Vulnerability-Lookup

CVE-2025-6554 (GCVE-0-2025-6554)

Vulnerability from cvelistv5 – Published: 2025-06-30 21:14 – Updated: 2025-10-21 22:45

CISA KEV

Summary

Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

SSVC

Exploitation: active Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-843 - Type Confusion

Assigner

Chrome

References

3 references

URL	Tags
https://chromereleases.googleblog.com/2025/06/sta…
https://issues.chromium.org/issues/427663123
https://www.cisa.gov/known-exploited-vulnerabilit…	government-resource

Impacted products

1 product

Vendor	Product	Version
Google	Chrome	Affected: 138.0.7204.96 , < 138.0.7204.96 (custom)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 35447716-cd34-43a5-ba43-a33816a67a14

Vulnerability ID: CVE-2025-6554

Status: Confirmed

Status Updated: 2025-07-02 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2025-07-02

Asserted: 2025-07-02

Scope

Notes: KEV entry: Google Chromium V8 Type Confusion Vulnerability | Affected: Google / Chromium V8 | Description: Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2025-07-23 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html?m=1 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6554

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-843
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	Chromium V8
Due Date	2025-07-23
Date Added	2025-07-02
Vendorproject	Google
Vulnerabilityname	Google Chromium V8 Type Confusion Vulnerability
Knownransomwarecampaignuse	Unknown

References

CVE-2025-6554

Created: 2026-02-02 12:25 UTC | Updated: 2026-02-06 07:17 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-6554",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-17T03:55:36.423228Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-07-02",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6554"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:45:23.208Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6554"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-07-02T00:00:00.000Z",
            "value": "CVE-2025-6554 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Chrome",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "138.0.7204.96",
              "status": "affected",
              "version": "138.0.7204.96",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-843",
              "description": "Type Confusion",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-30T21:14:14.799Z",
        "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
        "shortName": "Chrome"
      },
      "references": [
        {
          "url": "https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html"
        },
        {
          "url": "https://issues.chromium.org/issues/427663123"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
    "assignerShortName": "Chrome",
    "cveId": "CVE-2025-6554",
    "datePublished": "2025-06-30T21:14:14.799Z",
    "dateReserved": "2025-06-23T22:30:37.836Z",
    "dateUpdated": "2025-10-21T22:45:23.208Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2025-6554",
      "cwes": "[\"CWE-843\"]",
      "dateAdded": "2025-07-02",
      "dueDate": "2025-07-23",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html?m=1 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6554",
      "product": "Chromium V8",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
      "vendorProject": "Google",
      "vulnerabilityName": "Google Chromium V8 Type Confusion Vulnerability"
    },
    "epss": {
      "cve": "CVE-2025-6554",
      "date": "2026-06-05",
      "epss": "0.0158",
      "percentile": "0.81945"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-6554\",\"sourceIdentifier\":\"chrome-cve-admin@google.com\",\"published\":\"2025-06-30T22:15:29.873\",\"lastModified\":\"2025-10-24T14:11:20.707\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)\"},{\"lang\":\"es\",\"value\":\"Una confusi\u00f3n de tipos en la versi\u00f3n 8 de Google Chrome anterior a la versi\u00f3n 138.0.7204.96 permit\u00eda a un atacante remoto realizar operaciones de lectura y escritura arbitrarias a trav\u00e9s de una p\u00e1gina HTML manipulada. (Severidad de seguridad de Chromium: Alta)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"cisaExploitAdd\":\"2025-07-02\",\"cisaActionDue\":\"2025-07-23\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Google Chromium V8 Type Confusion Vulnerability\",\"weaknesses\":[{\"source\":\"chrome-cve-admin@google.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-843\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"138.0.7204.96\",\"matchCriteriaId\":\"5A92F452-E80D-4C80-BE35-7CEC05DC959A\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2572D17-1DE6-457B-99CC-64AFD54487EA\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"138.0.7204.92\",\"matchCriteriaId\":\"A4D914DA-1710-47F0-BE81-741837318791\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"387021A0-AF36-463C-A605-32EA7DAC172E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"703AF700-7A70-47E2-BC3A-7FD03B3CA9C1\"}]}]}],\"references\":[{\"url\":\"https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html\",\"source\":\"chrome-cve-admin@google.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://issues.chromium.org/issues/427663123\",\"source\":\"chrome-cve-admin@google.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6554\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-6554\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-17T03:55:36.423228Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-07-02\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6554\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-07-02T00:00:00+00:00\", \"value\": \"CVE-2025-6554 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6554\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-01T13:04:16.742Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Google\", \"product\": \"Chrome\", \"versions\": [{\"status\": \"affected\", \"version\": \"138.0.7204.96\", \"lessThan\": \"138.0.7204.96\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html\"}, {\"url\": \"https://issues.chromium.org/issues/427663123\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-843\", \"description\": \"Type Confusion\"}]}], \"providerMetadata\": {\"orgId\": \"ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28\", \"shortName\": \"Chrome\", \"dateUpdated\": \"2025-06-30T21:14:14.799Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-6554\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T22:45:23.208Z\", \"dateReserved\": \"2025-06-23T22:30:37.836Z\", \"assignerOrgId\": \"ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28\", \"datePublished\": \"2025-06-30T21:14:14.799Z\", \"assignerShortName\": \"Chrome\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

