The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical zero-day vulnerability in Google Chrome that is currently being exploited in active attacks. Federal Civilian Executive Branch agencies have been instructed to implement necessary security updates by October 14, 2025, as per Binding Operational Directive 22-01. The vulnerability, identified as CVE-2025-10585, has been added to CISA’s Known Exploited Vulnerabilities list, emphasizing the urgent need for users and administrators to act promptly. Google has acknowledged the existence of an exploit for this flaw and has released security updates to mitigate the risk.
The vulnerability arises from a type confusion flaw in Chrome’s JavaScript and WebAssembly V8 engine. This occurs when a program accesses a resource with an incompatible type, leading to incorrect data interpretation and potential memory corruption. Attackers can exploit this to crash the browser or execute arbitrary code on the affected system.
Discovered by Google’s Threat Analysis Group on September 16, 2025, details about specific attacks or threat actors remain undisclosed to prevent further exploitation before users can apply patches. This marks the sixth actively exploited Chrome zero-day vulnerability this year, underscoring a trend of attackers focusing on browser vulnerabilities.
While the directive is mandatory for federal agencies, CISA strongly recommends that all organizations and individuals prioritize updating their systems to prevent potential attacks. Users can initiate updates by accessing the Chrome menu, selecting “Help,” and then “About Google Chrome,” which will automatically check for and install the latest version. Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply security updates from their providers promptly.
