A critical vulnerability has been identified in the Messaging System component of Mozilla Firefox. This flaw, rated with the highest possible severity score, allows an attacker to bypass the browser's security sandbox, enabling them to execute arbitrary code on the underlying operating system and achieve a full system compromise. Successful exploitation could lead to complete data loss, installation of malware, or an attacker taking total control of the affected computer.

This vulnerability is a sandbox escape flaw within the inter-process Messaging System of the Firefox browser. An attacker can craft a malicious webpage with specially designed content that, when rendered by a vulnerable version of Firefox, triggers a flaw in how messages are handled between different browser processes. This allows malicious code executing within the sandboxed content process to break out of its restrictions and execute commands with the full permissions of the user running the browser on the host operating system. Exploitation requires tricking a user into visiting a malicious website.

This vulnerability is rated as critical severity with a CVSS score of 10.0, indicating a complete compromise of confidentiality, integrity, and availability. A successful exploit could grant an attacker full control over an employee's workstation, leading to severe business consequences. These include the theft of sensitive corporate data, intellectual property, or employee credentials; deployment of ransomware across the network; financial fraud; and significant reputational damage. Given that web browsers are a primary tool for all employees, the attack surface is extensive, posing a critical risk to the entire organization.

Immediate Action: Update Sandbox escape in the Messaging System Multiple Products to the latest version. Monitor for exploitation attempts and review access logs. This specifically requires that all installations of Mozilla Firefox within the organization are immediately updated to version 147 or a later patched version.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes watching for unusual outbound network traffic from workstations, particularly to unknown or suspicious domains. Endpoint Detection and Response (EDR) systems should be configured to alert on anomalous processes being spawned by firefox.exe or other browser processes attempting to write to sensitive system directories.

Compensating Controls: If immediate patching is not feasible, organizations should implement compensating controls. These include enforcing the use of an alternative, secure browser, utilizing web filtering and proxy solutions to block access to untrusted websites, ensuring endpoint security solutions are up-to-date with behavioral detection capabilities, and restricting user account privileges to limit post-exploitation damage.

Public Exploit Available: false

This vulnerability represents a critical and immediate threat to the organization. The perfect CVSS score of 10.0 underscores the maximum potential for damage. Although this CVE is not currently listed on the CISA KEV catalog, its severity warrants the same level of urgency. We strongly recommend that all system administrators prioritize the immediate deployment of the patch for Mozilla Firefox across all corporate assets to mitigate the risk of a full system compromise.