CVE-2024-9680

critical

Description

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.

References

https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

https://www.theregister.com/2025/08/11/russias_romcom_among_those_exploiting/

https://www.infosecurity-magazine.com/news/winrar-zero-day-exploited-romcom/

https://www.bleepingcomputer.com/news/security/details-emerge-on-winrar-zero-day-attacks-that-infected-pcs-with-malware/

https://www.infosecurity-magazine.com/news/russian-apt-intensify-cyber/

https://thehackernews.com/2025/04/google-reports-75-zero-days-exploited.html

https://therecord.media/firefox-sandbox-vulnerability-similar-chrome-zero-day

https://www.bleepingcomputer.com/news/security/mozilla-warns-windows-users-of-critical-firefox-sandbox-escape-flaw/

https://www.helpnetsecurity.com/2024/11/26/romcom-backdoor-cve-2024-9680-cve-2024-49039/

https://www.bleepingcomputer.com/news/security/firefox-and-windows-zero-days-exploited-by-russian-romcom-hackers/

https://thehackernews.com/2024/11/romcom-exploits-zero-day-firefox-and.html

https://www.bleepingcomputer.com/news/security/solarwinds-web-help-desk-flaw-is-now-exploited-in-attacks/

https://www.securityweek.com/recent-firefox-zero-day-exploited-against-tor-browser-users/

https://therecord.media/recently-patched-firefox-bug-being-used-against-tor-browser-users

https://therecord.media/mozilla-fixes-critical-firefox-bug-exploited-by-hackers

https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.html

https://securityaffairs.com/169590/security/mozilla-firefox-actively-exploited-flaw.html

https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-zero-day-actively-exploited-in-attacks/

Details

Source: MITRE, NVD

Published: 2024-10-09

Updated: 2024-11-26

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.09511