Full Report
On Thursday, CISA warned U.S. federal agencies to secure their systems against ongoing attacks exploiting a high-severity vulnerability in the Chrome web browser. [...]
Analysis Summary
# Vulnerability: Actively Exploited Chrome Zero-Day Leading to Information Leakage
## CVE Details
- CVE ID: CVE-2025-4664
- CVSS Score: Not provided in the source text. The report describes the vulnerability as high-severity, which is consistent with active exploitation and CISA's tagging.
- CWE: (Not explicitly provided in text, but relates to improper handling of 3rd-party resources/query parameters)
## Affected Systems
- Products: Google Chrome
- Versions: Prior to the patch released by Google (Specific versions not detailed in summary)
- Configurations: Vulnerability related to loading images from 3rd-party resources, potentially allowing query parameter theft.
## Vulnerability Description
The vulnerability is a flaw in how Google Chrome processes images loaded from third-party resources. Successful exploitation can let an attacker steal query parameters by way of an image resource loaded from a third-party context. This bypasses the browser's standard protections against cross-origin data leakage.
## Exploitation
- Status: Actively exploited in the wild (Confirmed by CISA via inclusion in KEV catalog)
- Complexity: (Not explicitly stated, but the existence of a public exploit suggests it may be Low/Medium for known actors)
- Attack Vector: Network (Via web content hosting the malicious resource)
## Impact
- Confidentiality: High (Potential sensitive data/query parameters can be stolen)
- Integrity: Undetermined/Low (Primary impact appears to be leakage, not modification)
- Availability: Low (No direct impact to availability mentioned)
## Remediation
### Patches
- Google has released a patch to address CVE-2025-4664. Users must update Chrome to the latest version provided by Google.
### Workarounds
- No specific workarounds were detailed in the provided text; immediate patching is the primary advice.
## Detection
- Detection methods and tools are not specified in the article.
- No specific network or process-level indicators of compromise (IOCs) are listed. The article refers only to the observed exploitation cataloged by CISA and Google.
## References
- Vendor Advisory: Google Security Advisory mentioning a public exploit.
- CISA Confirmation: cisa(dot)gov/news-events/alerts/2025/05/15/cisa-adds-three-known-exploited-vulnerabilities-catalog
- CISA KEV Catalog Search: cisa(dot)gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-4664&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=
- Previous Related Flaw: bleepingcomputer(dot)com/news/security/google-fixes-chrome-zero-day-exploited-in-espionage-campaign/