CVE-2025-11213: Inappropriate implementation in Google Chrome
Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)
AI Analysis
Technical Summary
CVE-2025-11213 is a security vulnerability identified in the Omnibox feature of Google Chrome on Android devices running versions prior to 141.0.7390.54. The Omnibox is the combined address and search bar in Chrome, responsible for displaying URLs and search queries. The vulnerability stems from an inappropriate implementation that allows a remote attacker to craft a malicious HTML page which, when visited by a user who performs specific UI gestures, can cause the Omnibox to display a spoofed domain. This domain spoofing can deceive users into believing they are visiting a legitimate website when they are not, increasing the risk of phishing and credential theft. Exploitation requires the attacker to lure the user to the malicious page and convince them to perform certain gestures, indicating user interaction is necessary. No authentication is required to exploit this vulnerability, but the attack vector relies heavily on social engineering. The vulnerability does not currently have a CVSS score, but Chromium has assigned it a medium severity rating. There are no known exploits in the wild at the time of publication. The vulnerability affects only the Android version of Chrome prior to 141.0.7390.54, and Google has presumably released a fixed version in 141.0.7390.54 or later. The lack of a CVSS score limits precise severity quantification, but the nature of domain spoofing combined with user interaction suggests a moderate risk profile.
Potential Impact
For European organizations, the primary impact of CVE-2025-11213 lies in the increased risk of phishing attacks and social engineering campaigns targeting employees and customers using Chrome on Android devices. Successful exploitation could lead to credential theft, unauthorized access to sensitive systems, and potential data breaches. Organizations with mobile-first workforces or those relying heavily on Chrome for Android for accessing corporate resources are particularly vulnerable. The domain spoofing could undermine user trust in legitimate communications and websites, potentially causing reputational damage and financial losses. Since the attack requires user interaction, the impact is somewhat mitigated by user awareness but remains significant given the widespread use of Chrome on Android in Europe. The vulnerability could also be leveraged in targeted attacks against sectors such as finance, government, and critical infrastructure, where phishing is a common initial attack vector. Overall, the threat could disrupt confidentiality and integrity of user credentials and data, though it does not directly impact system availability.
Mitigation Recommendations
European organizations should immediately ensure that all Chrome installations on Android devices are updated to version 141.0.7390.54 or later, where the vulnerability is patched. Mobile device management (MDM) solutions should be used to enforce timely updates and restrict installation of outdated browser versions. User training programs should emphasize caution when interacting with unfamiliar web pages and performing unusual UI gestures, highlighting the risks of domain spoofing. Implementing multi-factor authentication (MFA) can reduce the impact of credential theft resulting from phishing. Organizations should monitor for phishing campaigns exploiting domain spoofing techniques and employ email filtering and web gateway solutions to block malicious URLs. Security teams should review and enhance incident response plans to quickly address potential phishing incidents. Additionally, consider deploying browser security extensions or enterprise policies that limit navigation to trusted domains or warn users about suspicious URLs. Regular security awareness campaigns tailored to mobile device usage can further reduce exploitation likelihood.
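As an added example (not part of the original advisory), the sketch below audits a device inventory against the fixed build 141.0.7390.54 named above. The CSV column names, device ids and sample version strings are constructed for illustration; adapt them to whatever your MDM actually exports.

```python
import csv
import io

FIXED = (141, 0, 7390, 54)  # first fixed Chrome for Android build, per the advisory

# Constructed sample of an MDM inventory export; column names are assumptions.
SAMPLE_INVENTORY = """device_id,platform,browser,version
dev-001,android,chrome,141.0.7390.54
dev-002,android,chrome,140.0.7339.207
dev-003,android,chrome,141.0.7390.9
dev-004,ios,chrome,140.0.7339.101
dev-005,android,chrome,unknown
dev-006,android,chrome,142.0.7444.48
"""


def parse_version(text):
    """Return a 4-tuple of ints for 'MAJOR.MINOR.BUILD.PATCH', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(row):
    """Return 'out_of_scope', 'patched', 'vulnerable' or 'unknown' for one row."""
    if row["platform"].lower() != "android" or row["browser"].lower() != "chrome":
        return "out_of_scope"  # the advisory covers Chrome on Android only
    version = parse_version(row["version"])
    if version is None:
        return "unknown"  # unparseable version: needs a manual check, not a pass
    # Tuple comparison is numeric per component, so 7390.9 sorts below 7390.54
    # (a plain string comparison would get this wrong).
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory_csv):
    """Map each status to the list of device ids that fall under it."""
    report = {"patched": [], "vulnerable": [], "unknown": [], "out_of_scope": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row)].append(row["device_id"])
    return report


if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices reported as `unknown` should be treated as unpatched until their version is confirmed.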
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Chrome
- Date Reserved: 2025-09-30T21:50:13.738Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 690d1f60a155e591f58b659e
Added to database: 11/6/2025, 10:21:20 PM
Last enriched: 11/6/2025, 10:29:06 PM
Last updated: 11/7/2025, 5:20:51 AM