CVE-2025-13223

Google Chromium V8 Type Confusion Exploitation (CVE-2025-13223)

Detects exploitation attempts targeting CVE-2025-13223, a type confusion vulnerability (CWE-843) in Google Chromium's V8 JavaScript engine. This KEV-listed vulnerability allows remote attackers to execute arbitrary code via a crafted HTML page. Exploitation typically involves a malicious web page triggering memory corruption through confused object type handling in V8, leading to sandbox escape or remote code execution within the browser process.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Google
Product
Chromium V8

Weakness (CWE)
CWE-843 (Type Confusion)

Timeline

Disclosed
November 19, 2025

CVSS

Unscored

What is Google Chromium V8 Type Confusion Exploitation (CVE-2025-13223)?

Google Chromium V8 Type Confusion Exploitation (CVE-2025-13223) maps to the MITRE ATT&CK tactics Initial Access, Execution and Defense Evasion: the adversary is trying to get into your network, run code, and avoid being noticed.

This page provides production-ready detection logic for Google Chromium V8 Type Confusion Exploitation (CVE-2025-13223), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint and Microsoft Sentinel (DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents). The queries below are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactic
Initial Access, Execution, Defense Evasion
Microsoft Sentinel / Defender (KQL)

// Part 1: a Chromium-based browser (parent) spawning a command interpreter or LOLBin (child).
// The parent is matched on InitiatingProcessFileName and the child on FileName; the two
// filters must be on different columns or the query can never match.
let suspiciousChromeChildren = DeviceProcessEvents
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "brave.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessId, ProcessId;
// Part 2: browser crash dumps, a side effect of a failed or noisy memory-corruption attempt.
let crashDumps = DeviceFileEvents
| where FolderPath has_any ("Crashpad", "CrashDumps", "crash-reports")
| where FileName endswith ".dmp" or FileName endswith ".crash"
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "brave.exe")
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, InitiatingProcessFileName;
// Part 3: outbound connections from an interpreter whose parent is the browser (browser -> shell -> network).
let networkAfterBrowser = DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe")
| where InitiatingProcessParentFileName in~ ("chrome.exe", "msedge.exe", "brave.exe")
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine;
// The three result sets have different columns; union keeps all of them (missing values are empty).
union suspiciousChromeChildren, crashDumps, networkAfterBrowser
| sort by TimeGenerated desc

Detects suspicious child process spawning from Chromium-based browsers (indicative of V8 type confusion exploitation leading to sandbox escape), browser crash dump generation, and anomalous network activity from processes spawned by browser children. Covers CVE-2025-13223 post-exploitation telemetry.

Severity: critical. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint, Microsoft Sentinel (DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents)

Required Tables

DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents

False Positives

  • Legitimate browser automation or test frameworks (Selenium, Playwright) that spawn command interpreters from browser processes
  • Developer tools and debugging sessions where chrome.exe spawns child processes intentionally
  • Enterprise software that embeds Chromium (Electron apps) and spawns shell processes as part of normal operation
  • Crash reporting tools that generate .dmp files during legitimate browser crashes unrelated to exploitation
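As an added example that is not part of this page's detection package, the Python below applies the three conditions of the KQL query above to MDE-style event records and adds one tuning exclusion for the Selenium/Playwright false positive listed above. The AUTOMATION_GRANDPARENTS allow-list and the sample records are assumptions, constructed for the example.

```python
# Added example, not the page's own code: the page's three KQL conditions applied
# to MDE-style event dicts, plus a tuning exclusion from the False Positives list.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe"}
NET_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}
CRASH_DIRS = ("crashpad", "crashdumps", "crash-reports")
# Hypothetical allow-list: Selenium/Playwright drivers that legitimately make a browser spawn a shell.
AUTOMATION_GRANDPARENTS = {"chromedriver.exe", "msedgedriver.exe"}

def _low(value): return (value or "").lower()

def classify(e):
    """Return the detection label matching one event dict, or None."""
    parent, child = _low(e.get("InitiatingProcessFileName")), _low(e.get("FileName"))
    grandparent = _low(e.get("InitiatingProcessParentFileName"))
    if e["Table"] == "DeviceProcessEvents":
        if grandparent in AUTOMATION_GRANDPARENTS:
            return None  # browser driven by a test framework: suppressed
        if parent in BROWSERS and child in LOLBINS:
            return "browser_spawned_lolbin"
    elif e["Table"] == "DeviceFileEvents":
        if (parent in BROWSERS and child.endswith((".dmp", ".crash"))
                and any(d in _low(e.get("FolderPath")) for d in CRASH_DIRS)):
            return "browser_crash_dump"
    elif e["Table"] == "DeviceNetworkEvents":
        if parent in NET_CHILDREN and grandparent in BROWSERS:
            return "network_from_browser_child"
    return None

def run(events):
    """Union of all hits sorted newest first, like the page's final query."""
    return sorted(((e["TimeGenerated"], e["DeviceName"], lab)
                   for e in events if (lab := classify(e))), reverse=True)

def ev(table, ts, device, **fields):
    return {"Table": table, "TimeGenerated": ts, "DeviceName": device, **fields}

SAMPLE_EVENTS = [  # constructed, not real telemetry; 192.0.2.1 is a documentation address
    ev("DeviceProcessEvents", "2025-11-20T10:00:01Z", "WS01", InitiatingProcessParentFileName="explorer.exe",
       InitiatingProcessFileName="chrome.exe", FileName="cmd.exe"),
    ev("DeviceProcessEvents", "2025-11-20T10:00:02Z", "CI01", InitiatingProcessParentFileName="chromedriver.exe",
       InitiatingProcessFileName="chrome.exe", FileName="cmd.exe"),  # Selenium run: suppressed
    ev("DeviceProcessEvents", "2025-11-20T10:00:03Z", "WS01", InitiatingProcessParentFileName="explorer.exe",
       InitiatingProcessFileName="chrome.exe", FileName="chrome.exe"),  # renderer spawn: benign
    ev("DeviceFileEvents", "2025-11-20T10:00:04Z", "WS01", InitiatingProcessFileName="chrome.exe",
       FolderPath=r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Crashpad\reports", FileName="a1b2.dmp"),
    ev("DeviceNetworkEvents", "2025-11-20T10:00:05Z", "WS01", InitiatingProcessParentFileName="chrome.exe",
       InitiatingProcessFileName="powershell.exe", RemoteIP="192.0.2.1", RemotePort=4444),
]
```

Running run(SAMPLE_EVENTS) yields three hits (network, crash dump, browser-spawned cmd.exe) while the chromedriver-driven lineage and the ordinary renderer spawn are not reported.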

Sigma rule & cross-platform mapping

The detection logic for Google Chromium V8 Type Confusion Exploitation (CVE-2025-13223) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate V8 Sandbox Escape - Chrome Spawning cmd.exe

    Expected signal: Sysmon EventID 1 (ProcessCreate) with ParentImage matching chrome.exe and Image matching cmd.exe; DeviceProcessEvents in MDE showing FileName=cmd.exe with InitiatingProcessFileName=chrome.exe

  2. Test 2: Browser Process Network Beacon Simulation Post-Exploitation

    Expected signal: Sysmon EventID 3 (NetworkConnect) with Image=powershell.exe, ParentImage=chrome.exe (or powershell spawned in context of test), DestinationIp=192.0.2.1, DestinationPort=4444; DeviceNetworkEvents with InitiatingProcessFileName=powershell.exe

  3. Test 3: Chrome Crash Dump Generation - Exploitation Indicator Simulation

    Expected signal: Sysmon EventID 11 (FileCreate) events for each .dmp file creation in the Crashpad reports directory; DeviceFileEvents with FileName ending in .dmp and FolderPath containing Crashpad

  4. Test 4: Linux - Chromium Renderer Child Process Spawn Simulation

    Expected signal: Linux audit log (auditd) or Sysdig/Falco events showing bash or sh spawned with ppid matching chromium-browser process; EDR telemetry (CrowdStrike Falcon for Linux, SentinelOne) recording process lineage
