Chrome Had 8 Zero-Day Exploits in 2025 — Including a State-Sponsored Sandbox Escape

Chrome browser zero-day vulnerability cybersecurity hacker scene

2025 Was Chrome's Worst Year for Zero-Days

Google's Chrome browser — used by an estimated 3.4 billion people — suffered through eight actively exploited zero-day vulnerabilities in 2025. All eight were patched, but not before attackers — including state-sponsored groups — had already used them in real-world attacks.

Operation ForumTroll: The Most Alarming Incident

In March 2025, researchers uncovered a highly sophisticated targeted attack campaign dubbed "Operation ForumTroll", attributed to an unidentified state-sponsored APT (Advanced Persistent Threat) group. The attack leveraged a single Chrome zero-day (CVE-2025-2783) to escape the browser's sandbox and gain full control of victims' Windows systems.

No click required beyond visiting a carefully crafted page — a compromised forum post, a phishing invite. That's the level of threat these vulnerabilities represent.

The Technical Pattern

Type confusion vulnerabilities dominated 2025's Chrome zero-day landscape, accounting for three of the eight exploited flaws. These bugs occur when Chrome's V8 JavaScript engine misidentifies the type of an object, allowing attackers to execute arbitrary code. All eight were added to CISA's Known Exploited Vulnerabilities catalog, with an average CVSS severity score of 8.5.

What You Should Do

Update Chrome. Right now. Check your version at chrome://settings/help and restart the browser to apply any pending updates. Chrome's background updater downloads patches automatically, but a restart is required to activate them.

The Bottom Line

Eight zero-days in a single year for the world's most popular browser is alarming — but it also means Google's threat intelligence caught and patched every one of them. The real question: how many equivalent vulnerabilities exist in less-scrutinized browsers that nobody is even looking for yet?