Mozilla has issued an urgent security update for Firefox on Windows to address a critical vulnerability currently being exploited in the wild. The patch, arriving with Firefox version 136.0.4, targets a flaw identified as CVE-2025-2857 that poses a significant risk to user data and system integrity.
Understanding the CVE-2025-2857 Threat
The vulnerability allows attackers to bypass the browser’s sandbox—a vital security mechanism designed to isolate web processes from the underlying operating system. By escaping this environment, a malicious actor could potentially gain unauthorized access to applications and sensitive data stored on the host computer.
According to Mozilla’s official security advisory, the flaw shares a nearly identical exploitation pattern with a zero-day vulnerability recently patched by Google in the Chrome browser.
Broader Impact and Targeted Attacks
The threat extends beyond the standard Firefox browser. Other applications built on the same codebase, including the Tor Browser, are similarly affected. Developers have already pushed Tor Browser 14.0.7 to mitigate these risks for their user base.
Boris Larin, a researcher at Kaspersky who originally discovered the Chrome zero-day, confirmed that the root cause of the exploit is present in both browsers. Previous investigations by Kaspersky have linked these specific exploits to targeted campaigns aimed at journalists, government officials, and academic staff operating within Russia.
Recommended Action for Users
Given that this vulnerability is already under active exploitation, users are strongly advised to update their software immediately. To ensure your system is protected, verify that your browser is running version 136.0.4 or later. If you utilize the Tor Browser, confirm your installation has been upgraded to version 14.0.7 to close the security gap.
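The version check described above, as an added PowerShell example for Windows fleet or single-host verification (this is not code from the article or from Mozilla; it assumes the default per-machine Firefox install directories, and the Tor Browser location and its `tbb_version.json` file are assumptions that may need adjusting for your installation):

```powershell
# Added example, not part of the article or of Mozilla's tooling: confirm that the
# Firefox build installed on a Windows host is at or above the patched version.
# Assumptions: default per-machine install directories; the Tor Browser path and its
# tbb_version.json file are assumed and may need adjusting for your installation.

$FirefoxRequired    = [version]'136.0.4'
$TorBrowserRequired = [version]'14.0.7'

# Read the product version from application.ini, which every Firefox build ships with,
# and fall back to the firefox.exe version resource if the file is missing.
function Get-FirefoxVersion {
    param([string]$InstallDir)
    $ini = Join-Path $InstallDir 'application.ini'
    if (Test-Path $ini) {
        $line = Select-String -Path $ini -Pattern '^Version=(.+)$' | Select-Object -First 1
        if ($line) { return $line.Matches[0].Groups[1].Value.Trim() }
    }
    $exe = Join-Path $InstallDir 'firefox.exe'
    if (Test-Path $exe) { return (Get-Item $exe).VersionInfo.ProductVersion }
    return $null
}

# Compare numerically rather than as strings: '136.0.10' must not sort below '136.0.4'.
function Test-Patched {
    param([string]$Installed, [version]$Required)
    if (-not $Installed) { return $false }
    # Strip suffixes such as 'esr' or '(x64 en-US)' before parsing
    $numeric = ($Installed -replace '[^0-9.].*$', '')
    return ([version]$numeric) -ge $Required
}

$candidates = @(
    "$env:ProgramFiles\Mozilla Firefox",
    "${env:ProgramFiles(x86)}\Mozilla Firefox"
)
foreach ($dir in $candidates) {
    if (-not (Test-Path $dir)) { continue }
    $v = Get-FirefoxVersion -InstallDir $dir
    $status = if (Test-Patched -Installed $v -Required $FirefoxRequired) { 'PATCHED' } else { 'UPDATE REQUIRED' }
    Write-Output ("Firefox {0,-10} {1}  ({2})" -f $v, $status, $dir)
}

# Tor Browser: assumed install location and version file (adjust for your setup)
$tbbJson = "$env:USERPROFILE\Desktop\Tor Browser\Browser\tbb_version.json"
if (Test-Path $tbbJson) {
    $v = (Get-Content $tbbJson -Raw | ConvertFrom-Json).version
    $status = if (Test-Patched -Installed $v -Required $TorBrowserRequired) { 'PATCHED' } else { 'UPDATE REQUIRED' }
    Write-Output ("Tor Browser {0,-6} {1}" -f $v, $status)
}
```

The comparison is done with the `[version]` type rather than string comparison so that later point releases (for example a hypothetical 136.0.10) are correctly reported as patched; a host reporting `UPDATE REQUIRED` or no Firefox entry at all should be treated as unverified, not as unaffected.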
