass, file inclusion, and even remote code execution (RCE).

Type confusion bugs are especially dangerous in just-in-time (JIT) compilers like V8, which power dynamic languages such as JavaScript.

What is V8?

V8 is Google's open-source JavaScript and WebAssembly engine used in Google Chrome and many Chromium-based browsers. It compiles and runs JavaScript in real time, processing untrusted content from websites.

Because of its central role in browser security — and its exposure to the open web — V8 is a frequent target for attackers, especially in sophisticated campaigns.

Who is affected by CVE-2025-6554?

CVE-2025-6554 affects any browser built on Chromium’s codebase. The popularity of Chrome and the widespread adoption of the V8 engine in other Chromium-based browsers means that a large number of users are potentially vulnerable to exploits, including:

Due to the massive user base of these browsers, millions of users are at risk.

Is CVE-2025-6554 actively exploited?

Yes. Multiple indicators confirm active exploitation:

  • Google TAG has confirmed ‘an exploit exists in the wild.’  
  • The vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog.
  • The Exploit Prediction Scoring System( EPSS) estimates a 91% likelihood of exploitation within 30 days, ranking it among the top 10% of all known vulnerabilities.

This underscores the urgent need to patch all affected browsers immediately.

Mondoo shows that the CVE has a dangerous combination of a high CVSS score (8.1) and a high EPSS percentile

How to remediate CVE-2025-6554 

Most browsers are configured to auto-update, but updates may not apply until the next browser restart. We recommend:

  • Restart your browser immediately to apply the latest patch.
  • Verify your browser version to ensure it’s up to date (Google Chrome: 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux. Microsoft Edge: 138.0.3351.65).
  • If you manage endpoints in a corporate environment, push the updates through your centralized endpoint management system without delay.

To make sure that all CVEs have been remediated and don’t reoccur, it’s important to continually scan your environment with a vulnerability management tool, such as Mondoo.

Detect CVE-2025-6554 with Mondoo 

Mondoo scans your endpoints for vulnerabilities and alerts if it detects CVE-2025-6554 on any of your machines. Mondoo detects CVE-2025-6554 in Google Chrome and Microsoft Edge on all Windows, macOS, and Linux machines. 

Mondoo detects CVE-2025-6554 in Google Chrome on a Windows OS
Mondoo detects CVE-2025-6554 in Google Chrome on a macOS

Find and fix the security risks that pose the biggest threat to your business.

Problembehebung dreimal schneller mit Mondoo Unified Exposure Management

About Mondoo

Mondoo is an exposure management platform that identifies, prioritizes, and remediates vulnerabilities and misconfigurations in your entire IT infrastructure and SDLC from a single interface — including on-prem, cloud, SaaS, and endpoints. Unlike siloed approaches, Mondoo enables you to quickly understand your most urgent risks and initiate fast remediation, ensuring optimized security efforts and significantly improving security posture. 

Want to see Mondoo in action? Schedule a demo with one of our experts.

Salim Afiune Maya

Salim ist technischer Leiter bei Mondoo und konzentriert sich auf Full-Stack-Entwicklung und Sicherheit, bei der Entwickler an erster Stelle stehen. Zuvor war er mehr als 4 Jahre bei Lacework tätig, um Entwicklertools zu skalieren. Davor half er bei Chef mit Tools wie Test Kitchen bei der Gestaltung von Infrastructure-as-Code. Seine technische Reise begann bei Sun Microsystems, wo er sich ein fundiertes Grundlagenwissen in den Bereichen Systemdenken und Open Source aneignete. Außerhalb der Arbeit findet man ihn beim Rucksackfahren, Snowboarden, Kochen oder bei der Jagd auf Tischtennis-Rallyes.

Deborah Galea

Deborah ist Direktorin für Produktmarketing bei Mondoo und leitet die Bereiche Messaging und Positionierung, Produkteinführungen und Vertriebsförderung. Sie verfügt über mehr als 20 Jahre Erfahrung in der Cybersicherheitsbranche. Vor ihrer Tätigkeit bei Mondoo war Deborah Direktorin für Produktmarketing bei Orca Security und hatte verschiedene Marketingpositionen bei anderen Cybersicherheitsunternehmen inne. Sie war Mitbegründerin des E-Mail-Sicherheitsunternehmens Red Earth Software, das 2014 vom Cybersicherheitsunternehmen OPSWAT übernommen wurde.

You might also like

Microsoft
Microsoft Patch Tuesday August 2025: How to Prioritize Vulnerabilities for Patching
Vulnerabilities
Introducing Agentic Vulnerability Patching Using Ansible
Insights from DEF CON 33: From LLM Hacking to Supply Chain Remediation