Google has confirmed that its Chrome browser is under attack again, with a new emergency update issued to address a critical vulnerability (CVE-2025-6554). The US cyber defence agency, CISA, has also mandated that federal employees update or stop using Chrome by July 23.
The fix relates to a type confusion vulnerability in the V8 JavaScript engine that could allow a remote attacker to perform arbitrary read/write operations via a crafted HTML page. Visiting the wrong website can put users at risk.
Google discovered the vulnerability just five days before releasing a patch, which underlines its urgency. The attack is likely to be highly targeted, delivered through specialized websites and social media. Now that the vulnerability is public knowledge, the risks are high, and attackers may use it before the fix is widely available.
This marks the fourth zero-day exploit of this year, underscoring the importance of keeping all browsers updated. The CISA mandate applies to federal agencies but also extends to other organizations, to help them manage vulnerabilities and keep pace with threat activity.
Chrome users will see a flag indicating an update has been downloaded; they must restart their browser for the fix to take effect. Incognito tabs may reopen, but unsaved data could be lost. More details on the vulnerability are expected in the coming weeks as Google becomes aware of exploits in the wild.
Source: https://www.forbes.com/sites/zakdoffman/2025/07/02/google-chrome-warning-update-or-stop-using-browser-by-july-23