A critical use-after-free vulnerability, identified as CVE-2025-11708, has been discovered. This flaw, with a CVSS score of 9.8, can allow a remote attacker to execute arbitrary code on a target system by tricking a user into visiting a specially crafted webpage. Successful exploitation could lead to a full system compromise, granting the attacker control over the affected device.

The vulnerability is a use-after-free memory corruption flaw within the MediaTrackGraphImpl::GetInstance() function. An attacker can exploit this by creating a malicious website with specific media content that causes the application to incorrectly manage memory. When the application attempts to access a memory location that has already been deallocated (freed), the attacker can manipulate this action to corrupt memory, cause a crash, or execute arbitrary code with the privileges of the logged-in user.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of system confidentiality, integrity, and availability. An attacker could install malware such as ransomware or spyware, exfiltrate sensitive corporate or personal data, steal user credentials, or use the compromised system as a pivot point to attack other internal network resources. The potential for remote code execution through a common application like a web browser presents a significant and direct risk to the organization.

Immediate Action: Update Unknown Multiple Products to the latest version. All systems running the affected versions of Firefox, Firefox ESR, and Thunderbird should be patched immediately following the vendor's guidance. After patching, monitor for any signs of exploitation attempts by reviewing relevant system and application access logs.

Proactive Monitoring: Implement enhanced monitoring on endpoints and network traffic. Look for suspicious outbound connections from browsers, unexpected child processes being spawned by firefox.exe or thunderbird.exe, and alerts from Endpoint Detection and Response (EDR) solutions related to memory exploitation techniques. Intrusion Detection/Prevention Systems (IDS/IPS) should be updated with signatures for this threat if they become available.

Compensating Controls: If immediate patching is not feasible, consider implementing temporary controls to reduce risk. This includes restricting users from visiting untrusted websites through web filtering, ensuring that exploit protection features like Windows Defender Exploit Guard are enabled, and reinforcing user awareness about phishing and malicious links. Using an alternative, unaffected browser for critical tasks can also serve as a temporary mitigation.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability represents a severe risk to the organization. We strongly recommend that the vendor-provided patches be applied to all affected systems as a top priority. Although this CVE is not currently listed on the CISA KEV list, its high severity makes it a prime candidate for future inclusion and active exploitation. Organizations should treat this vulnerability with urgency and complete remediation actions without delay to prevent potential system compromise.