Firefox and Windows zero days chained to deliver the RomCom backdoor

ESET researchers have uncovered two previously unknown vulnerabilities in several Mozilla products and in Windows, with both flaws under active exploitation by RomCom, a Russia-aligned group known for opportunistic campaigns against selected business verticals and targeted espionage operations alike.

• CVE-2024-9680 is a use-after-free bug that allows vulnerable versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context of the browser. Mozilla patched the vulnerability on October 9^th, 2024.
• CVE‑2024‑49039 is a privilege escalation bug in Windows that allows code to run outside of Firefox’s sandbox. Microsoft released a patch for this second vulnerability on November 12^th, 2024.

Chaining the two flaws allows bad actors to run arbitrary code in the context of the logged-in user – and without any user interaction required in a so-called zero-click attack. In campaigns observed by ESET, this led to the installation of RomCom’s eponymous backdoor on the victim’s computer. The backdoor can execute commands and download additional modules to the victim’s machine.

What exactly does the compromise chain involve and what else is there to know about the vulnerabilities and the exploits abusing them? Find out inthe video by ESET Chief Security Evangelist Tony Anscombe and be sure to also read the full blogpost.