
Microsoft has released Edge Stable Channel Version 138.0.3351.65, an update that addresses critical browser vulnerabilities impacting Chromium-based Microsoft Edge. The patch includes fixes for two high-severity flaws—one of which is already being exploited in the wild, and the other involving remote code execution (RCE) triggered via crafted user interaction.
Reported by the Chromium security team and actively exploited, CVE-2025-6554 is a type confusion vulnerability in the V8 JavaScript engine that powers both Google Chrome and Microsoft Edge. In essence, this flaw allows a malicious website to manipulate memory boundaries, enabling the attacker to read or write arbitrary memory locations. This could lead to sandbox escape, information theft, or even full remote code execution—depending on how the vulnerability is chained.
In addition to the Chromium fix, Microsoft has addressed CVE-2025-49713, a Microsoft Edge–specific vulnerability with a CVSS score of 8.8. This flaw allows an attacker to execute remote code if they can convince a user to click a malicious link or open a compromised attachment.
“This attack requires an authenticated client to click a link so that an unauthenticated attacker can initiate remote code execution,” Microsoft explains.
The attack scenario mirrors social engineering techniques: the attacker sends a phishing email, instant message, or document designed to lure the user into loading a malicious site. Once the bait is taken, the attacker can execute arbitrary code on the victim’s machine—potentially installing malware, stealing credentials, or pivoting within a corporate network.