• Google has issued an urgent security update for the Chrome browser on Windows, Mac, and Linux, addressing a critical vulnerability that could allow attackers to execute arbitrary code remotely.

    Users are strongly advised to update their browsers immediately to protect against potential threats.

    The Stable channel has been updated to version 140.0.7339.127/.128 for Windows, 140.0.7339.132/.133 for Mac, and 140.0.7339.127 for Linux.

    The update is currently rolling out and will become available to all users over the coming days and weeks. This patch follows the initial release of Chrome 140, which also addressed several other security issues.

    | CVE ID | Severity | Description | Affected Component | Bug Bounty |
    |---|---|---|---|---|
    | CVE-2025-10200 | Critical | Use-after-free | Serviceworker | $43,000 |
    | CVE-2025-10201 | High | Inappropriate implementation | Mojo | $30,000 |

    Critical Use-After-Free Vulnerability

    The update resolves two major security flaws, with the most severe being CVE-2025-10200. This vulnerability is rated as critical and is described as a “Use-after-free” bug in the Serviceworker component.

    A use-after-free flaw occurs when a program tries to use memory after it has been deallocated, which can lead to crashes, data corruption, or, in the worst case, arbitrary code execution.

    An attacker could exploit this vulnerability by crafting a malicious webpage that, when visited by a user, could allow the attacker to run malicious code on the victim’s system.

    Security researcher Looben Yang reported this critical flaw on August 22, 2025. In recognition of the severity of the discovery, Google has awarded a bug bounty of $43,000.

    High-Severity Mojo Implementation Flaw

    The second vulnerability patched in this release is CVE-2025-10201, a high-severity flaw identified as an “Inappropriate implementation in Mojo.”

    Mojo is a collection of runtime libraries used for inter-process communication within Chromium, the open-source project that powers Chrome.

    Flaws in this component can be particularly dangerous as they can potentially compromise the browser’s sandbox, a key security feature that isolates processes to prevent exploits from affecting the underlying system.

    This vulnerability was reported by Sahan Fernando and an anonymous researcher on August 18, 2025. The reporters were awarded a $30,000 bounty for their findings.

    Google is rolling out the update gradually, but users can manually check for and apply the update by navigating to Settings > About Google Chrome.

    The browser will automatically scan for the latest version and prompt the user to relaunch it to complete the update process.

    As is standard practice, Google has restricted access to detailed information about the bugs to prevent attackers from developing exploits before a majority of users have installed the patch. This highlights the importance of applying security updates as soon as they become available.


    The post Chrome Security Update Patches Critical Remote Code Execution Vulnerability appeared first on Cyber Security News.


  • Apple Podcasts

    Guests:

    • Sam Bendett, advisor in Russia Studies at the Virginia-based research organization CNA;
    • And Patrick Tucker, Defense One science and technology editor.

  • Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it’s not aware of


  • SAP on Tuesday released security updates to address multiple security flaws, including three critical vulnerabilities in SAP NetWeaver that could result in code execution and the upload of arbitrary files. The vulnerabilities are listed below – CVE-2025-42944 (CVSS score: 10.0) – A deserialization vulnerability in SAP NetWeaver that could allow an unauthenticated attacker to submit a malicious


  • HONOLULU—China is deliberately attempting to “erode leadership, disrupt vital services, and weaken confidence in government” in Palau, and has sent drugs to wash ashore on the Pacific nation to “weaken our community,” the country’s president said Monday. 

    Speaking at U.S. Indo-Pacific Command’s International Military Law and Operations conference, Surangel Whipps said his country—one of just a dozen in the world with official diplomatic relations with Taiwan—has also seen economic coercion from China. Whipps described Chinese investors buying up or securing 99-year leases on land and then leaving it empty, as well as a radical dropoff in tourism from China in the last decade.

    “A Chinese ambassador told me once, you know, ‘I don’t understand what you’re doing. You need to make the right choice and join the rest of the world and denounce Taiwan. We can give you a million tourists to fill all your hotel rooms.’ And I said, ‘No thank you.’ Sometimes we have to look beyond money. We have to look at what is good for the safety and security of our people long term,” he said. 

    “We must help our people understand, because of our location, we are under constant threat. I might venture to say that we are already at war, and the best way to combat this is through partnership with like-minded nations who believe that peace comes through strength, and presence is deterrence.” 

