Chrome Zero-Day Exploited in the Wild: Here’s What You Need to Know
If you’re using Google Chrome, stop what you’re doing and check for updates. A critical vulnerability (CVE-2025-4664) is being actively exploited by hackers, and both Google and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are urging users to patch immediately.
What’s the Vulnerability About?
Discovered by Solidlab researcher Vsevolod Kokorin, this flaw resides in Chrome’s Loader component, where weak policy enforcement allows attackers to steal sensitive data like login credentials or OAuth tokens from other websites you visit.
Here’s the kicker: attackers can craft a malicious HTML page that abuses Chrome’s handling of Link headers (a usually harmless web feature) to leak information from other tabs or services running in your browser. Kokorin demonstrated how this could expose query parameters in URLs, which often contain passwords, session tokens, or private API keys, simply by tricking you into loading a booby-trapped image or script.
Why Is This So Dangerous?
- Silent Data Theft: Unlike flashy ransomware attacks, this exploit works quietly, siphoning data without triggering alarms.
- Widespread Impact: OAuth logins, banking portals, and single-sign-on (SSO) systems often pass sensitive data via URL parameters. Developers rarely expect these to be stolen via a browser quirk.
- Confirmed Exploits: While Google’s advisory vaguely notes a “public exploit exists,” CISA explicitly added CVE-2025-4664 to its Known Exploited Vulnerabilities catalog, confirming active attacks.
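For site operators, one way to find endpoints that still put secrets in the query string, which is the data this flaw exposes. This is an added example, not code from the original article or from Google's advisory; the parameter-name heuristics and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed, non-exhaustive naming heuristics; tune them for your own applications.
SENSITIVE_NAMES = {"code", "password", "passwd", "sid", "sessionid", "apikey", "api_key"}
SENSITIVE_SUFFIXES = ("token", "secret", "password")

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2025:10:01:02 +0000] "GET /oauth/callback?code=abc123&state=xyz HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/May/2025:10:01:05 +0000] "GET /reset?email=a%40example.test&reset_token=deadbeef HTTP/1.1" 200 901',
    '198.51.100.4 - - [20/May/2025:10:02:11 +0000] "GET /search?q=zipcode+lookup&page=2 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [20/May/2025:10:03:40 +0000] "GET /api/report?api_key=k-000&format=csv HTTP/1.1" 200 77',
]

def is_sensitive(name):
    """True if a query parameter name looks like it carries a secret."""
    lowered = name.lower()
    return lowered in SENSITIVE_NAMES or lowered.endswith(SENSITIVE_SUFFIXES)

def audit_url(url):
    """Return (redacted_url, flagged_names) for one URL or request target."""
    parts = urlsplit(url)
    flagged, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if value and is_sensitive(name):
            flagged.append(name)
            value = "REDACTED"  # never copy the secret into the audit output
        cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), flagged

def audit_log(lines):
    """Map each request path to the sensitive parameter names seen on it."""
    findings = {}
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we recognise
        _, flagged = audit_url(match.group(1))
        if flagged:
            path = urlsplit(match.group(1)).path
            findings.setdefault(path, set()).update(flagged)
    return {path: sorted(names) for path, names in findings.items()}

if __name__ == "__main__":
    for path, names in audit_log(SAMPLE_LOG).items():
        print(f"{path}: secrets in query string -> {', '.join(names)}")
```

Endpoints it flags are candidates for moving the secret into a POST body, header, or cookie so it never appears in a URL.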
Who’s at Risk?
- Federal agencies: Under CISA’s Binding Operational Directive (BOD 22-01), U.S. government bodies must patch within three weeks (by June 6, 2025).
- Everyone else: Cybercriminals don’t discriminate. If you use Chrome on any device, you’re a potential target.
How to Protect Yourself
- Update Chrome immediately: Go to Settings > About Chrome. Version 124.0.6367.201 (or later) contains the fix.
- Be wary of shady links: Avoid clicking unfamiliar links, especially in emails or messages.
- Monitor accounts: Enable 2FA for critical services. If tokens were leaked, attackers might try to hijack sessions.
Google’s Growing Zero-Day Problem
This is the second Chrome zero-day patched in 2025 after CVE-2025-2783, which Russian hackers used to bypass Chrome’s sandbox and infect government targets. The frequency of these flaws suggests attackers are increasingly finding and weaponizing subtle browser quirks.
The Bottom Line
Don’t wait for a breach to act. Updates take minutes; recovering from stolen data can take months. Patch now, stay vigilant, and spread the word: your coworkers and family might still be at risk.