Urgent: Google Chrome Users Advised to Update Browser Due to Serious Security Vulnerability

Jonathan Marks

Google Chrome, the world’s leading web browser with over 3.5 billion installations, is urging its users to update immediately in response to a significant security vulnerability. A recent security bulletin from Google has revealed that the flaw, located within the browser’s Chrome V8 engine, poses a high-severity risk that cybercriminals have already begun to exploit.

The vulnerability lets attackers craft malicious web pages that can steal sensitive user data, including passwords and personal information, or even deploy harmful software such as viruses and ransomware. Google has confirmed that malicious actors, potentially including state-sponsored groups, are already taking advantage of this flaw.

Jake Moore, a global cybersecurity advisor at ESET, emphasized the importance of keeping devices and applications updated. “Updating your devices and apps is vital, and browsers are no different and just as essential to fix security holes like this one,” he stated in an interview with MailOnline.

The security issue, tracked as CVE-2025-6554, received a severity score of 8.1 out of 10, indicating a ‘high’ level of threat. This zero-day vulnerability had not been previously identified by Chrome’s developers, making it particularly dangerous, as it can be exploited before any security patch is available.

Google’s bulletin confirmed that an exploit for CVE-2025-6554 is currently in use, allowing hackers to insert malicious code or extract critical information. Moore warned, “Criminal hackers could have been able to take advantage of this vulnerability to read anything stored in the browser’s memory, which, worryingly, could include sensitive information like passwords.” Such access could lead to further targeting of individuals within the victim’s contact network.

The vulnerability was identified by Clément Lecigne from Google’s Threat Analysis Group (TAG), responsible for monitoring threats from nation-states and advanced persistent threats (APTs). Given its exploitation, it is suspected that the flaw may have been utilized by state actors for highly focused attacks, similar to previous incidents where Chrome V8 vulnerabilities were exploited against journalists and political dissidents.

Moore cautioned that “a flaw this serious could be used by anyone with the determination and the right knowledge to take advantage of it, which could easily include nation state actors.” He noted that such groups often seek out powerful vulnerabilities to conduct espionage on targeted individuals, including government employees.

While Google has applied the necessary patches, users are strongly advised to check their browser versions and ensure they are updated to the latest release. Chrome typically updates automatically, but users can manually verify their version by opening the menu in the top-right corner, selecting Help, and clicking ‘About Google Chrome.’ The current recommended versions are 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux. If no update is offered there, the browser is already running the latest version.
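For administrators who need to run the same version check across many machines, the following is an added example, not code from Google or from this article. It assumes the lowest build listed above for each platform is the patched floor; the inventory rows, hostnames and the function names are constructed for illustration.

```python
import re

# Lowest build the article lists per platform, used here as the patched floor
# (assumption: any build at or above it carries the CVE-2025-6554 fix).
PATCHED_FLOOR = {
    "windows": (138, 0, 7204, 96),
    "macos": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free text such as
    'Google Chrome 138.0.7204.49' and return it as a tuple of ints."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def classify(platform, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one inventory row."""
    floor = PATCHED_FLOOR.get(platform.strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # never assume safe when data is missing
    # Tuples compare numerically per component, so 7204.100 > 7204.96
    # (a plain string comparison would get this wrong).
    return "patched" if version >= floor else "vulnerable"


def audit(rows):
    """rows: iterable of (host, platform, version_text); returns rows needing action."""
    return [(h, p, v) for h, p, v in rows if classify(p, v) != "patched"]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE = [
    ("ws-01", "Windows", "Google Chrome 138.0.7204.97"),
    ("ws-02", "Windows", "Google Chrome 138.0.7204.49"),
    ("mac-01", "macOS", "Google Chrome 138.0.7204.93"),
    ("lin-01", "Linux", "Google Chrome 138.0.7204.100"),
    ("lin-02", "Linux", "Google Chrome 137.0.7151.120"),
    ("kiosk-9", "Linux", "version string unavailable"),
]

if __name__ == "__main__":
    for host, platform, version in audit(SAMPLE):
        print(f"{host}\t{platform}\t{version}\t{classify(platform, version)}")
```

Rows reported as `unknown` deserve the same follow-up as `vulnerable` ones, since a missing version string says nothing about whether the update was applied.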

Google has been approached for further comments regarding the situation.
