Firefox fixes flaw similar to Chrome zero-day

Posted by: Evans Asare

Firefox fixes flaw similar to Chrome zero-day used against Russian organizations. Mozilla has patched a critical security flaw in its Firefox browser, just days after Google addressed a similar vulnerability that had been exploited as a zero-day in espionage attacks against Russian organizations.

The Firefox flaw, tracked as CVE-2025-2857, allows attackers to escape the browser’s sandbox protections and gain broader system access. According to Mozilla, this issue affects only Firefox on Windows. There is no evidence that the vulnerability has been exploited in the wild.

Firefox developers discovered the issue after Google disclosed that unknown attackers had exploited a previously unreported bug, now tracked as CVE-2025-2783, to break out of Chrome's sandbox.

In a report earlier this week, researchers at the Russian cybersecurity firm Kaspersky said that the Chrome flaw was exploited in an espionage campaign targeting media outlets and educational institutions in Russia.

Kaspersky described the bug as “one of the most interesting” they had encountered. Without engaging in any obviously malicious or forbidden actions, the hackers managed to bypass Google Chrome’s sandbox protections “as if they didn’t even exist,” the researchers said. Sandboxes allow a browser to run potentially unsafe code in a way that’s isolated from other functions.

Due to the complexity of the attack and the tools used, Kaspersky believes the operation was carried out by state-sponsored hackers, though they have not attributed it to a specific country.

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-2783 to its Known Exploited Vulnerabilities (KEV) catalog.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the agency said.

Earlier in October, Firefox patched another serious security flaw that had been exploited by hackers. Mozilla stated that the bug, tracked as CVE-2024-9680, could allow attackers to execute malicious code within Firefox’s content process—an environment where web content is loaded and rendered.

The exploit requires no user interaction and can be executed over the network with low complexity.
