A critical zero-day vulnerability in Google Chrome is being actively exploited, prompting a nationwide warning from the National Computer Emergency Response Team (CERT). The flaw affects all desktop platforms (Windows, macOS, and Linux) and allows attackers to take full control of a system when a user simply visits a malicious website.
According to the advisory (NCA-52.121225), the vulnerability enables remote code execution (RCE) with no user interaction beyond loading a webpage. Analysts warn that attackers could bypass Chrome’s sandbox protections, deploy malware, steal sensitive data, and fully compromise affected systems.
The attack stands out for several reasons. It was observed in the wild before public disclosure, meaning hackers exploited it as a zero-day. Its low complexity allows attacks without credentials or special privileges. The potential impact is severe, with full system compromise possible. Chrome’s widespread use for browsing untrusted websites further amplifies the threat.
The vulnerability has been assigned a CVSS score of 9.8 (Critical), placing it among the most serious browser security flaws in recent years.
These signs could indicate an active attack.
The National CERT has issued clear guidance to mitigate risks:
For systems that cannot be patched immediately, users should avoid untrusted websites, disable non-essential extensions, and conduct risky browsing in sandboxed or restricted environments.
This zero-day is not hypothetical. Active exploitation is already occurring, putting unpatched systems at high risk. Prompt updates are the only reliable defense against this Chrome vulnerability. Failure to act could result in widespread malware deployment, data theft, and complete system compromise.