{"id":9194,"date":"2025-12-14T10:03:33","date_gmt":"2025-12-14T10:03:33","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/14\/cisa-warns-of-google-chromium-0-day-vulnerability-exploited-in-attacks\/"},"modified":"2025-12-14T10:03:33","modified_gmt":"2025-12-14T10:03:33","slug":"cisa-warns-of-google-chromium-0-day-vulnerability-exploited-in-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/14\/cisa-warns-of-google-chromium-0-day-vulnerability-exploited-in-attacks\/","title":{"rendered":"CISA Warns of Google Chromium 0-Day Vulnerability Exploited in Attacks"},"content":{"rendered":"<div>\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical <a href=\"https:\/\/cybersecuritynews.com\/tag\/zero-day-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">zero-day vulnerability<\/a> in Google Chromium\u2019s ANGLE graphics engine to its Known Exploited Vulnerabilities (KEV) catalog.<\/p>\n<p>Tracked as <a href=\"https:\/\/cybersecuritynews.com\/apple-0-day-vulnerabilities-exploited-2\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-14174<\/a>, the flaw allows remote attackers to trigger out-of-bounds memory access via a malicious HTML page, potentially leading to arbitrary code execution in browsers.<\/p>\n<p>Discovered and patched just days ago, this vulnerability underscores ongoing threats to Chromium-based browsers dominating the web. Attackers could exploit it for drive-by compromises, data theft, or ransomware deployment, though CISA notes no confirmed ransomware ties yet. 
Federal agencies must apply mitigations by January 2, 2026, or discontinue affected products.<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/chrome-0-day-vulnerability-exploited-wild\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-14174<\/a> resides in ANGLE, Chromium\u2019s OpenGL ES interface layer, where improper bounds checking allows memory corruption. A crafted webpage can invoke the flaw during rendering, bypassing sandbox protections in some scenarios.<\/p>\n<p>The National Vulnerability Database (NVD) rates it high severity, with early CVSS v3.1 assessments pointing to remote code execution risks.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>CVE ID<\/th>\n<th>Description<\/th>\n<th>CVSS v3.1 Score<\/th>\n<th>Affected Versions<\/th>\n<th>Patched Versions<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>CVE-2025-14174<\/td>\n<td>Out-of-bounds memory access in ANGLE via HTML<\/td>\n<td>8.8 (High)<\/td>\n<td>Chromium &lt; 131.0.6778.200<\/td>\n<td>Chrome 131.0.6778.201+<br \/>Edge 131.0.3139.95+<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>No public indicators of compromise (IoCs) have surfaced, but threat actors are likely to chain it to <a href=\"https:\/\/cybersecuritynews.com\/phishing-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing<\/a> or malvertising.<\/p>\n<p>CISA urges immediate patching per Binding Operational Directive (BOD) 22-01 for federal systems, especially cloud services. Organizations should scan for unpatched browsers, enforce automatic updates, and monitor for anomalous rendering crashes.<\/p>\n<p>Google rolled out Stable Channel fixes on December 10, bumping Chrome to version 131.0.6778.201. Microsoft Edge followed with 131.0.3139.95, while Opera users should check vendor channels. 
\u201cUsers are advised to relaunch browsers post-update,\u201d Google stated in its release notes.<\/p>\n<p>This incident highlights Chromium\u2019s vast attack surface, affecting over 70% of desktop browsers. Security teams worldwide should prioritize remediation amid rising zero-day exploits.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/chromium-0-day-vulnerability-exploited\/\">CISA Warns of Google Chromium 0-Day Vulnerability Exploited in Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA Warns of Google Chromium 0-Day Vulnerability Exploited in Attacks The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) has added a critical zero-day vulnerability in Google Chromium\u2019s ANGLE graphics engine to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-14174, the flaw allows remote attackers to trigger out-of-bounds memory access via a malicious HTML page, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-9194","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9194"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9194"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9194\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}