CVE-2025-13720
Google · Google Multiple Products
A high-severity vulnerability, identified as CVE-2025-13720, has been discovered in Google Chrome and other Google products.
Executive summary
A high-severity vulnerability, identified as CVE-2025-13720, has been discovered in Google Chrome and other Google products. An attacker who lures a user to a specially crafted web page can exploit the flaw remotely, without credentials, to execute arbitrary code in the browser; chained with a sandbox escape, this can lead to full compromise of the victim's system. Because Chrome is deployed on most workstations, the vulnerability poses a significant risk to the organization.
Vulnerability
The vulnerability is a "bad cast", a type-confusion weakness (the CWE-843 class), in the Loader component of Google Chrome. A malicious web page can drive the loader into treating an in-memory object of one type as if it were another; subsequent reads and writes then go through the wrong type's layout and corrupt adjacent memory. Type confusion is a well-understood primitive for building an arbitrary read/write, which attackers use to defeat mitigations such as ASLR and gain code execution in the process that handled the page. Note that this code execution typically lands in Chrome's sandboxed renderer; taking over the workstation usually requires chaining a second, sandbox-escape vulnerability, which is how browser exploit chains seen in the wild are commonly built.
Business impact
This vulnerability is rated High severity with a CVSS score of 8.8 (network-reachable, low complexity, no privileges required, user interaction limited to visiting a page). Successful exploitation, chained with a sandbox escape, could lead to complete compromise of the affected user's workstation. Potential consequences include theft of sensitive data such as login credentials, session cookies and confidential documents, installation of malware such as ransomware or spyware, and use of the compromised system as a pivot point for lateral movement within the corporate network. Given that Google Chrome is the standard browser for many employees, this vulnerability represents a critical risk to organizational security and data integrity.
Remediation
Immediate Action: Update all Chrome installations to version 143 or later, the release in which the vendor states the fix shipped; consult the vendor's release notes for the exact four-part build number and verify it on each endpoint at chrome://settings/help. Chrome downloads updates in the background but does not apply them until the browser is relaunched, so a fleet that auto-updates can still be running vulnerable code for days; enterprise administrators can force a relaunch with the RelaunchNotification and RelaunchNotificationPeriod policies. Other Chromium-based browsers that share the affected code ship their own fixes on their own schedules and must be checked separately. System administrators should prioritize deployment of this update across all corporate endpoints.
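As an added example (not part of this advisory and not a Google tool), the Python script below parses Chrome version strings and triages an inventory against the minimum fixed major version named above. The MINIMUM_FIXED tuple, the hostnames and the version strings in the sample inventory are assumptions constructed for illustration; replace MINIMUM_FIXED with the exact fixed build from the vendor's release notes.

```python
"""Triage Chrome installations against the first fixed version for CVE-2025-13720.

Added example, not from the advisory or from Google. Compares four-part Chrome
version strings (as printed by `chrome --version` or shown at
chrome://settings/help) with the minimum fixed version. The value of
MINIMUM_FIXED and the sample inventory below are assumptions for illustration.
"""
import re
import shutil
import subprocess
from typing import Iterable, List, Optional, Tuple

# The advisory names Chrome 143 as the fixed release. Pin the exact four-part
# build from the vendor's release notes here once known (assumption: 143.0.0.0).
MINIMUM_FIXED: Tuple[int, int, int, int] = (143, 0, 0, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a four-part version from strings such as
    'Google Chrome 143.0.7499.40' or 'Chromium 142.0.7444.175'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_vulnerable(version_text: str, minimum_fixed=MINIMUM_FIXED) -> bool:
    """True when the version is older than the first fixed build.
    Tuple comparison is lexicographic, so 142.0.7444.175 < 143.0.0.0 < 143.0.7499.40."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    return v < minimum_fixed


def installed_chrome_version() -> Optional[str]:
    """Best-effort query of the local binary on Linux/macOS; returns None if not found.
    On Windows chrome.exe --version prints nothing, so read the file version of
    chrome.exe (or the 'Version' value under the Chrome registry key) instead."""
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        exe = shutil.which(name)
        if exe:
            out = subprocess.run([exe, "--version"], capture_output=True, text=True, timeout=10)
            return out.stdout.strip()
    return None


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """inventory: (hostname, version_text) pairs. Returns hosts still needing the patch."""
    return sorted(host for host, text in inventory if is_vulnerable(text))


# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 142.0.7444.175"),  # pre-143: still vulnerable
    ("ws-002", "Google Chrome 143.0.7499.40"),   # 143 branch: fixed per advisory
    ("ws-003", "Google Chrome 139.0.7258.139"),  # far behind: vulnerable
    ("ws-004", "Google Chrome 144.0.7559.0"),    # newer release: fixed
]

if __name__ == "__main__":
    local = installed_chrome_version()
    if local:
        print(f"local: {local} -> {'VULNERABLE' if is_vulnerable(local) else 'fixed'}")
    print("hosts needing the Chrome 143 update:", triage_inventory(SAMPLE_INVENTORY))
```

Feed triage_inventory the (host, version) pairs exported from your software inventory or EDR console; a host running a fixed build that has not yet relaunched the browser will still report the old version, which is exactly the case the relaunch policies above exist to close.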
Proactive Monitoring: Security teams should monitor for signs of exploitation. This includes watching endpoint detection and response (EDR) alerts for unusual process behavior originating from chrome.exe, such as the browser spawning a shell, script host or other living-off-the-land binary, or injecting into other processes. Chrome's multi-process design means chrome.exe legitimately spawns many chrome.exe children (renderer, GPU and utility processes), so tune rules on the child image and command line rather than on child-process count. Review web proxy and DNS logs for connections to unknown or recently registered domains, which are typical of the watering-hole and exploit-kit infrastructure used to deliver browser exploits.
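As an added example (not from this advisory and not any EDR vendor's rule), the Python script below applies the child-process logic described above to process-creation telemetry. It expects one JSON record per line with Sysmon Event ID 1 style fields (Computer, ParentImage, Image, CommandLine); those field names, the allow/deny lists and the sample events are assumptions constructed for illustration and will need tuning for a real fleet.

```python
"""Flag suspicious child processes of chrome.exe in process-creation telemetry.

Added example, not from the advisory or from any EDR product. Input: JSON lines
shaped like Sysmon Event ID 1 records (fields Computer, ParentImage, Image,
CommandLine). Field names, lists and sample events are assumptions.
"""
import json
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

# chrome.exe spawning chrome.exe is normal (renderer, GPU, utility processes).
EXPECTED_CHILDREN = {"chrome.exe"}

# Binaries a browser has no reason to launch directly; common first-stage
# loaders after a renderer exploit plus sandbox escape.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msiexec.exe", "curl.exe", "wmic.exe",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\...\\chrome.exe' -> 'chrome.exe')."""
    return PureWindowsPath(path).name.lower()


def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one event, or None when it is not interesting."""
    if basename(event.get("ParentImage", "")) != "chrome.exe":
        return None
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if child in EXPECTED_CHILDREN:
        # A Chrome child started with --no-sandbox means the renderer sandbox,
        # the layer an exploit for this bug would have to escape, is switched off.
        if "--no-sandbox" in cmdline.split():
            return ("medium", "chrome.exe child started with --no-sandbox: renderer sandbox disabled")
        return None
    if child in SUSPICIOUS_CHILDREN:
        return ("high", f"chrome.exe spawned {child}: possible post-exploitation stager")
    # Chrome does launch handlers for files the user opens from the download bar,
    # so anything else is a review item rather than an automatic alert.
    return ("review", f"chrome.exe spawned {child}: confirm it was a user-opened download")


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify() over JSON lines and return the alerts in input order."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        verdict = classify(event)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({
            "host": event.get("Computer", "?"),
            "severity": severity,
            "reason": reason,
            "command": event.get("CommandLine", ""),
        })
    return alerts


# Constructed sample telemetry (hostnames, paths and command lines are made up).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Computer": "ws-001", "ParentImage": CHROME, "Image": CHROME,
     "CommandLine": f'"{CHROME}" --type=renderer --lang=en-US'},            # normal
    {"Computer": "ws-001", "ParentImage": CHROME,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},      # high
    {"Computer": "ws-002", "ParentImage": CHROME,
     "Image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "CommandLine": r'"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe" C:\Users\j\Downloads\invoice.pdf'},  # review
    {"Computer": "ws-003", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},  # parent is not Chrome
    {"Computer": "ws-004", "ParentImage": CHROME, "Image": CHROME,
     "CommandLine": f'"{CHROME}" --type=renderer --no-sandbox'},          # medium
]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']}: {alert['reason']} :: {alert['command']}")
```

The "review" tier is deliberate: raising every non-Chrome child to high severity would bury the analyst under users opening PDFs and installers from the download bar, while the living-off-the-land list stays small enough that a hit there is worth a page.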
Compensating Controls: If immediate patching is not feasible, the following temporary controls can reduce risk:
- Enforce strict web filtering policies to block access to uncategorized or known malicious websites.
- Ensure EDR and antivirus solutions are up-to-date and configured to detect and block common browser exploitation techniques.
- Educate users on the risks of clicking links from untrusted sources.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the CVSS score of 8.8 and the low bar to exploitation (the victim only has to visit a malicious or compromised web page), CVE-2025-13720 must be treated as a critical priority. We strongly recommend completing the update of all vulnerable Google Chrome instances within the organization's critical vulnerability remediation window and confirming that browsers have actually been relaunched onto the fixed build. Although no public exploit is known and the CVE is not currently listed in the CISA KEV catalog, browser memory-corruption bugs of this class are routinely weaponized after the fix is public, making it a likely candidate for future inclusion and a high-value target for threat actors. Proactive patching is the most effective defense.