The Internet Explorer (IE) mode in Microsoft Edge serves a vital role for organizations, allowing them to render older Internet Explorer 11-based websites and applications within the modern Edge browser. This feature is designed to simplify the IT environment, ensuring continued access to essential legacy services while standardizing on a single, modern platform for newer web applications.
The vulnerability came to light in August 2025 when threat actors began actively exploiting it. Microsoft did not immediately release technical specifics about the attackers’ identity or the full extent of the operations, but the method of exploitation was confirmed: a combination of social engineering and unpatched zero-day flaws in Internet Explorer’s legacy Chakra JavaScript engine.
The attack chain was highly sophisticated. It started by tricking users into visiting a spoofed, official-looking website. The attackers then convinced the victims to manually reload the page in IE mode using a flyout prompt. Once the page was rendered by the vulnerable legacy engine, the threat actors carried out the two-stage process outlined in the official advisory.
First, the attackers leveraged the Chakra exploit to achieve remote code execution (RCE), and then they utilized a secondary exploit to escalate privileges outside of the confined browser environment. This allowed them to gain complete device control, enabling them to install persistent malware, move laterally across networks, or steal valuable corporate and personal data.
In response to these critical, active exploits, Microsoft swiftly implemented a major policy change to mitigate future risk. It removed the easy-access buttons for IE mode for all non-commercial users. Enabling IE mode now requires an explicit, site-by-site process through the browser’s Settings > Default Browser menu. This restriction significantly reduces the attack surface, balancing the need for legacy support with robust, modern security while maintaining a clear, auditable pathway for genuine business requirements.