U.S. CISA Adds Google Chromium Flaw to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Google Chromium flaw to its list of known exploited vulnerabilities, highlighting the growing concern over zero-day attacks on web browsers.

In a move aimed at bolstering the security posture of federal agencies and private organizations alike, CISA has included the CVE-2025-10585 vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, which has already been exploited in the wild, is a type confusion issue in the V8 JavaScript and WebAssembly engine.

According to Google's Threat Analysis Group (TAG), the vulnerability was discovered on September 16, 2025. Security updates released in mid-September address four vulnerabilities in the Chrome web browser, including CVE-2025-10585.

"Google is aware that an exploit for CVE-2025-10585 exists in the wild," reads the advisory published by Google. This warning serves as a stark reminder of the ever-evolving threat landscape and the importance of proactive vulnerability management.

The Vulnerability: A Type Confusion Issue

CVE-2025-10585 is a type confusion issue, which occurs when software misinterprets a piece of memory as the wrong type of object. This can lead to malicious code execution, memory corruption, or a program crash.

A Growing Concern for Web Browsers

With this addition to the KEV catalog, experts warn that web browsers are increasingly becoming targets for sophisticated attacks. The zero-day vulnerability CVE-2025-10585 is just the latest in a series of Chrome vulnerabilities to be actively exploited in 2025.

CISA's Guidance for Federal Agencies and Private Organizations

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies must address identified vulnerabilities by a specified deadline. In this case, CISA orders federal agencies to fix CVE-2025-10585 by October 14, 2025.

Experts also recommend that private organizations review the KEV catalog and address the vulnerabilities in their infrastructure. With the increasing sophistication of cyber threats, proactive vulnerability management is essential for protecting networks against attacks that exploit the flaws listed in the catalog.
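One way to act on this recommendation, shown as an added example that is not from CISA or the original article: a Python check that matches KEV entries against a software inventory and ranks open findings by days remaining until the due date. The field names cveID, product and dueDate follow CISA's KEV JSON feed; the feed excerpt, its product values, the second catalog entry, and the inventory with its components and remediated fields are constructed for illustration.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. Only the CVE ID and the
# due date of the first entry come from the article; the rest is placeholder data.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2025-10585", "product": "Chromium V8", "dueDate": "2025-10-14"},
  {"cveID": "CVE-0000-00000", "product": "ExampleProduct", "dueDate": "2025-01-01"}
]}
"""

# Constructed inventory. "components" lists the engines a host's software embeds,
# so every browser built on the affected engine matches, not only Chrome itself.
INVENTORY = [
    {"host": "ws-01", "components": ["Chromium V8"], "remediated": set()},
    {"host": "ws-02", "components": ["Chromium V8"], "remediated": {"CVE-2025-10585"}},
    {"host": "srv-01", "components": ["ExampleProduct"], "remediated": set()},
]


def triage(kev_json, inventory, today):
    """Return open KEV findings per host, most urgent (fewest days left) first."""
    by_product = {}
    for vuln in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault(vuln["product"].lower(), []).append(vuln)

    findings = []
    for asset in inventory:
        for component in asset["components"]:
            for vuln in by_product.get(component.lower(), []):
                if vuln["cveID"] in asset["remediated"]:
                    continue  # already patched on this host
                days_left = (date.fromisoformat(vuln["dueDate"]) - today).days
                findings.append({
                    "host": asset["host"],
                    "cve": vuln["cveID"],
                    "days_left": days_left,
                    "status": "OVERDUE" if days_left < 0 else "OPEN",
                })
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    for finding in triage(KEV_JSON, INVENTORY, date(2025, 10, 1)):
        print(finding)
```
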

A Call to Action

The addition of CVE-2025-10585 to the KEV catalog serves as a stark reminder of the importance of staying vigilant in the face of emerging threats. As cybersecurity professionals and organizations, it's crucial that we remain proactive in identifying and addressing vulnerabilities like this one.