Microsoft Edge Security Update July 2025 | Chromium 0-Day CVE-2025-6554 Fixed

Microsoft has patched a critical 0-day Chromium vulnerability (CVE-2025-6554) actively exploited in the wild. Learn how Edge users can protect themselves with version 138.0.3351.65.

Microsoft has released an emergency update for its Edge browser, addressing a critical zero-day vulnerability that’s already being used in real-world cyberattacks. The newly released Edge Stable Channel version 138.0.3351.65 (as of July 1, 2025) includes security fixes inherited from Chromium, notably CVE-2025-6554, and an Edge-specific issue tracked as CVE-2025-49713.

These vulnerabilities present high-severity risks, including the possibility of arbitrary code execution, making it essential for all users to update immediately.

What Is the Chromium Vulnerability (CVE-2025-6554)?

The core vulnerability patched in this Edge release is CVE-2025-6554, a type confusion flaw found in the V8 JavaScript engine, which is used by Chromium-based browsers like Google Chrome, Microsoft Edge, and Opera.

This flaw allows attackers to manipulate memory via crafted HTML pages, enabling them to execute arbitrary read/write operations on the victim's machine.

Why It Matters:

  • The vulnerability is already being exploited in the wild.

  • It impacts not just Edge, but all Chromium-based browsers.

  • Users who visit malicious websites with outdated versions of the browser could become victims of full system compromise.

What Is the Edge-Specific Vulnerability (CVE-2025-49713)?

In addition to CVE-2025-6554, Microsoft patched CVE-2025-49713, a flaw specific to Microsoft Edge’s proprietary features. Although Microsoft hasn’t disclosed the full technical details, it’s rated high severity with a CVSS score of 8.8, suggesting serious exploitation potential.

Technical Overview of the Two CVEs

| CVE ID | Affected Component | Description | Impact | CVSS Score |
|---|---|---|---|---|
| CVE-2025-6554 | Chromium V8 engine | Type confusion vulnerability enabling remote code execution | Arbitrary read/write | 8.1 (High) |
| CVE-2025-49713 | Microsoft Edge-specific | Proprietary implementation flaw in Edge | Unknown execution path risk | 8.8 (High) |

Why Is This Patch Critical?

Zero-day vulnerabilities like CVE-2025-6554 are high-value tools for attackers because they can be exploited before a fix is available. These are often used in:

  • Targeted attacks against enterprises and government agencies

  • Mass drive-by downloads from malicious websites

  • Credential harvesting and malware delivery

The presence of confirmed in-the-wild exploitation means attackers are actively using this vulnerability to breach systems right now.

How to Update Microsoft Edge

Microsoft recommends that all users update to version 138.0.3351.65 or later. To check your version:

  1. Open Edge

  2. Go to edge://settings/help

  3. If an update is available, it will begin installing automatically

Once installed, restart your browser to apply the changes. The update process is fast and requires no technical skills.
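For administrators who need to verify the same thing across many endpoints rather than clicking through edge://settings/help, here is an added PowerShell check (not part of the original article or of Microsoft's tooling) that reads the installed Edge build and compares it with the fixed version 138.0.3351.65. It assumes a Windows host with Edge installed in its default per-machine folder; the registry and file paths are standard Edge locations, not values from this article.

```powershell
# Added example: report whether the installed Microsoft Edge build is at or
# above the release that fixes CVE-2025-6554 and CVE-2025-49713.
# Assumes Windows and a per-machine Edge install in the default folder.

$FixedVersion = [version]'138.0.3351.65'

function Get-EdgeVersion {
    # Read the product version stamped on msedge.exe (32-bit and 64-bit paths).
    $candidates = @(
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
        "${env:ProgramFiles}\Microsoft\Edge\Application\msedge.exe"
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $raw = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
            return ($raw -as [version])   # $null if the string is not a version
        }
    }
    return $null                          # Edge not found in default locations
}

function Test-EdgePatched {
    # True when the installed version is at or above the fixed release.
    param(
        [Parameter(Mandatory)][version]$Installed,
        [version]$Fixed = $FixedVersion
    )
    return ($Installed -ge $Fixed)
}

# Emit one object per host so results can be collected and filtered centrally.
$installed = Get-EdgeVersion
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Installed = if ($installed) { $installed.ToString() } else { 'not found' }
    Fixed     = $FixedVersion.ToString()
    Patched   = if ($installed) { Test-EdgePatched -Installed $installed } else { $false }
}
```

Run it through Invoke-Command or your endpoint management tool and filter on `Patched -eq $false` to list the hosts that still need the update.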

Who Is at Risk?

  • All Microsoft Edge users who have not yet updated

  • Users of Chromium-based browsers, including Opera and Brave, if they haven’t received the Chromium fix yet

  • Any individual or organization that accesses unknown websites, particularly from email links or phishing campaigns

How Can Attackers Exploit This?

The attack method involves:

  • Hosting a malicious HTML page

  • Triggering a type confusion error in the JavaScript engine

  • Gaining control over system memory

  • Injecting or executing arbitrary code

This could lead to:

  • System takeover

  • Data exfiltration

  • Malware installation

Key Takeaways

  • Two major vulnerabilities patched in Microsoft Edge

  • CVE-2025-6554 is being exploited in the wild

  • Immediate update is strongly advised for all users

  • Both individual users and enterprises must act to secure their systems

Conclusion

This update is not just routine maintenance—it’s a defensive firewall against active cyber threats. Delaying the patch could leave systems open to zero-day attacks, which are notoriously hard to detect and often devastating in their impact.

Microsoft has acted quickly in response to the Chromium discovery, and it's now up to users and system admins to follow through with immediate patching.

If you manage a network or IT infrastructure, consider automating updates, enabling browser isolation, and enforcing web content filtering to further reduce the risk of future browser-based attacks.

FAQs

What is CVE-2025-6554 in Microsoft Edge?

CVE-2025-6554 is a critical zero-day vulnerability in the Chromium V8 engine that allows attackers to perform arbitrary read/write operations through malicious HTML content.

Is the Chromium vulnerability being actively exploited?

Yes, both Google and Microsoft confirmed that the CVE-2025-6554 vulnerability is currently being used in real-world attacks.

Which browsers are affected by CVE-2025-6554?

Chromium-based browsers such as Microsoft Edge, Google Chrome, Opera, Brave, and others are affected.

What version of Edge fixes the vulnerability?

Microsoft Edge version 138.0.3351.65 includes the critical patch for CVE-2025-6554.

How can I check my Microsoft Edge version?

Open Edge, navigate to edge://settings/help, and your version will be displayed there. It will auto-update if needed.

What is CVE-2025-49713?

CVE-2025-49713 is a Microsoft Edge-specific vulnerability patched in the same update, with a CVSS score of 8.8.

What is a zero-day vulnerability?

A zero-day vulnerability is a software flaw discovered and exploited by attackers before the vendor releases a fix.

Is manual updating required for Edge?

No, Edge typically auto-updates, but you can force the update by going to edge://settings/help.

Can attackers gain full control using this exploit?

Yes, attackers may execute arbitrary code on your system if you visit a malicious website using an unpatched browser.

Are other Chromium-based browsers patched?

Most vendors are expected to release or have already released patches. Users should check official announcements from their browser providers.

Should enterprises prioritize this patch?

Absolutely. Enterprise environments should immediately deploy Edge version 138.0.3351.65 across all managed devices.

What is the CVSS score of the vulnerability?

CVE-2025-6554 has a CVSS v3.1 base score of 8.1, indicating high severity.

Was financial data compromised?

There are no reports of financial data exposure, but attackers may access sensitive user data via browser exploitation.

Is antivirus software enough to protect against this?

Antivirus helps but will not stop zero-day browser exploits. Updating the browser is essential.

What is Microsoft’s official fix?

Microsoft included patches from the Chromium team and additional Edge fixes in version 138.0.3351.65.

Does the update require restarting the browser?

Yes, after the update is installed, restarting Edge ensures the patch is active.

Can this exploit be used in phishing attacks?

Yes. Attackers may use phishing emails to lure users to malicious websites exploiting this flaw.

Is this the first time Edge faced a zero-day exploit?

No, but this is among the few vulnerabilities confirmed to be actively exploited at the time of discovery.

What should IT admins do now?

Immediately push the latest Edge version to all endpoints and verify patch compliance across the environment.

Is the Chromium V8 engine used in other apps?

Yes, some Electron-based applications also use Chromium; developers should verify their software isn’t exposed.

Will older versions of Edge receive the patch?

Only supported versions will receive updates. Unsupported builds must be updated manually.

Can this be used to steal passwords?

Yes, with memory access, attackers could potentially access saved credentials or manipulate browser behavior.

How often should browsers be updated?

Ideally, enable auto-updates. Check browser settings weekly to ensure you have the latest version.

Is Chrome affected the same way?

Yes, Chrome uses the same Chromium engine. Google has already issued a patch for Chrome.

What is a type confusion vulnerability?

It’s a bug where software misinterprets the type of a data structure in memory, which attackers can exploit to run malicious code.

How do I know if I’ve been targeted?

You may not immediately know. Look out for strange browser behavior, unknown extensions, or pop-ups.

What should individual users do?

Update Microsoft Edge now, avoid suspicious websites, and consider enabling browser sandboxing.

Is Microsoft investigating the origin of the attacks?

Yes, Microsoft is working with researchers and the security community to track ongoing exploits.

Do mobile versions of Edge need updating?

Yes, Android and iOS versions also use Chromium components and should be updated via app stores.

Can ransomware be deployed through this?

Potentially, yes. Exploiting the browser vulnerability could be the entry point for a ransomware infection.

How can I reduce future risks?

Enable automatic browser updates, run endpoint protection tools, and avoid clicking unknown links.