    Whipps’ keynote speech kicked off the four-day event, which drew 200 attendees from 30 different countries—though not China, which was invited, or Taiwan, which was not. The 36th iteration of the conference focused on “legal vigilance and legal diplomacy.” 

    Adm. Sam Paparo, the leader of U.S. Indo-Pacific Command, spoke immediately after Whipps.  

    “It is my sad duty to report that we are not in an era of peace,” Paparo said. “We are in an era of contested peace. It’s a peace we must win every single day. Aggression from China, Russia, North Korea and Iran is accelerating.”

    That aggression is illustrated by the “steady tempo of gray zone operations, maritime coercion, cyber attacks, disinformation, illegal, unregulated, unreported fishing, and legal warfare in our own backyard,” the admiral said. “We see it in China’s shifting strategy from ‘bide our time and hide our capabilities’ to ‘be ready and dare to fight.’ We see it in China’s regular acts of coercion and aggression against the Philippines and in the Philippines’ exclusive economic zone…We see in China's claim to a maritime law that no one else agrees to and no one else recognizes, and we see it in China's pervasive use of legal warfare as a tool for coercion and a pretext for aggression.”

    Paparo and Whipps both stressed the importance of partnerships and collaboration, particularly for deterrence. 

    “Deterrence, it is exponential when it is exercised together. It’s a shared responsibility among all of us,” Paparo said. “Two allies doesn’t yield 2x deterrence. It yields 4x. Three allies yields 9x.”


  • In a world of evolving threats, the security of an organization’s internal network is just as important as its external defenses. An internal network penetration test simulates a real-world attack from a threat actor who has already gained a foothold inside the network, exposing vulnerabilities that could lead to privilege escalation and data exfiltration. This […]

    The post Top 10 Best Internal Network Penetration Testing Providers in 2025 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft has released its September 2025 Patch Tuesday update, addressing a total of 81 security vulnerabilities across its product portfolio. This extensive release includes fixes for two zero-day vulnerabilities that are actively being exploited. Among the patched flaws, ten are rated as “Critical,” while the remaining 71 are classified as “Important.” The updates cover a […]

    The post Microsoft September 2025 Patch Tuesday – 81 Vulnerabilities and 2 Zero Days Fixed appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Every SOC analyst knows the frustration. Your SIEM generates hundreds, sometimes thousands of alerts daily.

    Each alert demands attention, but with limited time and resources, how do you prioritize effectively? Investigating each alert in isolation leaves teams reactive, overwhelmed, and ultimately vulnerable to sophisticated attacks that blend into the background noise. 

    The Alert Triage Dilemma: Drowning in Data, Starving for Context 

    The challenge isn’t just volume; it’s context. An IP address flagged in your network might seem innocuous until you discover it’s been actively targeting companies in your industry for weeks.

    A file hash that appears benign could be part of a broader campaign that’s already compromised your competitors. Without this broader intelligence picture, even skilled analysts operate with one hand tied behind their back. 

    Threat actors can establish persistence, exfiltrate data, and disappear within hours, sometimes minutes. Your detection capabilities need to match this velocity, identifying threats not just accurately, but immediately upon first contact. 

    This is where the concept of collective defense becomes invaluable. While your organization may be seeing a particular indicator for the first time, the global security community may have encountered it repeatedly.  

    The challenge lies in accessing this collective knowledge in actionable, real-time formats that integrate seamlessly into your existing workflows. This is the challenge that services like ANY.RUN’s Threat Intelligence Lookup take on.

    Threat Intelligence Lookup main page: search IOCs, explore TTPs, use YARA rules 

    Industry as a Target: You’re Not Alone in Their Crosshairs 

    Attackers rarely target individual companies in isolation. They target industries, supply chains, and geographic regions. If you’re in financial services and your competitors are under attack, you’re likely next.

    If you’re a healthcare provider and similar organizations in your region are being compromised, consider yourself on borrowed time. 

    Threat actors invest significant resources in understanding specific industry verticals, developing specialized tools and techniques optimized for particular business environments.

    Once they’ve honed their approach against one target in your sector, they’ll systematically apply these proven methods across similar organizations. 

