UPDATED: Zero-Day RCE Vulnerabilities Released for Mozilla Firefox

UPDATE (3/7/2022): CISA has added both vulnerabilities to the Known Exploited Vulnerabilities catalog, and notes “These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”

CISA is requiring all FCEB agencies to patch both Firefox vulnerabilities by March 21, just two weeks from today. CISA also urges all organizations to reduce their exposure to cyberattacks by prioritizing remediation of cataloged vulnerabilities.


Mozilla released an out-of-band patch for Firefox that addresses two critical vulnerabilities (CVE-2022-26485 and CVE-2022-26486). Both are actively exploited in the wild as zero-days. Both are use-after-free issues in the browser’s XSLT processing and WebGPU IPC frameworks, respectively.

The first vulnerability is being exploited to enable remote code execution, allowing attackers to run code on a target system to run malware or other code from a malicious website. The second vulnerability is used for sandbox escape. Together, these vulnerabilities allow the attacker to escape the security confines from the browser and exploit the target system fully.

Given this is an actively exploited zero-day, it’s recommended that IT admins prioritize patching this vulnerability within 24 hours to reduce exposure to malicious actors.

Recommended Remediation

The first vulnerability is already being exploited in the wild. The second can be used in concert with other RCEs to introduce malware, bypassing security protections. These vulnerabilities are fixed in the following versions: Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3, Focus 97.3, and Thunderbird 91.6.2, so we suggest you update quickly to eliminate risk.

All of the above software should be patched immediately. For Firefox, Firefox ESR, and Thunderbird, you can fix vulnerabilities fast with Automox by using a patch-all policy for Windows and Mac (which will patch every third-party software we support on these OSes). Patch all policies ensure you fix vulnerabilities fast in the most common and highest risk applications in your environment.

We recommend you set up these policies on a recurring schedule to eliminate your immediate and future risk, as not all distributions have released patches as of Monday morning.


  1. Where can I find information about CISA’s recent “Shields Up” guidance for organizations?

  2. Can you point me to other pressing vulnerabilities to remediate?

  3. Where can I read about patching my system against state-sponsored cyber attack operations?

    Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.

Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.

Dive deeper into this topic

loading...