
Mozilla has released security updates to address one critical vulnerability in Firefox and Firefox ESR.

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected.

Google has deployed Chrome version 134.0.6998.177/.178 to patch a high-severity vulnerability that has been actively exploited. This flaw could allow a remote attacker to bypass the sandbox by exploiting a malicious file. The company has confirmed that an exploit for CVE-2025-2783 is currently being used in real-world attacks.

CrushFTP: a security researcher has uncovered a vulnerability in CrushFTP, a file server that supports standard secure file transfer protocols. This flaw, identified as CVE-2025-2825, is classified as a critical ‘improper authentication’ vulnerability with a CVSSv3 score of 9.8. If exploited, an unauthenticated attacker could craft remote HTTP requests, potentially gaining unauthorised access to CrushFTP. However, organisations that have configured the demilitarised zone (DMZ) function in CrushFTP are not vulnerable to this exploit.

Ingress NGINX Controller for Kubernetes: Five vulnerabilities have been identified in the Ingress NGINX Controller for Kubernetes, a tool designed to manage and direct external traffic to services within a Kubernetes cluster. Functioning as both a reverse proxy and load balancer, the Ingress Controller supports multiple protocols, including WebSocket, gRPC, TCP, and UDP. Additionally, it offers key features such as content-based routing and TLS/SSL termination.

Broadcom has issued a security advisory regarding a high-severity vulnerability in VMware Tools for Windows. VMware Tools is a set of utilities designed to improve the performance of VMware virtual machines while adding additional functionality. Identified as CVE-2025-22230, this authentication bypass vulnerability results from improper access control and has a CVSSv3 score of 7.8. If exploited, an attacker with non-administrative privileges on a Windows guest virtual machine (VM) could execute certain high-privilege operations within the VM.

Recommended Action

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

Mozilla – Security Advisories

Google – Chrome Releases

CrushFTP – Update

Ingress – GitHub: Releases

Broadcom (VMware) – Security Advisories

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.

Topics

  • Advisory
  • Vulnerability
  • Exploit
  • Patches and Updates