    Why Outside Incident Data Is Priceless 

    Intelligence about attacks against industry peers isn’t just interesting context. It’s predictive intelligence.

    When analysts understand the complete scope of ongoing campaigns against their sector, they can proactively hunt for early indicators rather than wait for attacks to fully manifest in their environment.  

    Your SOC sees what happens in your network. But attackers are reusing domains, IPs, samples, and behaviors across many victims.

    Having access to incident data from other companies gives you a shortcut: instead of spending hours figuring out if an alert is malicious, you can check instantly against real-world attack data. 

    ANY.RUN Threat Intelligence Lookup: Instant IOC Validation 

    With Threat Intelligence Lookup, SOC analysts can: 

    • Enter an IOC (hash, IP, domain, URL, or file). 
    • Instantly see whether it appeared in real-world attacks observed across thousands of SOCs. 
    • Get context such as malware family, behavior, and timestamps of activity. 
    • Validate whether an alert points to a real, ongoing threat or just background noise.

    This shifts alert triage from manual, time-consuming validation to fast, confident decision-making backed by live attack evidence. 

    Start using TI Lookup for free to make quick decisions on possible threats: Sign up to start.

    The source of the threat data explorable by TI Lookup is ANY.RUN’s Interactive Sandbox.

    It is used daily by over 15,000 SOCs worldwide: analysts at these organizations detonate suspicious files, investigate malware behavior, and analyze attack campaigns using ANY.RUN’s cloud-based environment. This creates an unprecedented repository of live attack intelligence. 

    For threat analysts and hunters, ANY.RUN’s Threat Intelligence Lookup provides: 

    • Faster triage: Instantly confirm whether an alert IOC is tied to a live attack. 
    • Reduced fatigue: Cut hours of manual investigation by checking IOCs in seconds. 
    • Higher detection confidence: Spot adversaries using the same infrastructure elsewhere. 
    • Better hunting: Pivot on related IOCs and uncover hidden connections in your environment. 
    • Collective defense: Leverage the insights of 15,000 SOCs worldwide to strengthen your own. 

    TI Lookup in Action: How to Use It 

    ANY.RUN’s Threat Intelligence Lookup is available on a free plan with limited search parameters, which are enough to complete basic analyst tasks.

    Let’s take the above-mentioned use case to see how it works: a dubious IP address detected in your system. Look it up and get an instant verdict:  

    IP lookup results with a quick verdict and additional IOCs

    We can see that the IP has been flagged as malicious and has been spotted in the most recent incidents. For more context, we can switch to the “Analyses” tab and quickly discover that it belongs to Agent Tesla spyware:

    destinationIP:"173.254.31.34"

    Malware samples analyzed in the Sandbox, found by IP search

    Premium Capabilities for Advanced Security Operations 

    When you are ready for a level-up, the Premium plan transforms TI Lookup into a comprehensive security intelligence platform: 

    • Advanced Search Operations: Over 40 search parameters with complex operators (AND, OR, NOT) enable precise threat hunting and investigation workflows. 
    • Complete Attack Visibility: Access to all available analysis sessions rather than just the 20 most recent, providing comprehensive historical context. 
    • Private Intelligence: Conduct confidential searches and investigations without visibility to other users, protecting sensitive security operations. 
    • Continuous Monitoring: Search Updates feature provides automated alerts when new threats match your specified criteria, ensuring your team stays ahead of emerging campaigns. 
    • Expert Analysis: TI Reports from ANY.RUN’s analyst team deliver strategic insights on attack trends and threat actor activities across industries. 

    Here is an example of a lookup query you can use on the Premium plan, where more search parameters (registryKey, registryValue) and operators (NOT) are available. It finds over 500 sandbox sessions in which an analyst can observe certain malware behavior.

    registryKey:"\Run$" AND registryValue:".url$" NOT threatName:"darkvision"

    Malware samples demonstrating certain behavior found via TI Lookup 

    Request full access to TI Lookup for actionable threat investigation: Contact ANY.RUN now 

    Embrace the Power of Collective Defense  

    The modern threat landscape demands a fundamental shift from isolated defense to collective intelligence. No single organization, regardless of size or resources, can match the comprehensive threat visibility that emerges from global collaboration.

