CVE-2025-14174: Google Chromium Out of Bounds Memory Access Exploitation

Detects exploitation of CVE-2025-14174, an out-of-bounds memory access vulnerability in Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow attackers to execute arbitrary code or escape the browser sandbox via a crafted web page. Detection focuses on abnormal Chromium process behavior including child process spawning, memory anomalies, and post-exploitation indicators.

Vulnerability Intelligence

KEV: Known Exploited (listed in the CISA Known Exploited Vulnerabilities catalog)

What is CVE-2025-14174: Google Chromium Out of Bounds Memory Access Exploitation?

CVE-2025-14174 (Google Chromium Out of Bounds Memory Access Exploitation) maps to the MITRE ATT&CK tactics Initial Access, Execution and Privilege Escalation (the adversary is trying to get into your network).

This page provides production-ready detection logic for CVE-2025-14174: Google Chromium Out of Bounds Memory Access Exploitation, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, Azure Monitor. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access, Execution, Privilege Escalation

Microsoft Sentinel / Defender (KQL)
// Chromium-family browser images, and the script hosts / LOLBins a renderer should never spawn
let chromiumProcesses = dynamic(["chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"]);
let suspiciousChildProcs = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName has_any (chromiumProcesses)
| where FileName has_any (suspiciousChildProcs)
// A user-launched main browser process has explorer.exe as its parent; renderer and utility
// processes have the browser itself as parent. This keeps children of sandboxed processes
// and drops children of the main browser process.
| where InitiatingProcessParentFileName !has "explorer.exe" or isempty(InitiatingProcessParentFileName)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessId, ProcessId
// Correlate with outbound connections from the same browser PID to common C2 ports.
// The join key is device + PID only; PIDs are recycled within the 7-day window, so add a
// time bound (e.g. compare TimeGenerated of both sides) if stale pairings show up.
| join kind=leftouter (
    DeviceNetworkEvents
    | where TimeGenerated > ago(7d)
    | where InitiatingProcessFileName has_any (chromiumProcesses)
    | where RemotePort in (4444, 1337, 8080, 9001, 31337)
    | project TimeGenerated, DeviceName, InitiatingProcessId, RemoteIP, RemotePort, RemoteUrl
) on DeviceName, $left.InitiatingProcessId == $right.InitiatingProcessId
// case() is evaluated top-down: encoded PowerShell scores 90, cmd /c scores 70 even when a
// C2-port connection is present, any other child with a connection scores 80, else 50
| extend RiskScore = case(
    FileName =~ "powershell.exe" and ProcessCommandLine has_any ("-enc", "-EncodedCommand", "IEX", "Invoke-Expression"), 90,
    FileName =~ "cmd.exe" and ProcessCommandLine has "/c", 70,
    isnotempty(RemoteIP), 80,
    50
  )
| where RiskScore >= 50
| order by RiskScore desc

Detects Chromium browser processes spawning suspicious child processes that may indicate exploitation of CVE-2025-14174. Correlates with outbound network connections on known C2 ports from Chromium renderer processes.

Severity: critical. Confidence: medium.

Data Sources: Microsoft Defender for Endpoint, Microsoft Sentinel, Azure Monitor

Required Tables: DeviceProcessEvents, DeviceNetworkEvents

False Positives

  • Legitimate browser automation tools (Selenium, Playwright) that spawn command-line processes
  • Enterprise browser management solutions that invoke scripts via browser context
  • Developer environments where Chrome extensions legitimately invoke native messaging hosts
  • IT admin tasks executed via browser-based remote management consoles

Sigma rule & cross-platform mapping

The detection logic for CVE-2025-14174 (Google Chromium Out of Bounds Memory Access Exploitation) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic ships as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Chromium Renderer Spawning CMD Shell (Simulated)

    Expected signal: Process creation event showing chrome.exe as parent of cmd.exe; file write event to C:\Temp\chromium_oob_test.txt

  2. Test 2: Chrome Spawning PowerShell with Encoded Command

    Expected signal: Process creation event with chrome.exe parent, powershell.exe child with -EncodedCommand argument visible in command line

  3. Test 3: Linux Chromium Spawning Shell Process

    Expected signal: Process creation audit log (auditd or Sysdig) showing chromium-browser as parent of bash process; file write to /tmp/

  4. Test 4: Browser Process Network Connection to C2 Port (Simulated)

    Expected signal: Network connection event from chrome.exe to 127.0.0.1:4444; correlated with child process spawn event
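As an added example (not part of this page's detection package), the same parent filter, PID join and case() risk scoring as the KQL query above, rewritten in Python and run over constructed telemetry shaped like Tests 1, 2 and 4. It goes slightly beyond the query by bounding the PID join in time and by allowlisting the browser-automation false positives listed above; the allowlist tokens (selenium, playwright) and the sample rows are assumptions.

```python
from datetime import datetime, timedelta

# Lists mirror the KQL above (exact lower-case match stands in for has_any).
CHROMIUM = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                       "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
C2_PORTS = {4444, 1337, 8080, 9001, 31337}
ENCODED_PS = ("-enc", "-encodedcommand", "iex", "invoke-expression")
ALLOWLIST = ("selenium", "playwright")  # tuning for the automation false positives above (assumed tokens)

def risk_score(proc, net_hits):  # same case() order as the KQL: cmd /c scores 70 even with a C2-port hit
    fn, cl = proc["FileName"].lower(), proc["ProcessCommandLine"].lower()
    if fn == "powershell.exe" and any(t in cl for t in ENCODED_PS):
        return 90
    if fn == "cmd.exe" and "/c" in cl:
        return 70
    return 80 if net_hits else 50

def correlate(proc_events, net_events, window=timedelta(minutes=10)):
    alerts = []
    for p in proc_events:
        cl = p["ProcessCommandLine"].lower()
        # A user-launched main browser process has explorer.exe as its parent; renderer
        # and utility processes have chrome.exe, so only their children survive this filter.
        if (p["InitiatingProcessFileName"].lower() not in CHROMIUM
                or p["FileName"].lower() not in SUSPICIOUS_CHILDREN
                or "explorer.exe" in p.get("InitiatingProcessParentFileName", "").lower()
                or any(a in cl for a in ALLOWLIST)):
            continue
        # Join on device + browser PID as the KQL does, plus a time window (added here) so a
        # PID recycled days later does not pair with this process creation.
        hits = [n for n in net_events if n["DeviceName"] == p["DeviceName"]
                and n["InitiatingProcessId"] == p["InitiatingProcessId"] and n["RemotePort"] in C2_PORTS
                and abs(n["TimeGenerated"] - p["TimeGenerated"]) <= window]
        alerts.append({**p, "RemoteIP": hits[0]["RemoteIP"] if hits else None, "RiskScore": risk_score(p, hits)})
    return sorted(alerts, key=lambda a: a["RiskScore"], reverse=True)

# Constructed sample telemetry shaped like Tests 1, 2 and 4 above, plus two benign rows.
T0 = datetime(2025, 12, 15, 10, 0)
def ev(minute, **kw):  # default row: a chrome.exe renderer (parent chrome.exe) on one workstation
    return {"TimeGenerated": T0 + timedelta(minutes=minute), "DeviceName": "WS01", "InitiatingProcessFileName": "chrome.exe",
            "InitiatingProcessParentFileName": "chrome.exe", **kw}
PROC_EVENTS = [
    ev(0, FileName="cmd.exe", InitiatingProcessId=4120, ProcessCommandLine=r"cmd.exe /c echo x > C:\Temp\chromium_oob_test.txt"),
    ev(1, FileName="powershell.exe", InitiatingProcessId=4120, ProcessCommandLine="powershell.exe -EncodedCommand SQBFAFgA"),
    ev(2, FileName="wscript.exe", InitiatingProcessId=4121, ProcessCommandLine="wscript.exe update.vbs"),
    ev(3, FileName="cmd.exe", InitiatingProcessId=3000, ProcessCommandLine="cmd.exe /c whoami", InitiatingProcessParentFileName="explorer.exe"),
    ev(4, FileName="cmd.exe", InitiatingProcessId=4122, ProcessCommandLine="cmd.exe /c npx playwright test"),
]
def net(delta, pid):  # constructed connection to the simulated C2 port from Test 4
    return {"TimeGenerated": T0 + delta, "DeviceName": "WS01", "InitiatingProcessId": pid, "RemoteIP": "127.0.0.1", "RemotePort": 4444}
NET_EVENTS = [net(timedelta(minutes=2), 4121), net(timedelta(days=3), 4120)]  # second is a recycled PID outside the window
```

Running `correlate(PROC_EVENTS, NET_EVENTS)` yields three alerts scored 90, 80 and 70; the explorer.exe-parented row and the Playwright row are dropped, and the 3-day-old connection never pairs with PID 4120.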
