TechCrunch News, March 26, 21:22
Google fixes Chrome zero-day security flaw used in hacking campaign targeting journalists

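Google has fixed a vulnerability in Chrome for Windows that hackers exploited to break into users' computers. The flaw was discovered by Kaspersky; hackers used phishing emails to lure users into clicking a link, then exploited the vulnerability to obtain data from the user's PC. Google said the update will roll out over the coming days or weeks.

💻 Google fixes Chrome for Windows vulnerability CVE-2025-2783

🎯 Hackers exploited the vulnerability in attacks, luring users with phishing emails

🛡 The vulnerability can bypass Chrome's sandbox protection and affects browsers based on the Chromium engine

📅 Google's Chrome update will roll out over the coming days or weeks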

Google said it has fixed a vulnerability in its Chrome browser for Windows that malicious hackers have used to break into victims’ computers.

In a brief note on Tuesday, Google said that it fixed the vulnerability, tracked as CVE-2025-2783, that was discovered by researchers at security firm Kaspersky earlier this month. 

Google said it was aware of reports that an exploit for the bug “exists in the wild.” The bug is referred to as a zero-day because the vendor — in this case, Google — was given no time to fix the bug before it was exploited.

According to Kaspersky, the bug was exploited as part of a hacking campaign targeting Windows computers running Chrome. 

In a blog post, Kaspersky called the campaign “Operation ForumTroll,” and said victims were targeted with a phishing email inviting them to a Russian global political summit. When a link in the email was clicked, victims were taken to a malicious website that immediately exploited the bug to gain access to the victim’s PC data.

Kaspersky provided little detail about the bug at the time of the Chrome patch, but said that the bug allowed the attackers to bypass Chrome’s sandbox protections, which limit the browser’s access to other data on the user’s computer. Kaspersky said the bug affects all other browsers based on Google’s Chromium engine.

In a separate analysis, Kaspersky said the bug was likely used in an espionage campaign, typically designed to stealthily monitor and steal data from a target’s device, usually over a period of time. The Russia-headquartered security firm said the hackers sent personalized phishing emails to Russian media representatives and employees at educational institutions. 

It’s unclear who was exploiting the bug, but Kaspersky attributed the campaign to a likely state-sponsored or government-backed group of hackers. 

Browsers like Chrome are a frequent target for malicious hackers and government-backed groups. Zero-day bugs capable of breaking through their protections and into the victim’s sensitive device data can be sold at high prices. In 2024, one zero-day broker was offering up to $3 million for exploitable bugs that can be triggered over the internet.

Google said Chrome updates will roll out over the coming days and weeks.
