Mozilla Urges Windows Users to Update Firefox Due to Critical Sandbox Escape Flaw

Mozilla has rolled out Firefox 136.0.4 to fix a serious security vulnerability (CVE-2025-2857) that allows attackers to break out of the browser’s sandbox on Windows systems. This flaw, identified by Mozilla developer Andrew McCreight, affects both standard Firefox releases and extended support versions (ESR) used by organizations.

Although Mozilla has not disclosed technical details, the company indicated that this flaw is similar to a Chrome zero-day (CVE-2025-2783) exploited in recent cyberattacks. In the Chrome case, attackers tricked the browser’s parent process into leaking handles, allowing them to bypass sandbox protections.

This vulnerability only impacts Windows users, with other operating systems remaining unaffected. Mozilla advises all users to update their browsers immediately to versions 136.0.4, ESR 115.21.1, or ESR 128.8.1 to stay protected.

Earlier this week, Kaspersky researchers revealed that the Chrome zero-day was exploited in Operation ForumTroll, a cyber-espionage campaign targeting Russian government agencies and journalists. The attackers used malicious emails disguised as invitations to a forum to spread malware.

Mozilla has previously patched multiple sandbox escape vulnerabilities, including one (CVE-2024-9680) exploited by the Russian RomCom cybercrime group in October. This flaw allowed hackers to execute code outside of Firefox’s sandbox by chaining it with a Windows privilege escalation zero-day (CVE-2024-49039).

Additionally, Mozilla addressed two Firefox zero-day vulnerabilities in March, just one day after they were exploited during the Pwn2Own Vancouver 2024 hacking competition. These incidents highlight the ongoing threats to web browsers and the importance of keeping them updated.
