Mozilla has addressed a critical security vulnerability in its Firefox browser for Windows, actively exploited by attackers. The company released Firefox version 136.0.4 to resolve the issue, identified as CVE-2025-2857. This flaw allowed malicious actors to bypass Firefox’s protective sandbox, a feature designed to isolate the browser from sensitive system resources and applications.
The vulnerability shares technical similarities with a Chrome browser zero-day flaw patched by Google earlier this week. Security researchers noted that both vulnerabilities stemmed from comparable weaknesses in browser architecture, though specific implementation details differ between the two platforms.
Mozilla’s update impacts not only Firefox but also other browsers built on the same codebase. The Tor Browser, a privacy-focused alternative, has already released version 14.0.7 to address this security gap. Users of affected browsers are urged to apply updates immediately to prevent potential system compromises.
Boris Larin, a cybersecurity expert at Kaspersky, confirmed the connection between the Firefox vulnerability and the previously discovered Chrome exploit. Research indicates these vulnerabilities have been weaponized in targeted campaigns against journalists, academic institutions, and government entities, particularly in Russia. The attacks appear focused on bypassing digital protections to access sensitive information.
This marks the second major browser vulnerability disclosure this week, following Google’s emergency Chrome update. Security professionals emphasize the growing sophistication of browser-based attacks and recommend enabling automatic updates across all web browsers to maintain protection against emerging threats.
