SOC Advisory – Critical Zero-Day Vulnerability in Google Chrome (CVE-2025-6554) – 3 July 2025

Overview

CVE: CVE-2025-6554
Severity: CRITICAL
Score: 10.0
Date: 3 July 2025

A critical zero-day vulnerability, CVE-2025-6554, has been identified and patched in Google Chrome. The flaw is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine. Successful exploitation allows a remote attacker to perform arbitrary read/write operations via a crafted HTML page. This vulnerability is currently being exploited in the wild, with evidence suggesting use in highly targeted attacks, potentially by nation-state actors or for surveillance purposes.

Affected Versions

All versions prior to:

• Windows: 138.0.7204.96/.97
• macOS: 138.0.7204.92/.93
• Linux: 138.0.7204.96
• Other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) may also be affected and should be updated as patches become available

Mitigation

• Update Chrome to the latest versions:
  • Windows/Linux: 138.0.7204.96 or newer
  • macOS: 138.0.7204.92 or newer
• Monitor for vendor updates for other Chromium-based browsers and apply patches promptly.

Summary for IT Teams

• Products: Google Chrome, Chromium-based browsers
• Threat Level: Critical
• Action:
  • Deploy latest Chrome updates immediately
  • Ensure enterprise-controlled browsers are patched
  • Educate users on avoiding suspicious links and sites

References

• The Hacker News
• CVE

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.