SSA-365200

Vulnerability from csaf_siemens - Published: 2025-10-14 00:00 - Updated: 2026-01-13 00:00

Summary

SSA-365200: Google Chrome Type Confusion Vulnerability in Siemens Products

Notes

Summary: Multiple Siemens products are affected by a type confusion vulnerability in Google Chrome prior to 138.0.7204.96. This could allow a remote attacker to perform arbitrary code execution via a crafted HTML page. Siemens has released a new version for Industrial Edge App Publisher and recommends to update to the latest version. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.

General Recommendations: As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use: The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

CVE-2025-6554

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

6.6 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
HyperLynx Siemens / HyperLynx		vers:intdot/<2510.0001	Vendor Fix fix
Industrial Edge App Publisher Siemens / Industrial Edge App Publisher		vers:intdot/<1.23.5	Vendor Fix fix

References

2 references

URL	Category
https://cert-portal.siemens.com/productcert/html/…	self
https://cert-portal.siemens.com/productcert/csaf/…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Multiple Siemens products are affected by a type confusion vulnerability in Google Chrome prior to 138.0.7204.96. This could allow a remote attacker to perform arbitrary code execution via a crafted HTML page.\n\nSiemens has released a new version for Industrial Edge App Publisher and recommends to update to the latest version. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
        "title": "General Recommendations"
      },
      {
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "productcert@siemens.com",
      "name": "Siemens ProductCERT",
      "namespace": "https://www.siemens.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "SSA-365200: Google Chrome Type Confusion Vulnerability in Siemens Products - HTML Version",
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-365200.html"
      },
      {
        "category": "self",
        "summary": "SSA-365200: Google Chrome Type Confusion Vulnerability in Siemens Products - CSAF Version",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-365200.json"
      }
    ],
    "title": "SSA-365200: Google Chrome Type Confusion Vulnerability in Siemens Products",
    "tracking": {
      "current_release_date": "2026-01-13T00:00:00Z",
      "generator": {
        "engine": {
          "name": "Siemens ProductCERT CSAF Generator",
          "version": "1"
        }
      },
      "id": "SSA-365200",
      "initial_release_date": "2025-10-14T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-10-14T00:00:00Z",
          "legacy_version": "1.0",
          "number": "1",
          "summary": "Publication Date"
        },
        {
          "date": "2026-01-13T00:00:00Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Added remediation for HyperLynx"
        }
      ],
      "status": "interim",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:intdot/\u003c2510.0001",
                "product": {
                  "name": "HyperLynx",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "HyperLynx"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:intdot/\u003c1.23.5",
                "product": {
                  "name": "Industrial Edge App Publisher",
                  "product_id": "2"
                }
              }
            ],
            "category": "product_name",
            "name": "Industrial Edge App Publisher"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-6554",
      "cwe": {
        "id": "CWE-843",
        "name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)",
          "title": "Summary"
        },
        {
          "category": "summary",
          "text": "An attacker would need to modify local files and need access to the application in order to exploit",
          "title": "For HyperLynx"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to V1.23.5 or later version",
          "product_ids": [
            "2"
          ],
          "url": "https://docs.eu1.edge.siemens.cloud/develop_an_application/ieap/download_the_ie_ap.html"
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2510.0001 or later version",
          "product_ids": [
            "1"
          ],
          "url": "https://support.sw.siemens.com/product/861057060"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "2"
          ]
        },
        {
          "cvss_v3": {
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2025-6554"
    }
  ]
}