    ANY.RUN’s Threat Intelligence Lookup represents this collaborative approach in action: instant access to intelligence derived from 15,000 SOCs struggling to analyze and understand active threats. 

    In a world where attackers share techniques, tools, and targets across the global threat landscape, defenders must respond with equal coordination and real-time intelligence sharing.

    ANY.RUN’s Threat Intelligence Lookup provides the immediate access infrastructure to make this collective defense practical and operational. 

    The post How to Enrich Alerts with Live Attack Data From 15K SOCs  appeared first on Cyber Security News.


  • HONOLULU—“The Indo-Pacific is the priority theater of the United States of America.”

    This sentence, spoken Monday by U.S. Indo-Pacific Command leader Adm. Samuel Paparo, is a common refrain here on the island that’s home to not just INDOPACOM but U.S. Army Pacific, Pacific Fleet, Pacific Air Forces, Marine Corps Forces Pacific, and U.S. Space Forces-Indo-Pacific. 

    And despite reports that defending the homeland is the Pentagon’s new top priority, Paparo said he’s not concerned about a shift in attention. 

    “I'm not,” he said. “I mean, one, because the homeland is in the Pacific.” 

    Guam and the Northern Mariana Islands—both U.S. territories—are in the western Pacific, while Hawaii is in the central Pacific, Paparo said. And the U.S. operates under the Compacts of Free Association, he said, “a covenant between the United States, Palau, Federated States of Micronesia, Republic of Marshall Islands” under which the United States is “responsible for their national defense.” 

    “Defense in depth means the Pacific is a priority theater, because four of the five priority threats to the United States of America—to the security, freedom, and well-being of the United States—traverse the Indo-Pacific geography,” he said.

    The president of Palau, Surangel Whipps, said his country fell victim to a cyberattack they attribute to China shortly after renewing the COFA in March 2024. But, asked whether he was concerned about the possibility of the Trump administration turning inward and away from allies, Whipps said he believes the administration “is just trying to refocus and trying to find better ways that they can help us, and they’re carrying through on those commitments.” 

    Defense Secretary Pete Hegseth in June told the Senate Appropriations Committee that the Pentagon is operating under an interim National Defense Strategy “focused on defending the homeland,” because previous planning guidance “had the wrong priorities, or some of the wrong priorities.”


  • Microsoft has released its September 2025 Patch Tuesday updates, addressing a total of 81 security vulnerabilities across its product suite. The security patches cover a wide range of software, including Windows, Microsoft Office, Azure, and SQL Server.

    Among the fixes are 22 Remote Code Execution (RCE) vulnerabilities, making this a significant update for system administrators. Of the 81 flaws, 8 are rated as Critical, with the remaining 73 classified as Important in severity.

    | Impact | Count |
    |---|---|
    | Elevation of Privilege (EoP) | 38 |
    | Remote Code Execution (RCE) | 22 |
    | Information Disclosure | 14 |
    | Denial of Service (DoS) | 4 |
    | Security Feature Bypass | 2 |
    | Spoofing | 1 |
    | Total | 81 |

    The vulnerabilities cover various categories, with Remote Code Execution (RCE), Elevation of Privilege (EoP), and Information Disclosure being the most frequently addressed types in this month’s release.

    Critical Remote Code Execution Flaws

    This month’s update resolves several critical RCE vulnerabilities that could allow attackers to execute arbitrary code on affected systems. Among the most severe are multiple race condition flaws in the Graphics Kernel (CVE-2025-55226, CVE-2025-55236) and the Windows Graphics Component (CVE-2025-55228), which an authorized attacker could exploit to execute code locally.

    Microsoft Office also received a critical patch for a heap-based buffer overflow vulnerability (CVE-2025-54910) that enables local code execution.

    Additionally, a critical RCE vulnerability in Windows Hyper-V (CVE-2025-55224) was fixed. This flaw, stemming from a race condition, could allow a local attacker to execute arbitrary code. These types of vulnerabilities are particularly dangerous as they can often be exploited to gain initial access or move laterally within a network.

    Widespread Elevation of Privilege and Other Flaws

    A significant portion of the September update is dedicated to fixing Elevation of Privilege vulnerabilities across the Windows ecosystem. A critical EoP flaw in Windows NTLM (CVE-2025-54918) could allow an authorized attacker to elevate their privileges over the network.

