Security researcher awarded $250,000 for Chrome sandbox escape vulnerability

Date: 13/08/2025

A security researcher going by the handle Micky received a record payout from Google. The specialist discovered a bug in Chrome that allows bypassing the browser’s sandbox and earned $250,000 through the bug bounty program.

The vulnerability, assigned CVE-2025-4609, was discovered back in April 2025. It was fixed in mid-May with the release of Chrome 136, and also in other Chromium-based browsers such as Edge, Opera, Vivaldi, and Brave. Google developers have now disclosed the details.

The bug affected the ipcz Mojo library — a Chrome component that manages communication between the browser’s internal processes.

Google specialists classified the issue as high severity. They describe CVE-2025-4609 as a “very complex logical bug,” and characterize the researcher’s report as high quality, with solid analysis, noting that it included a working exploit to demonstrate a sandbox escape.

According to the researcher himself, his PoC exploit made it possible to bypass the sandbox and execute a system command (to demonstrate the issue, he launched the calculator) with a success rate of 70–80%. In essence, Micky found a way to manipulate Chrome’s internal processes and duplicate the browser’s parent process in order to run malicious code.

As a rule, exploiting such vulnerabilities requires the victim to visit a malicious site using a vulnerable version of Chrome.

It is worth noting that $250,000 is the maximum amount Google is willing to pay for Chrome sandbox escape vulnerabilities. Moreover, such a payout can only be expected if the bug report is of the highest quality and includes a demonstration of remote code execution.

The reward received by Micky is one of the largest payouts in Google’s bug bounty program to date, second only to the $605,000 award paid in 2022 to the security researcher known as gzobqq for a series of five Android vulnerabilities.
