Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser’s sandbox on Windows systems.
Tracked as CVE-2025-2857, this flaw is described as an “incorrect handle could lead to sandbox escapes” and was reported by Mozilla developer Andrew McCreight.
The vulnerability impacts the latest Firefox standard and extended support releases (ESR) designed for organizations that require extended support for mass deployments. Mozilla fixed the security flaw in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1.
While Mozilla didn’t share technical details regarding CVE-2025-2857, it said the vulnerability is similar to a Chrome zero-day exploited in attacks and patched by Google earlier this week.
“Following the sanbdox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles into unpriviled [sic] child processes leading to a sandbox escape,” Mozilla said in a Thursday advisory.
“The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected.”
Chrome zero-day exploited to target Russia
Kaspersky’s Boris Larin and Igor Kuznetsov, who discovered and reported CVE-2025-2783 to Google, said on Tuesday that the zero-day was exploited in the wild to bypass Chrome sandbox protections and infect targets with sophisticated malware.
They spotted CVE-2025-2783 exploits deployed in a cyber-espionage campaign dubbed Operation ForumTroll, targeting Russian government organizations and journalists at unnamed Russian media outlets.
“The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist,” they said.
“The malicious emails contained invitations supposedly from the organizers of a scientific and expert forum, ‘Primakov Readings,’ targeting media outlets, educational institutions and government organizations in Russia.”
In October, Mozilla also patched a zero-day vulnerability (CVE-2024-9680) in Firefox’s animation timeline feature exploited by the Russian-based RomCom cybercrime group that let the attackers gain code execution in the web browser’s sandbox.
The flaw was chained with a Windows privilege escalation zero-day (CVE-2024-49039) that allowed the Russian hackers to execute code outside the Firefox sandbox. Their victims were tricked into visiting an attacker-controlled website that downloaded and executed the RomCom backdoor on their systems.
Months earlier, it fixed two Firefox zero-day vulnerabilities one day after they were exploited at the Pwn2Own Vancouver 2024 hacking competition.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