WID-SEC-W-2025-1436

Vulnerability from csaf_certbund - Published: 2025-06-30 22:00 - Updated: 2025-07-27 22:00

Summary

Google Chrome / Microsoft Edge: Schwachstelle ermöglicht Codeausführung

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Chrome ist ein Internet-Browser von Google. Edge ist ein Internet-Browser von Microsoft.

Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Google Chrome / Microsoft Edge ausnutzen, um beliebigen Programmcode auszuführen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2025-6554

Affected products

Known affected 9 products

Product	Identifier	Version
Open Source Grafana Synthetic Monitoring Agent <0.38.3 Open Source / Grafana		Synthetic Monitoring Agent <0.38.3
Open Source Grafana Image Renderer <3.12.9 Open Source / Grafana		Image Renderer <3.12.9
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
IGEL OS IGEL	`cpe:/o:igel:os:-`	—
Microsoft Edge <138.0.3351.65 Microsoft / Edge		<138.0.3351.65
Google Chrome <138.0.7204.96 Google / Chrome		<138.0.7204.96
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—
Google Chrome <138.0.7204.63 Android Google / Chrome		<138.0.7204.63 Android

References

14 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
http://chromereleases.googleblog.com/2025/06/stab…	external
https://chromereleases.googleblog.com/2025/06/chr…	external
https://learn.microsoft.com/en-us/deployedge/micr…	external
https://lists.debian.org/debian-security-announce…	external
https://www.cisa.gov/known-exploited-vulnerabilit…	external
https://kb.igel.com/security-safety/current/isn-2…	external
https://grafana.com/blog/2025/07/02/grafana-secur…	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://bodhi.fedoraproject.org/updates/FEDORA-EP…	external
https://bodhi.fedoraproject.org/updates/FEDORA-EP…	external
https://lists.opensuse.org/archives/list/security…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Chrome ist ein Internet-Browser von Google.\r\nEdge ist ein Internet-Browser von Microsoft.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Google Chrome / Microsoft Edge ausnutzen, um beliebigen Programmcode auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1436 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1436.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1436 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1436"
      },
      {
        "category": "external",
        "summary": "Chrome Stable Channel Update for Desktop vom 2025-06-30",
        "url": "http://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html"
      },
      {
        "category": "external",
        "summary": "Chrome for Android Update for Desktop vom 2025-06-30",
        "url": "https://chromereleases.googleblog.com/2025/06/chrome-for-android-update_30.html"
      },
      {
        "category": "external",
        "summary": "Release notes for Microsoft Edge Security Updates vom 2025-07-01",
        "url": "https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#july-1-2025"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5955 vom 2025-07-02",
        "url": "https://lists.debian.org/debian-security-announce/2025/msg00119.html"
      },
      {
        "category": "external",
        "summary": "CISA Known Exploited Vulnerabilities Catalog vom 2025-07-02",
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
      },
      {
        "category": "external",
        "summary": "IGEL Security Notice ISN-2025-26 vom 2025-07-02",
        "url": "https://kb.igel.com/security-safety/current/isn-2025-26-chromium-vulnerability-exploited-in-th"
      },
      {
        "category": "external",
        "summary": "Grafana Security Update vom 2025-07-02",
        "url": "https://grafana.com/blog/2025/07/02/grafana-security-update-critical-severity-security-release-for-cve-2025-5959-cve-2025-6554-cve-2025-6191-and-cve-2025-6192-in-grafana-image-renderer-plugin-and-synthetic-monitoring-agent/"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2025-87AF8315FF vom 2025-07-04",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-87af8315ff"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2025-C05AE72339 vom 2025-07-04",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2025-c05ae72339"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-EPEL-2025-4A1990D54D vom 2025-07-04",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-4a1990d54d"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-EPEL-2025-739B3D89C8 vom 2025-07-04",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-739b3d89c8"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:0232-1 vom 2025-07-27",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SRY3ON5ZRBRRZZGYMXR2GAV7A7USZXG6/"
      }
    ],
    "source_lang": "en-US",
    "title": "Google Chrome / Microsoft Edge: Schwachstelle erm\u00f6glicht Codeausf\u00fchrung",
    "tracking": {
      "current_release_date": "2025-07-27T22:00:00.000+00:00",
      "generator": {
