On Thursday, CISA warned US federal agencies to secure their systems against ongoing attacks exploiting a high-severity vulnerability in the Chrome web browser.
SolidLab security researcher Vsevolod Kokorin reported the flaw (CVE-2025-4664) and published technical details online on May 5. Google issued security updates to patch it on Wednesday.
As Kokorin explained, the vulnerability is described as insufficient policy enforcement in Google Chrome's Loader component, and successful exploitation may allow remote attackers to leak cross-origin data via maliciously crafted HTML pages.
“You probably know that unlike other browsers, Chrome resolves the Link header on subresource requests. But what is the problem? The issue is that the Link header can set a referrer-policy,” Kokorin noted.
“Query parameters can contain sensitive data – for example, in OAuth flows, this can lead to an account takeover. Developers rarely consider the possibility of stealing query parameters via an image from third-party resources.”
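As an added illustration (not code from the article or from the researcher), the following models the standard Referrer Policy algorithm for the situation Kokorin describes: an OAuth callback page whose URL carries a code, embedding a third-party image. It shows which policies strip the query string from the Referer header and which forward it; the page and image URLs are constructed.

```python
# Models the Referrer Policy algorithm: which policies let a third-party
# image request carry the page URL's query string (an OAuth code here) in
# the Referer header, and which strip it. Sample URLs are constructed.
from urllib.parse import parse_qs, urlsplit, urlunsplit

def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def _full(url: str) -> str:
    p = urlsplit(url)  # Referer keeps path and query but never the fragment
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))

def compute_referer(policy: str, page_url: str, request_url: str):
    """Referer value sent for request_url from page_url, or None if none."""
    same_origin = _origin(page_url) == _origin(request_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(request_url).scheme == "http")
    origin_only = _origin(page_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(page_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(page_url)
    if policy == "same-origin":
        return _full(page_url) if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return _full(page_url) if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":  # browser default
        return _full(page_url) if same_origin else (None if downgrade else origin_only)
    raise ValueError(f"unknown referrer policy: {policy}")

def leaked_query_params(policy: str, page_url: str, request_url: str):
    """Names of page_url query parameters that reach request_url's server."""
    ref = compute_referer(policy, page_url, request_url)
    return sorted(parse_qs(urlsplit(ref).query)) if ref else []

PAGE = "https://app.example/oauth/callback?code=SECRET123&state=xyz"  # constructed
IMAGE = "https://cdn.third-party.example/pixel.gif"  # constructed third-party image

if __name__ == "__main__":
    for pol in ("strict-origin-when-cross-origin", "unsafe-url", "no-referrer"):
        print(f"{pol:32} -> {leaked_query_params(pol, PAGE, IMAGE)}")
```

Under the browser default only the origin reaches the third party; a permissive policy forwards the full callback URL, which is why secrets belong in the POST body or fragment rather than the query string, and why a strict page-level Referrer-Policy header is a sensible baseline.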
While Google did not disclose whether the vulnerability was exploited in attacks before the patch or whether it is still being exploited, it warned in a security advisory that a public exploit exists, which usually indicates active exploitation.
Marked as actively exploited
A day later, CISA confirmed that CVE-2025-4664 is being abused in the wild and added it to its Known Exploited Vulnerabilities catalog, which lists security flaws actively exploited in attacks.
As mandated by the November 2021 Binding Operational Directive (BOD) 22-01, US Federal Civilian Executive Branch (FCEB) agencies must patch their Chrome installations within three weeks, by May 7, to secure their systems against potential breaches.
While this directive applies only to federal agencies, all network defenders are advised to prioritize patching this vulnerability as soon as possible.
The cybersecurity agency warned, “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose a significant risk to federal enterprises.”
This is another actively exploited Chrome zero-day patched by Google this year, after a high-severity Chrome zero-day bug (CVE-2025-2783) was abused to target Russian government organizations, media outlets, and educational institutions in cyber-espionage attacks.
Researchers at Kaspersky, who analyzed the zero-day attacks, said the threat actors exploited CVE-2025-2783 to bypass Google Chrome's sandbox protections and infect targets with malware.