
THREAT ADVISORY: Chrome Zero Day Vulnerability (CVE-2025-10585) – Immediate Update Required


WHAT HAPPENED

Google disclosed a critical zero-day vulnerability in Chrome (CVE-2025-10585) that is actively being exploited.

  • The flaw affects Chrome’s V8 JavaScript engine, which runs web content.
  • Attackers can exploit this simply by luring users to a malicious webpage with no click or download required.

WHY IT MATTERS

Zero-day flaws in widely used browsers spread risk across entire organizations.

  • Even with auto-update enabled, patches take time to deploy fully, which can leave a gap during which systems remain exposed.
  • Other Chromium-based browsers (Edge, Brave, Opera, etc.) likely share parts of the same core engine and may also be vulnerable until vendor fixes are issued.
  • Environments with large numbers of endpoints are at higher risk if updates lag.

WHO’S AT RISK

  • Vulnerable versions: Chrome earlier than 140.0.7339.185/.186 for Windows/Mac and 140.0.7339.185 for Linux.
  • High-risk groups: organizations with unmanaged browsers, delayed update cycles, or use of Chromium-based alternatives awaiting vendor patches.

HOW THEY’RE ATTACKING

Malicious actors are creating web pages with crafted HTML payloads that exploit a type confusion bug in V8.

  • Just loading the page (or a link or iframe to it embedded in another site) can enable remote code execution.
  • Once triggered, attackers may gain a foothold for deeper compromise.

WHAT TO DO NOW

  • Update Chrome immediately to version 140.0.7339.185/.186 for Windows/Mac or 140.0.7339.185 for Linux.
  • Verify auto-update is enabled across all endpoints.
  • Track vendor advisories for Chromium-based browsers such as Edge and Brave.
  • Monitor systems for unusual browser behavior or crashes that could indicate exploitation.
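As an added example (not part of the advisory or its authors' material), the script below triages a browser inventory against the patched build numbers listed above, flagging hosts still on older Chrome builds and separating out other Chromium-based browsers, which carry their own version numbering. The host names and the Edge version string are constructed for the example.

```python
import re
# Minimum Chrome build carrying the fix for CVE-2025-10585, per the advisory:
# 140.0.7339.185 on Linux and 140.0.7339.185/.186 on Windows/Mac. Any build at
# or above .185 is therefore patched on every platform.
FIXED_VERSION = (140, 0, 7339, 185)

# Constructed inventory lines (hostname, then the string `google-chrome --version`
# prints); the hosts and the Edge version are made up for this example.
SAMPLE_INVENTORY = [
    "host-a Google Chrome 140.0.7339.185",
    "host-b Google Chrome 140.0.7339.127",
    "host-c Google Chrome 139.0.7258.154",
    "host-d Chromium 140.0.7339.186",
    "host-e Microsoft Edge 140.0.1234.56",
    "host-f Google Chrome (version unavailable)",
]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")
CHROME_RE = re.compile(r"Google Chrome|Chromium")

def parse_version(text):
    """Return the first a.b.c.d version in text as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version):
    """Compare as int tuples so 139.x < 140.x and .127 < .185, unlike a string compare."""
    return version is not None and version >= FIXED_VERSION

def triage(lines):
    """Bucket hosts as patched / vulnerable / other_browser / unknown. Only Chrome and
    Chromium builds are compared; Edge, Brave etc. need their own vendor's advisory."""
    buckets = {"patched": [], "vulnerable": [], "other_browser": [], "unknown": []}
    for line in lines:
        host = line.split()[0]
        if not CHROME_RE.search(line):
            buckets["other_browser"].append(host)
            continue
        version = parse_version(line)
        if version is None:
            buckets["unknown"].append(host)
        elif is_patched(version):
            buckets["patched"].append(host)
        else:
            buckets["vulnerable"].append(host)
    return buckets

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed `triage()` one line per host collected from your endpoint management tool in place of SAMPLE_INVENTORY; hosts in the unknown bucket need a manual check rather than being assumed safe.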


RESOURCES

  • BleepingComputer: “Google fixes fourth actively exploited Chrome zero-day of 2025”
  • TheHackerNews: “Google Patches Chrome Zero-Day CVE-2025-10585 as Active V8 Exploit Threatens Millions”
