
CVE-2025-9867: Inappropriate implementation in Google Chrome

Medium
Published: Wed Sep 03 2025 (09/03/2025, 16:17:48 UTC)
Source: CVE Database V5
Vendor/Project: Google
Product: Chrome

Description

Inappropriate implementation in Downloads in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

AI-Powered Analysis

Last updated: 09/03/2025, 16:47:49 UTC

Technical Analysis

CVE-2025-9867 is a vulnerability in the Downloads component of Google Chrome on Android, affecting versions prior to 140.0.7339.80. The flaw is an inappropriate implementation in the Downloads feature that lets a remote attacker perform UI spoofing via a crafted HTML page. UI spoofing deceives the user by presenting browser interface elements that do not reflect what the browser is actually doing, so that the user can be led to enter sensitive information or accept a download they would otherwise refuse. The attacker needs no authentication or elevated privileges; the only interaction required is that the victim load the attacker's page in a vulnerable build of Chrome. The Chromium security team rated the issue Medium, which is typical for the UI-spoofing class, but spoofing of this kind is a useful first stage in social engineering and phishing chains. No exploitation in the wild was known at publication, and no CVSS score has been assigned. The description scopes the bug to Chrome on Android; desktop and iOS Chrome are not listed as affected. This source records no patch link or Chromium bug reference, but the version boundary in the description identifies 140.0.7339.80 as the first fixed release.

Potential Impact

For European organizations, this vulnerability poses a moderate risk, mainly through social engineering and phishing campaigns aimed at employees who browse on Android devices running outdated Chrome builds. Successful exploitation could deceive users into divulging credentials, installing malware, or performing unauthorized actions. The bug itself does not give code execution or data exfiltration, but by making a malicious page look legitimate it lowers user suspicion and makes follow-on attacks more likely to succeed. Given the widespread use of Chrome on Android across Europe, especially in mobile-first or bring-your-own-device (BYOD) environments, the exposure is largest in sectors that rely heavily on mobile communications, such as finance, healthcare, and government. The absence of known exploits in the wild reduces the immediate threat but not the risk of future exploitation, and the Medium rating means the issue should still be closed promptly to cut off exploitation chains that could end in a significant breach.

Mitigation Recommendations

Mitigation for this issue comes down to getting the fixed build onto devices and shrinking the window in which users can be deceived. First, update Chrome on every Android device used for work to 140.0.7339.80 or later; Chrome on Android updates through Google Play, so use mobile device management (MDM) to enforce a minimum app version and to report devices that lag behind. Second, educate users about UI spoofing and encourage them to verify URLs and download sources before interacting with download prompts or unfamiliar pages. Third, apply network-level protections such as web filtering and URL reputation services to block known malicious sites that could host crafted pages. Fourth, consider endpoint security tooling that detects phishing and social engineering attempts. Finally, track Google's Chrome release notes for further fixes and feed Chrome version data from managed devices into vulnerability scanning. When checking versions, rely on device inventory rather than HTTP User-Agent strings: current Chrome reduces the User-Agent to the major version (for example Chrome/140.0.0.0), so a proxy log cannot distinguish 140.0.7339.80 from an earlier 140 build, and version strings must be compared numerically rather than as text.
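As an added illustration of the version check recommended above (example code written for this page, not code from Google or from the original advisory), the following Python compares Chrome for Android version strings against the fixed build numerically, extracts versions from `adb shell dumpsys package com.android.chrome` output and from User-Agent strings, and reports a reduced User-Agent such as Chrome/140.0.0.0 as inconclusive rather than patched. The sample User-Agent strings and dumpsys output are constructed, and the list of tokens used to exclude other Chromium-based Android browsers is an assumption.

```python
import re
from typing import Optional, Tuple

# First fixed Chrome for Android build, from the CVE-2025-9867 description.
FIXED_VERSION = "140.0.7339.80"

# Tokens that mark other Chromium-based Android browsers, which also carry a
# "Chrome/" token but are not Google Chrome (assumed list, not from the advisory).
OTHER_CHROMIUM_TOKENS = ("SamsungBrowser/", "EdgA/", "OPR/")

UA_RE = re.compile(r"\bChrome/(\d+(?:\.\d+){3})\b")
DUMPSYS_RE = re.compile(r"^\s*versionName=(\d+(?:\.\d+){3})\s*$", re.M)


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version into a tuple of ints so comparisons are
    numeric: as text, "99.0.4844.88" would sort above "140.0.7339.80"."""
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {s!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version < fixed, False if version >= fixed.
    Returns None for a reduced version (major.0.0.0, as seen in modern
    User-Agent strings) whose major equals the fixed major: the build number
    is unknown, so the check is inconclusive."""
    v, f = parse_version(version), parse_version(fixed)
    if v[0] != f[0]:
        return v[0] < f[0]
    if v[1:] == (0, 0, 0):
        return None
    return v < f


def version_from_user_agent(ua: str) -> Optional[str]:
    """Extract the Chrome version from an Android Google Chrome User-Agent.
    Returns None for desktop Chrome, iOS Chrome (CriOS/) and other
    Chromium-based Android browsers."""
    if "Android" not in ua or any(t in ua for t in OTHER_CHROMIUM_TOKENS):
        return None
    m = UA_RE.search(ua)
    return m.group(1) if m else None


def version_from_dumpsys(output: str) -> Optional[str]:
    """Extract versionName from `adb shell dumpsys package com.android.chrome`."""
    m = DUMPSYS_RE.search(output)
    return m.group(1) if m else None


def classify(version: Optional[str]) -> str:
    """Map a version (or None when no Android Chrome version was found) to a verdict."""
    if version is None:
        return "not_android_chrome"
    verdict = is_vulnerable(version)
    if verdict is None:
        return "inconclusive"
    return "vulnerable" if verdict else "patched"


# Constructed sample inputs (not real captures).
SAMPLE_UAS = {
    "android_old": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/139.0.7258.158 Mobile Safari/537.36",
    "android_reduced": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/140.0.0.0 Mobile Safari/537.36",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) CriOS/139.0.7258.76 Mobile/15E148 Safari/604.1",
    "samsung": "Mozilla/5.0 (Linux; Android 14; SAMSUNG SM-S928B) AppleWebKit/537.36 "
               "(KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36",
}

SAMPLE_DUMPSYS = """Packages:
  Package [com.android.chrome] (a1b2c3d):
    userId=10123
    versionName=140.0.7339.80
"""


def audit_samples() -> dict:
    """Run every constructed sample through the classifier."""
    results = {name: classify(version_from_user_agent(ua)) for name, ua in SAMPLE_UAS.items()}
    results["dumpsys"] = classify(version_from_dumpsys(SAMPLE_DUMPSYS))
    return results


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:16} {verdict}")
```

The reduced User-Agent case is the one that bites in practice: a proxy log showing Chrome/140.0.0.0 only tells you the device is on the 140 line, and whether it has reached 140.0.7339.80 has to come from MDM or an adb inventory of the installed package.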


Technical Details

Data Version: 5.1
Assigner Short Name: Chrome
Date Reserved: 2025-09-02T18:36:22.828Z
CVSS Version: none (no CVSS score assigned at publication)
State: PUBLISHED

Threat ID: 68b86daead5a09ad00f83492

Added to database: 9/3/2025, 4:32:46 PM

Last enriched: 9/3/2025, 4:47:49 PM

Last updated: 9/4/2025, 6:00:28 PM
