Post

Critical Chromium V8 Vulnerability Added to CISA's Known Exploited Vulnerabilities Catalog

Posted
By Tom Grant
2 min read
Critical Chromium V8 Vulnerability Added to CISA's Known Exploited Vulnerabilities Catalog

TL;DR

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Chromium V8 vulnerability, tracked as CVE-2025-6554, to its Known Exploited Vulnerabilities (KEV) catalog. This zero-day vulnerability, which allows for arbitrary read/write operations via crafted HTML pages, has been exploited in the wild. Google has released security patches, and federal agencies are required to address this vulnerability by July 23, 2025.

CISA Adds Critical Chromium V8 Vulnerability to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a significant Chromium V8 vulnerability, identified as CVE-2025-6554, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, described as a type confusion issue in the V8 JavaScript and WebAssembly engine, allows remote attackers to execute arbitrary read/write operations through specially crafted HTML pages 1.

Vulnerability Overview

  • CVE ID: CVE-2025-6554
  • Severity: High
  • Description: A type confusion vulnerability in the V8 engine of Google Chrome allows remote attackers to perform arbitrary read/write operations via a crafted HTML page 2.
  • Discovery: The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group on June 25, 2025 3.

Exploitation and Mitigation

Google released security patches to address this vulnerability, updating Chrome Stable to version 138.0.7204.x for Windows, Mac, and Linux. The issue was mitigated through a configuration change pushed to the Stable channel across all platforms on June 26, 2025 4.

The existence of an exploit for this vulnerability in the wild suggests that it may have been used by threat actors, including state-sponsored hackers or commercial spyware vendors, in targeted attacks 5.

Impact and Recommendations

CVE-2025-6554 is the fourth Chrome zero-day vulnerability patched by Google in 2025. According to CISA’s Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must address identified vulnerabilities by the specified due date to protect their networks 6.

CISA has mandated that federal agencies fix this vulnerability by July 23, 2025. Private organizations are also strongly advised to review the KEV Catalog and address any vulnerabilities in their infrastructure 7.

Conclusion

The addition of CVE-2025-6554 to CISA’s KEV catalog underscores the critical importance of timely patch management. Organizations must remain vigilant and proactive in addressing known vulnerabilities to safeguard against potential cyber threats. Future implications may include increased scrutiny of browser security and a heightened focus on rapid response to zero-day exploits.

For further insights, check:

References

  1. “CISA Adds One Known Exploited Vulnerability to Catalog”. CISA. Retrieved 2025-07-07. ↩︎

  2. “CVE-2025-6554 Detail”. NIST National Vulnerability Database. Retrieved 2025-07-07. ↩︎

  3. “Stable Channel Update for Desktop”. Google Chrome Releases. Retrieved 2025-07-07. ↩︎

  4. “Stable Channel Update for Desktop”. Google Chrome Releases. Retrieved 2025-07-07. ↩︎

  5. “Salt Typhoon: China-Linked Threat Actors Breached US ISP”. Security Affairs. Retrieved 2025-07-07. ↩︎

  6. “Binding Operational Directive (BOD) 22-01”. CISA. Retrieved 2025-07-07. ↩︎

  7. “Known Exploited Vulnerabilities Catalog”. CISA. Retrieved 2025-07-07. ↩︎

Cybersecurity & Data Protection, Vulnerabilities
cybersecurity vulnerability chromium
This post is licensed under CC BY 4.0 by the author.