Google Chrome Mojo IPC Sandbox Escape (Operation ForumTroll)
An incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. The flaw stems from a logical error at the boundary between the Chrome sandbox and the Windows operating system, where a confusion over handle ownership lets a compromised renderer break out of the browser sandbox without any memory-corruption primitive. Google confirmed it is aware of reports that an exploit exists in the wild.
Overview
CVE-2025-2783 is a sandbox-escape vulnerability in Mojo, the inter-process communication (IPC) layer that Google Chrome uses to broker messages between its sandboxed renderer processes and the more privileged browser process. On Windows builds prior to 134.0.6998.177, an incorrect handle is provided under unspecified circumstances, allowing a remote attacker to escape the renderer sandbox by means of a malicious file. Unlike the typical V8 memory-corruption zero-day, this is a logic bug: the attacker abuses Chrome's mishandling of Windows object handles rather than corrupting heap memory.
The flaw was discovered by Boris Larin and Igor Kuznetsov of Kaspersky after they detected an active espionage campaign that Kaspersky named "Operation ForumTroll." Victims were compromised simply by clicking a personalized phishing link, after which the exploit fired with no further interaction. Google shipped an emergency Stable channel update on March 25, 2025, and CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog the following day with a remediation deadline of April 17, 2025.
Technical Details
Mojo passes operating-system handles between processes as part of its message-pipe machinery. On Windows, the vulnerable code path provided a handle whose ownership or access rights were not correctly validated, so a renderer that an attacker had already compromised could obtain a handle far more powerful than the sandbox policy intended. With that handle, the attacker pivots out of the low-integrity renderer and into the security context of the browser process, defeating the sandbox boundary that is the last line of defense against full system compromise.
Because the exploit chain delivered through Operation ForumTroll paired this escape with a second (separately patched) remote code-execution primitive, the full chain achieved code execution from a single link click. NVD assigns a base score of 8.3 (High) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. The Scope:Changed flag reflects that the impact crosses the sandbox security boundary; the High attack complexity and required user interaction (clicking the link) reflect the real-world delivery. NVD lists the weakness as NVD-CWE-noinfo because the root cause is a handle-ownership logic error rather than a single classic memory weakness.
Impact
- Sandbox escape from a Chrome renderer to the browser process on Windows, neutralizing Chrome's primary exploit-mitigation boundary.
- When chained with a renderer RCE bug, full remote code execution on the victim host from a single click on an attacker-controlled link.
- Used in the wild for targeted cyber-espionage (Operation ForumTroll) against media, education, and government organizations.
- Affects Google Chrome and, by extension, other Chromium-based browsers that share the vulnerable Mojo code on Windows until they ship the equivalent fix.
Mitigation
- Update Google Chrome on Windows to version 134.0.6998.177 or later (Stable channel update of March 25, 2025).
- Restart the browser after updating; the patch is inert until all Chrome processes are relaunched.
- Update Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) to the build that incorporates the corresponding Mojo fix as soon as each vendor publishes it.
- For managed fleets, push the update via enterprise policy and verify the reported version in chrome://settings/help across endpoints rather than relying on background auto-update alone.
- Federal Civilian Executive Branch agencies were required to remediate by April 17, 2025 under CISA BOD 22-01; treat that deadline as the baseline for any organization.
Detection
This vulnerability was used in narrowly targeted attacks, so detection leans on installed-version inventory plus behavioral telemetry rather than network signatures. Begin by auditing the Chrome version across every Windows endpoint: any host reporting a version below 134.0.6998.177 is exposed. Endpoint management tools, the Windows registry key under HKLM\SOFTWARE\Google\Update\Clients, or a fleet query of chrome://version output all provide an authoritative version inventory. Microsoft Edge and other Chromium forks should be cross-checked against their own fixed builds.
For behavioral detection, the escape manifests as a Chrome renderer child process spawning or acquiring privileges inconsistent with the sandbox. EDR rules should flag chrome.exe renderer processes (those launched with the --type=renderer flag) that subsequently spawn unexpected child processes such as cmd.exe, powershell.exe, or rundll32.exe, or that perform process-handle duplication into the browser process. Sysmon Event ID 1 (process creation) and Event ID 10 (process access, particularly cross-process handle requests with elevated access masks targeting the parent chrome.exe) are the highest-value data sources here.
Because Operation ForumTroll began with a phishing email containing a single personalized link, correlate email-security and proxy logs for one-time, short-lived domains delivering Chrome content to high-value users. Kaspersky's public reporting includes indicators of compromise for the campaign; ingest those domains and hashes into threat-intelligence feeds. After exploitation, look for the second-stage payload: anomalous outbound connections from a host immediately after Chrome activity, new persistence entries (Run keys, scheduled tasks, services) created under the user that was browsing, and credential-access tooling. Finally, ensure Chrome's own crash and update telemetry is being collected centrally, because failed exploit attempts often surface as renderer crashes with distinctive Mojo-related stack frames that can serve as an early-warning signal before a successful compromise.
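The two detection angles above, version inventory and renderer-behaviour telemetry, as an added worked example (this is illustrative code written for this page, not Google's, Chromium's or Kaspersky's). It assumes Sysmon-style records already parsed into dictionaries whose field names follow the Sysmon Event ID 1 and Event ID 10 schemas; the events themselves are constructed sample data. Two details matter in practice: Chrome versions must be compared numerically, not as strings (a string compare puts "99.x" above "134.x"), and Sysmon Event ID 10 carries no command line, so whether the source process is a renderer has to be recovered from its earlier Event ID 1. The PROCESS_* access-mask bits come from winnt.h.

```python
"""Prototype detection rules for the CVE-2025-2783 sandbox-escape pattern.

Added example for this page; not code from Google, Chromium or Kaspersky.
Events are constructed Sysmon-like dictionaries (field names assumed to
follow Sysmon Event ID 1 / Event ID 10).
"""

# Fixed Chrome-on-Windows build from the advisory.
FIXED_VERSION = (134, 0, 6998, 177)

# PROCESS_* rights from winnt.h. A sandboxed renderer has no legitimate
# reason to request these on the browser process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
SUSPICIOUS_ACCESS = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# Children a renderer should never spawn (from the Detection section).
UNEXPECTED_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}


def parse_version(text: str) -> tuple:
    """'major.minor.build.patch' -> tuple of ints, so comparison is numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when a reported Chrome-on-Windows version predates the fixed build."""
    return parse_version(version) < FIXED_VERSION


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_renderer(image: str, command_line: str) -> bool:
    """A Chrome renderer is chrome.exe launched with --type=renderer."""
    return basename(image) == "chrome.exe" and "--type=renderer" in command_line


def detect(events: list) -> list:
    """Run both rules over an ordered event stream and return alert strings.

    Rule A (Event ID 1): a renderer (ParentCommandLine has --type=renderer)
            spawns a child in UNEXPECTED_CHILDREN.
    Rule B (Event ID 10): a process created as a renderer requests
            duplicate-handle / VM-write / create-thread rights on chrome.exe.
            Event 10 has no command line, so the source's renderer status is
            looked up from the Event 1 that created it.
    """
    created = {}  # ProcessId -> (Image, CommandLine) from Event ID 1
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            created[ev["ProcessId"]] = (ev["Image"], ev["CommandLine"])
            child = basename(ev["Image"])
            if is_renderer(ev["ParentImage"], ev["ParentCommandLine"]) and child in UNEXPECTED_CHILDREN:
                alerts.append(f"renderer pid {ev['ParentProcessId']} spawned {child} (pid {ev['ProcessId']})")
        elif ev["EventID"] == 10:
            src = created.get(ev["SourceProcessId"])
            if src is None:
                continue  # no creation record: cannot classify the source
            granted = int(ev["GrantedAccess"], 16)
            if is_renderer(*src) and basename(ev["TargetImage"]) == "chrome.exe" and granted & SUSPICIOUS_ACCESS:
                alerts.append(
                    f"renderer pid {ev['SourceProcessId']} opened chrome.exe pid "
                    f"{ev['TargetProcessId']} with GrantedAccess {ev['GrantedAccess']}"
                )
    return alerts


# Constructed sample events (PIDs and paths are made up for the example).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4000, "Image": CHROME, "CommandLine": f'"{CHROME}"',
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 4100, "Image": CHROME, "CommandLine": f'"{CHROME}" --type=renderer',
     "ParentProcessId": 4000, "ParentImage": CHROME, "ParentCommandLine": f'"{CHROME}"'},
    # Benign: renderer queries limited information on the browser process.
    {"EventID": 10, "SourceProcessId": 4100, "SourceImage": CHROME,
     "TargetProcessId": 4000, "TargetImage": CHROME, "GrantedAccess": "0x1000"},
    # Suspicious: renderer obtains PROCESS_ALL_ACCESS on the browser process.
    {"EventID": 10, "SourceProcessId": 4100, "SourceImage": CHROME,
     "TargetProcessId": 4000, "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    # Suspicious: renderer spawns cmd.exe.
    {"EventID": 1, "ProcessId": 5200, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentProcessId": 4100, "ParentImage": CHROME, "ParentCommandLine": f'"{CHROME}" --type=renderer'},
    # Benign: browser process spawns a GPU helper.
    {"EventID": 1, "ProcessId": 4200, "Image": CHROME, "CommandLine": f'"{CHROME}" --type=gpu-process',
     "ParentProcessId": 4000, "ParentImage": CHROME, "ParentCommandLine": f'"{CHROME}"'},
]

if __name__ == "__main__":
    for v in ("134.0.6998.117", "134.0.6998.177", "99.0.4844.51"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In a SIEM the same two rules map onto a correlation search keyed on ProcessId/ProcessGuid; the sample stream here is ordered, which is what lets the Event ID 10 rule find its source process's creation record.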