    Other important EoP vulnerabilities were patched in PowerShell Direct (CVE-2025-49734), Windows Ancillary Function Driver for WinSock (CVE-2025-54099), and the Windows Kernel (CVE-2025-54110).

    The update also addresses numerous information disclosure vulnerabilities, particularly in the Windows Routing and Remote Access Service (RRAS), with six distinct CVEs (CVE-2025-53797, CVE-2025-53798, CVE-2025-54095, CVE-2025-54096, CVE-2025-54097, CVE-2025-55225) related to buffer over-read and out-of-bounds read issues.

    While not as severe as RCEs, these flaws can leak sensitive memory information that aids attackers in crafting more complex exploits.

    Patches for SharePoint, Azure, and Excel

    Beyond the core operating system, Microsoft has patched critical and important flaws in its enterprise and productivity software.

    A significant RCE vulnerability in Microsoft SharePoint (CVE-2025-54897) was addressed, which could be exploited by an authorized attacker over the network through the deserialization of untrusted data.

    Microsoft Excel received a barrage of fixes for seven different RCE vulnerabilities (CVE-2025-54896, CVE-2025-54898, CVE-2025-54899, CVE-2025-54900, CVE-2025-54902, CVE-2025-54903, CVE-2025-54904).

    These flaws, mostly related to use-after-free and out-of-bounds read issues, allow an attacker to execute code locally if a user opens a specially crafted file.

    Several Elevation of Privilege vulnerabilities were also patched in Azure services, including Azure Arc (CVE-2025-55316) and the Azure Connected Machine Agent (CVE-2025-49692).

    Microsoft urges all customers to apply the September 2025 security updates promptly to protect their systems from potential exploitation. Administrators should prioritize patching the critical RCE and Elevation of Privilege vulnerabilities to mitigate the most severe risks.

    Of the 81 vulnerabilities addressed in Microsoft’s September 2025 Patch Tuesday, none were reported as publicly disclosed or actively exploited. The release includes patches for 8 Critical and 73 Important severity flaws.

    Below is a comprehensive table of all vulnerabilities fixed in this update:

