U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium flaw to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Google Chromium flaw, tracked as CVE-2025-10585, to its Known Exploited Vulnerabilities (KEV) catalog.
In mid-September, Google released security updates to address four vulnerabilities in the Chrome web browser, including CVE-2025-10585, which has reportedly been exploited in the wild.
“Google is aware that an exploit for CVE-2025-10585 exists in the wild,” reads the advisory published by Google.
The zero-day vulnerability CVE-2025-10585 is a type confusion issue in the V8 JavaScript and WebAssembly engine.
A type confusion issue happens when software misinterprets a piece of memory as the wrong type of object. This confusion can let attackers corrupt memory, crash the program, or execute malicious code. It is common in C/C++ applications such as browsers, where weak memory safety makes such exploits possible.
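To make the bug class concrete, here is a small constructed example added by the editor; it is not code from the article, from Google, or from V8. It models a tagged object with two possible layouts (integer and string) and shows an accessor that trusts the caller's assumption about the type beside one that checks the tag first. The field overlap that lets an integer value be read back as a string length is the same mechanism that makes engine type confusions dangerous: a length the program never validated now drives later memory accesses. All names here (`union any`, `str_len_unchecked`, `str_len_checked`, the `confused_len_from_int` helpers) are hypothetical.

```c
/* Constructed demonstration of a type confusion pattern (not V8 code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum kind { KIND_INT = 1, KIND_STR = 2 };

struct obj_int { enum kind tag; int64_t value; };
struct obj_str { enum kind tag; size_t len; const char *data; };

/* One storage cell that may hold either layout; the tag says which. */
union any { enum kind tag; struct obj_int i; struct obj_str s; };

/* The integer payload and the string length share an offset: that overlap
 * is what a confused read turns into an attacker-influenced length. */
_Static_assert(offsetof(struct obj_int, value) == offsetof(struct obj_str, len),
               "value and len must overlap for this demo");

/* Bug pattern: the callee assumes a string without consulting the tag. */
static size_t str_len_unchecked(const union any *o) {
    return o->s.len;
}

/* Hardened form: validate the runtime type before reinterpreting memory. */
static int str_len_checked(const union any *o, size_t *out) {
    if (o == NULL || o->tag != KIND_STR) return -1;  /* refuse the wrong type */
    *out = o->s.len;
    return 0;
}

/* Store an integer, then read it through the unchecked string accessor:
 * the integer payload comes back as a "length" nobody validated. */
size_t confused_len_from_int(int64_t v) {
    union any o;
    memset(&o, 0, sizeof o);
    o.i.tag = KIND_INT;
    o.i.value = v;
    return str_len_unchecked(&o);
}

/* Same object through the checked accessor: rejected, *out untouched. */
int checked_len_from_int(int64_t v, size_t *out) {
    union any o;
    memset(&o, 0, sizeof o);
    o.i.tag = KIND_INT;
    o.i.value = v;
    return str_len_checked(&o, out);
}

/* A genuine string passes the check and yields its real length. */
int checked_len_from_str(const char *s, size_t *out) {
    union any o;
    memset(&o, 0, sizeof o);
    o.s.tag = KIND_STR;
    o.s.len = strlen(s);
    o.s.data = s;
    return str_len_checked(&o, out);
}

int main(void) {
    size_t n = 0;
    printf("unchecked read of an integer object as a string: len=%zu\n",
           confused_len_from_int(4096));
    printf("checked read of the same object: rc=%d\n",
           checked_len_from_int(4096, &n));
    if (checked_len_from_str("hello", &n) == 0)
        printf("checked read of a real string: len=%zu\n", n);
    return 0;
}
```

The point of the hardened accessor is not the tag check by itself but where it sits: every place that reinterprets memory must consult the runtime type, because a single unchecked path is enough to turn a controlled value into a bogus size. In a JIT-compiled engine the equivalent failure is an optimized code path that assumes a type the program can still change.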
Google’s Threat Analysis Group (TAG) discovered the vulnerability CVE-2025-10585 on September 16, 2025. Google did not share technical details about the attacks exploiting this vulnerability.
Google’s TAG team investigates attacks by nation-state actors and commercial spyware vendors. One of these threat actors likely exploited the issue in the wild.
CVE-2025-10585 is the sixth Chrome zero-day vulnerability that has been actively exploited in the wild in 2025.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by October 2, 2025.
CISA orders federal agencies to fix the vulnerabilities by October 14, 2025.