June 11, 2025

MultiApp-MultiCVE-2025-4609-4664


Lookout Coverage and Recommendation for Admins

Lookout customers will see them tracked as MultiApp-MultiCVE-2025-4609-4664 in their administrator console. To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:

  • Enable the Application Vulnerability policy, which detects when a vulnerable app version is installed on the device.
  • Lookout will publish coverage on June 5th 2025, after which alerts will be generated based on the admin's risk, response, and escalation setup.
  • Any device with vulnerable versions of Chrome (below 136.0.7103.125) or Edge (below 136.0.3240.76) will receive an alert if detected after that date.
  • Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities.
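The version thresholds in the steps above can also be checked against an app inventory exported from an MDM. The script below is an added example, not Lookout's code and not how the Lookout console performs the check; it assumes the Android package ids com.android.chrome for Chrome and com.microsoft.emmx for Edge and runs over a constructed sample inventory.

```python
"""Flag Chrome / Edge installs below the fixed versions named in this guidance.

Added example, not Lookout's code. The package ids are assumptions for the
Android builds of Chrome (com.android.chrome) and Edge (com.microsoft.emmx).
"""
from typing import Iterable, List, Tuple

# Minimum patched versions quoted in the guidance above.
PATCHED = {
    "com.android.chrome": "136.0.7103.125",  # Google Chrome on Android
    "com.microsoft.emmx": "136.0.3240.76",   # Microsoft Edge on Android
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '136.0.7103.125' into (136, 0, 7103, 125)."""
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable(package: str, installed: str) -> bool:
    """True when the installed version is strictly below the patched version.

    Apps this guidance does not cover are never flagged.
    """
    patched = PATCHED.get(package)
    if patched is None:
        return False
    a, b = parse_version(installed), parse_version(patched)
    # Right-pad with zeros so a short string like '136.0' compares as 136.0.0.0.
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_vulnerable(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory rows are (device_id, package, version); returns the rows to alert on."""
    return [(dev, pkg, ver) for dev, pkg, ver in inventory if is_vulnerable(pkg, ver)]


# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = [
    ("dev-001", "com.android.chrome", "136.0.7103.125"),  # patched
    ("dev-002", "com.android.chrome", "136.0.7103.92"),   # vulnerable
    ("dev-003", "com.microsoft.emmx", "136.0.3240.76"),   # patched
    ("dev-004", "com.microsoft.emmx", "135.0.3179.98"),   # vulnerable
    ("dev-005", "org.mozilla.firefox", "138.0.1"),        # out of scope
]

if __name__ == "__main__":
    for dev, pkg, ver in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{dev}: {pkg} {ver} is below the patched version {PATCHED[pkg]}")
```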

Overview

Google has recently disclosed two critical vulnerabilities in its Chrome web browser. CVE-2025-4609 is described as a high-severity vulnerability in Chrome's Mojo IPC system. It involves incorrect handle usage under unspecified conditions, potentially creating a security loophole. Meanwhile, CVE-2025-4664 is a critical zero-day vulnerability that is actively exploited in the wild. It involves insufficient policy enforcement in the Chromium Loader, a component also used in Microsoft Edge. A remote attacker could exploit the security defect to leak cross-origin data via a maliciously crafted HTML page. Google Chrome on Android is patched in versions 136.0.7103.125 and above. Microsoft Edge is patched in versions 136.0.3240.76 and above.

Lookout Analysis

Vulnerabilities like these can have an outsized impact on mobile fleets, especially when they exist in everyday apps such as mobile browsers. In addition to gaining remote access to vulnerable devices, successful browser exploits frequently give the attacker the same permissions the browser itself holds on the device.

Each of the disclosed vulnerabilities can be exploited via a maliciously crafted webpage, which means that attackers can deliver them as URLs in the same way they would deliver phishing attacks on mobile devices. This means they would likely socially engineer an individual through SMS, iMessage, WhatsApp, Telegram, Instagram, LinkedIn, or any of the countless messaging and social media apps on mobile devices. A successful attack could lead to continued data leakage and risk for enterprise organizations.

Authors

Lookout

Endpoint Security
Threat Type: Vulnerability
Entry Type: Threat Guidances
Platform(s) Affected: iOS, Android