Critical Mozilla Firefox & Thunderbird Vulnerabilities Allow Arbitrary Code Execution
What Happened — Mozilla disclosed multiple CVEs affecting Firefox, Firefox ESR, Thunderbird and Thunderbird ESR that could enable arbitrary code execution via drive‑by compromise or sandbox escape. The most severe flaws allow an attacker to run code with the privileges of the compromised user, potentially installing programs, modifying data, or creating new admin accounts.
Why It Matters for TPRM —
- High‑severity flaws in widely deployed browsers and email clients create a direct attack surface on third‑party endpoints.
- Exploitation could lead to credential theft, data exfiltration, or lateral movement within a partner’s network.
- Unpatched versions remain in use across government, enterprise and SaaS environments, increasing supply‑chain risk.
Who Is Affected — Large and medium government agencies, large and medium enterprises, and any organization that permits Firefox or Thunderbird use on employee workstations (including MSP‑managed environments).
Recommended Actions —
- Verify that all endpoints run Firefox 150.0.1 or later and Thunderbird 150.0.1 or later (or the corresponding ESR releases).
- Prioritize patching for privileged accounts and systems handling sensitive data.
- Review browser hardening policies (e.g., disable unnecessary plugins, enforce least‑privilege execution).
- Monitor vendor advisories for any emerging exploitation indicators.
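The version check and prioritization from the actions above, as an added example that is not part of the advisory. The inventory columns and host names are constructed, and because this page does not state the fixed ESR version numbers, ESR installs are reported as REVIEW until those values are filled in from the vendor advisory.

```python
import csv
import io

# Minimum fixed versions stated on this page (regular release channel).
MIN_FIXED = {"firefox": (150, 0, 1), "thunderbird": (150, 0, 1)}
# Placeholder: the page gives no ESR version numbers; take them from the vendor advisory.
ESR_MIN_FIXED = {"firefox": None, "thunderbird": None}

# Constructed sample inventory export (hypothetical column names and hosts).
SAMPLE_INVENTORY = """host,product,version,channel,privileged
ws-001,Firefox,150.0.1,release,no
ws-002,Firefox,149.0.2,release,yes
ws-003,Thunderbird,150.0,release,no
ws-004,Firefox,140.9.0,esr,yes
ws-005,Thunderbird,151.0b3,release,no
"""

def parse_version(text):
    """Turn '150.0' into (150, 0, 0); return None for non-numeric parts."""
    try:
        nums = [int(part) for part in text.strip().split(".")]
    except ValueError:
        return None  # e.g. pre-release strings such as '151.0b3'
    return tuple(nums + [0] * (3 - len(nums)))  # pad short versions with zeros

def assess(row):
    """Classify one inventory row as OK, VULNERABLE or REVIEW."""
    product = row["product"].strip().lower()
    channel = row["channel"].strip().lower()
    minimum = (ESR_MIN_FIXED if channel == "esr" else MIN_FIXED).get(product)
    version = parse_version(row["version"])
    if minimum is None or version is None:
        return "REVIEW"  # unknown threshold or version: never assume patched
    return "OK" if version >= minimum else "VULNERABLE"

def triage(inventory_csv):
    """Return (status, privileged, host) tuples, worst status and privileged hosts first."""
    order = {"VULNERABLE": 0, "REVIEW": 1, "OK": 2}
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        privileged = row["privileged"].strip().lower() == "yes"
        rows.append((assess(row), privileged, row["host"]))
    return sorted(rows, key=lambda r: (order[r[0]], not r[1], r[2]))

if __name__ == "__main__":
    for status, privileged, host in triage(SAMPLE_INVENTORY):
        print(f"{status:<10} {'privileged' if privileged else 'standard':<10} {host}")
```
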
Technical Notes — The advisory lists CVE‑2026‑7320 (Audio/Video boundary condition), CVE‑2026‑7321 (WebRTC sandbox escape), and CVE‑2026‑7322/7323/7324 (memory‑safety bugs). The attack vector is a drive‑by compromise via malicious web content; exploitation requires no user interaction beyond visiting a compromised site.
Source: CIS Advisory 2026‑039