
Mozilla releases urgent security patch for Windows users as researchers uncover another IPC vulnerability echoing a recently exploited Chrome zero-day.
Mozilla has issued a critical patch addressing CVE-2025-2857, a sandbox escape vulnerability in Firefox for Windows that could allow an attacker to break out of the browser’s sandbox and take further malicious actions on a compromised system.
The flaw—discovered by Mozilla developer Andrew McCreight—is a direct follow-up to CVE-2025-2783, a previously exploited zero-day vulnerability in Chrome involving incorrect handle management in Mojo IPC (Inter-Process Communication). Like its predecessor, CVE-2025-2857 stems from mishandling of operating-system handles: the parent process inadvertently grants elevated access to unprivileged child processes, allowing them to escape the browser sandbox.
“Attackers were able to confuse the parent process into leaking handles to unprivileged child processes leading to a sandbox escape,” Mozilla noted in its security advisory.
This vulnerability is exclusive to Windows, with Linux and macOS users unaffected.
The roots of CVE-2025-2857 trace back to CVE-2025-2783, a flaw originally reported by Kaspersky researchers Boris Larin and Igor Kuznetsov. That vulnerability, exploited in the wild, was part of Operation ForumTroll, a technically sophisticated APT campaign that targeted entities in Russia.
Kaspersky characterized the attacks as “indicative of an advanced persistent threat,” noting the exploit’s use in highly targeted operations.
Following the discovery, Firefox engineers audited their own IPC mechanisms and uncovered a similar design flaw, which has now been addressed with the release of Firefox 136.0.4, Firefox ESR 115.21.1, and ESR 128.8.1.
While Firefox was not originally implicated in the attacks linked to CVE-2025-2783, the discovery of similar IPC flaws in its own codebase suggests that multiple browsers may have inherited systemic weaknesses from shared architectural patterns—particularly around Mojo IPC, which originates from Chromium’s architecture.
Sandboxing is a cornerstone of modern browser security, isolating web content from critical system components. A sandbox escape undermines this barrier, enabling attackers to pivot from browser compromise to full system access, especially in targeted attacks involving malicious web content or drive-by downloads.
In response, Mozilla moved swiftly to patch the flaw across all supported branches:
- Firefox 136.0.4
- Firefox ESR 115.21.1
- Firefox ESR 128.8.1
The company credited internal developers for the discovery during a code audit triggered by CVE-2025-2783’s exposure. While no active exploitation of CVE-2025-2857 has been confirmed yet, the vulnerability’s nature—combined with recent APT activity—makes it a critical patching priority.
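For administrators triaging Windows fleets, the following added check (not Mozilla's code and not part of the advisory) decides whether an installed Firefox build already carries the fix, comparing each install against the first fixed build on its own branch (136.0.4, ESR 115.21.1 or ESR 128.8.1). It assumes the version is read from the `[App]` section of Firefox's `application.ini`; the sample file contents are constructed.

```python
import configparser
import re
from typing import Tuple

# First fixed build on each supported branch, from Mozilla's advisory.
FIXED_ESR = {115: (115, 21, 1), 128: (128, 8, 1)}
FIXED_RELEASE = (136, 0, 4)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Normalise '136.0.4', '128.8.1esr' or '115.21' into a 3-part tuple."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*(?:esr)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_patched(version: str) -> bool:
    """True if this build already contains the CVE-2025-2857 fix.

    ESR 115 and ESR 128 are compared against their own fixed builds; any other
    branch (mainline, or an ESR that is out of support) must be >= 136.0.4,
    so an unsupported ESR such as 102.x is reported as unpatched.
    """
    v = parse_version(version)
    fixed = FIXED_ESR.get(v[0], FIXED_RELEASE)
    return v >= fixed


def version_from_application_ini(ini_text: str) -> str:
    """Read Version from the [App] section of Firefox's application.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so 'Version' is found as written
    cp.read_string(ini_text)
    return cp["App"]["Version"]


# Constructed sample of an application.ini from an ESR 128 install (not real).
SAMPLE_APPLICATION_INI = """[App]
Vendor=Mozilla
Name=Firefox
Version=128.8.0
"""

if __name__ == "__main__":
    installed = version_from_application_ini(SAMPLE_APPLICATION_INI)
    print(installed, "patched" if is_patched(installed) else "NOT patched")
```

On a real host, read `application.ini` from the Firefox install directory instead of the constructed sample.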