Mozilla warns Windows users of critical Firefox sandbox escape flaw

Mozilla has released Firefox 136.0.4 to fix a critical security vulnerability, tracked as CVE-2025-2857, that could allow attackers to escape the browser’s sandbox on Windows systems.

Described as “incorrect handle could lead to sandbox escapes,” the flaw was reported by Mozilla developer Andrew McCreight. It affects both the latest standard releases of Firefox and the extended support releases (ESR), which are intended for organizations that need long-term support for large-scale deployments. Mozilla has patched the issue in Firefox 136.0.4 and in Firefox ESR versions 115.21.1 and 128.8.1.

Mozilla has not disclosed technical details about CVE-2025-2857, but it noted that the vulnerability is similar to a Chrome zero-day that Google patched just days earlier. In a Thursday advisory, Mozilla explained, “Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles into unprivileged child processes leading to a sandbox escape.” The vulnerability affects only Firefox on Windows; other operating systems are unaffected.

Chrome zero-day exploited to target Russia

Kaspersky’s Boris Larin and Igor Kuznetsov reported the exploitation of CVE-2025-2783, a Chrome zero-day that was actively used in cyber-espionage campaigns targeting Russian government entities and journalists from unnamed media outlets. The researchers said the vulnerability allowed attackers to bypass Chrome’s sandbox protections and deploy sophisticated malware.

“The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist,” they remarked. The malicious emails used in this campaign contained invitations purportedly from the organizers of a scientific forum, ‘Primakov Readings,’ aimed at media outlets, educational institutions, and government organizations in Russia.

Mozilla also patched a zero-day vulnerability (CVE-2024-9680) in October that was exploited by the RomCom cybercrime group. The flaw allowed attackers to execute code within Firefox’s sandbox and was linked to a Windows privilege escalation zero-day (CVE-2024-49039) that let them execute code outside the Firefox environment. Victims were lured to a malicious website that downloaded and executed the RomCom backdoor on their systems.

Earlier in the year, Mozilla quickly fixed two Firefox zero-day vulnerabilities that were exploited during the Pwn2Own Vancouver 2024 hacking competition.