    | CVE | Vulnerability Details | Actively Exploited | Type | Severity |
    |---|---|---|---|---|
    | Critical Vulnerabilities | | | | |
    | CVE-2025-54918 | Improper authentication in Windows NTLM allows for network-based privilege elevation. | No | Elevation of Privilege | Critical |
    | CVE-2025-55226 | A race condition in the Graphics Kernel can be exploited for local code execution. | No | Remote Code Execution | Critical |
    | CVE-2025-55228 | A race condition in the Windows Graphics Component allows local code execution. | No | Remote Code Execution | Critical |
    | CVE-2025-55236 | A race condition in the Graphics Kernel could lead to local code execution. | No | Remote Code Execution | Critical |
    | CVE-2025-53799 | Use of an uninitialized resource in the Windows Imaging Component leads to information disclosure. | No | Information Disclosure | Critical |
    | CVE-2025-53800 | A flaw in the Microsoft Graphics Component can be used for local privilege elevation. | No | Elevation of Privilege | Critical |
    | CVE-2025-54910 | A heap-based buffer overflow in Microsoft Office allows for local remote code execution. | No | Remote Code Execution | Critical |
    | CVE-2025-55224 | A race condition in Windows Hyper-V can be used for local code execution. | No | Remote Code Execution | Critical |
    | Important Vulnerabilities | | | | |
    | CVE-2024-21907 | A flaw in Newtonsoft.Json used by SQL Server can lead to a denial-of-service condition. | No | Denial of Service | Important |
    | CVE-2025-49734 | A flaw in PowerShell Direct allows for local privilege escalation. | No | Elevation of Privilege | Important |
    | CVE-2025-53797 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
    | CVE-2025-53798 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
    | CVE-2025-54095 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-54096 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-54097 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-54099 | A stack-based buffer overflow in the Ancillary Function Driver for WinSock allows privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54101 | A use-after-free flaw in the Windows SMBv3 Client allows for remote code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54102 | A use-after-free flaw in the Connected Devices Platform Service can be used for privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54106 | An integer overflow in RRAS could allow an attacker to execute code over the network. | No | Remote Code Execution | Important |
    | CVE-2025-54110 | An integer overflow in the Windows Kernel can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54111 | A use-after-free flaw in Windows UI XAML allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54894 | A vulnerability in the Local Security Authority Subsystem Service leads to privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54895 | An integer overflow in SPNEGO NEGOEX allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54896 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54897 | Deserialization of untrusted data in SharePoint can lead to remote code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54898 | An out-of-bounds read in Microsoft Excel can be used for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54899 | Freeing memory not on the heap in Microsoft Excel can lead to local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54902 | An out-of-bounds read in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54903 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54904 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54905 | An untrusted pointer dereference in Microsoft Word can lead to information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-54906 | Freeing memory not on the heap in Microsoft Office can lead to local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54907 | A heap-based buffer overflow in Microsoft Visio allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54908 | A use-after-free vulnerability in Microsoft PowerPoint allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54913 | A race condition in Windows UI XAML Maps can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54916 | A stack-based buffer overflow in Windows NTFS allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54919 | A race condition in the Windows Graphics Component leads to local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-55223 | A race condition in the DirectX Graphics Kernel allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-55225 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-55232 | Deserialization of untrusted data in HPC Pack can lead to remote code execution. | No | Remote Code Execution | Important |
    | CVE-2025-55245 | Improper link resolution in Xbox Gaming Services can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-55243 | Exposure of sensitive information in Microsoft OfficePlus can lead to spoofing. | No | Spoofing | Important |
    | CVE-2025-55316 | External control of a file name or path in Azure Arc allows for privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-55317 | Improper link resolution in Microsoft AutoUpdate can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-49692 | Improper access control in the Azure Connected Machine Agent allows local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-47997 | A race condition in SQL Server can lead to network-based information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-53796 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
    | CVE-2025-53801 | An untrusted pointer dereference in the DWM Core Library can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-53802 | A use-after-free flaw in the Windows Bluetooth Service can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-53803 | An error message in the Windows Kernel could disclose sensitive information locally. | No | Information Disclosure | Important |
    | CVE-2025-53804 | Exposure of sensitive information in a Windows Kernel-Mode Driver can lead to local information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-53805 | An out-of-bounds read in HTTP.sys can lead to a denial of service. | No | Denial of Service | Important |
    | CVE-2025-53806 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
    | CVE-2025-53807 | A race condition in the Microsoft Graphics Component allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-53808 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-53809 | Improper input validation in LSASS can lead to a denial of service. | No | Denial of Service | Important |
    | CVE-2025-53810 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54091 | An integer overflow in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54092 | A race condition in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54093 | A race condition in the Windows TCP/IP Driver allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54094 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54098 | Improper access control in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54103 | A use-after-free flaw in Windows Management Service can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54104 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54105 | A race condition in the Brokering File System can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54107 | Improper path resolution in MapUrlToZone can lead to a security feature bypass. | No | Security Feature Bypass | Important |
    | CVE-2025-54108 | A race condition in the Capability Access Management Service allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54109 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54112 | A use-after-free flaw in Microsoft Virtual Hard Disk can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54113 | A heap-based buffer overflow in RRAS allows for remote code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54114 | A race condition in the Connected Devices Platform Service can lead to a denial of service. | No | Denial of Service | Important |
    | CVE-2025-54115 | A race condition in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54116 | Improper access control in Windows MultiPoint Services allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54900 | A heap-based buffer overflow in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54901 | A buffer over-read in Microsoft Excel can lead to local information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-54911 | A use-after-free flaw in Windows BitLocker can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54912 | A use-after-free flaw in Windows BitLocker can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54915 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54917 | A protection mechanism failure in MapUrlToZone can lead to a security feature bypass. | No | Security Feature Bypass | Important |
    | CVE-2025-55227 | A command injection vulnerability in SQL Server allows for network-based privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-55234 | A flaw in Windows SMB could allow an attacker to perform relay attacks, leading to privilege elevation. | No | Elevation of Privilege | Important |

    It is also essential to install the latest servicing stack updates, as detailed in advisory ADV990001, to ensure successful patching.


    The post Microsoft September 2025 Patch Tuesday – 81 Vulnerabilities Fixed Including 22 RCE appeared first on Cyber Security News.