        "date": "2025-07-28T08:00:57.994+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1436",
      "initial_release_date": "2025-06-30T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-06-30T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-07-01T22:00:00.000+00:00",
          "number": "2",
          "summary": "Microsoft Edge hnzugef\u00fcgt"
        },
        {
          "date": "2025-07-02T22:00:00.000+00:00",
          "number": "3",
          "summary": "Schwachstelle wird ausgenutzt"
        },
        {
          "date": "2025-07-03T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Fedora aufgenommen"
        },
        {
          "date": "2025-07-27T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von openSUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "5"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c138.0.7204.96",
                "product": {
                  "name": "Google Chrome \u003c138.0.7204.96",
                  "product_id": "T044967"
                }
              },
              {
                "category": "product_version",
                "name": "138.0.7204.96",
                "product": {
                  "name": "Google Chrome 138.0.7204.96",
                  "product_id": "T044967-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:google:chrome:138.0.7204.96"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c138.0.7204.63 Android",
                "product": {
                  "name": "Google Chrome \u003c138.0.7204.63 Android",
                  "product_id": "T044970"
                }
              },
              {
                "category": "product_version",
                "name": "138.0.7204.63 Android",
                "product": {
                  "name": "Google Chrome 138.0.7204.63 Android",
                  "product_id": "T044970-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:google:chrome:138.0.7204.63::android"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Chrome"
          }
        ],
        "category": "vendor",
        "name": "Google"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IGEL OS",
            "product": {
              "name": "IGEL OS",
              "product_id": "T017865",
              "product_identification_helper": {
                "cpe": "cpe:/o:igel:os:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "IGEL"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c138.0.3351.65",
                "product": {
                  "name": "Microsoft Edge \u003c138.0.3351.65",
                  "product_id": "T044976"
                }
              },
              {
                "category": "product_version",
                "name": "138.0.3351.65",
                "product": {
                  "name": "Microsoft Edge 138.0.3351.65",
                  "product_id": "T044976-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:edge:138.0.3351.65"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Edge"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Image Renderer \u003c3.12.9",
                "product": {
                  "name": "Open Source Grafana Image Renderer \u003c3.12.9",
                  "product_id": "T045007"
                }
              },
              {
                "category": "product_version",
                "name": "Image Renderer 3.12.9",
                "product": {
                  "name": "Open Source Grafana Image Renderer 3.12.9",
                  "product_id": "T045007-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:grafana:grafana:image_renderer__3.12.9"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Synthetic Monitoring Agent \u003c0.38.3",
                "product": {
                  "name": "Open Source Grafana Synthetic Monitoring Agent \u003c0.38.3",
                  "product_id": "T045008"
                }
              },
              {
                "category": "product_version",
                "name": "Synthetic Monitoring Agent 0.38.3",
                "product": {
                  "name": "Open Source Grafana Synthetic Monitoring Agent 0.38.3",
                  "product_id": "T045008-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:grafana:grafana:synthetic_monitoring_agent__0.38.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Grafana"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-6554",
      "product_status": {
        "known_affected": [
          "T045008",
          "T045007",
          "2951",
          "T017865",
          "T044976",
          "T044967",
          "T027843",
          "74185",
          "T044970"
        ]
      },
      "release_date": "2025-06-30T22:00:00.000+00:00",
      "title": "CVE-2025-6554"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-6554 (GCVE-0-2025-6554)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

SSA-365200

WID-SEC-W-2025-1436

Tags

Sightings

Nomenclature