Detect CVE-2025-14174: Google Chromium Out of Bounds Memory Access Exploitation in Google Chronicle
Detects exploitation of CVE-2025-14174, an out-of-bounds memory access vulnerability in Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow attackers to execute arbitrary code or escape the browser sandbox via a crafted web page. Detection focuses on abnormal Chromium process behavior including child process spawning, memory anomalies, and post-exploitation indicators.
YARA-L Detection Query
rule cve_2025_14174_chromium_oob_exploit {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects potential exploitation of CVE-2025-14174 Chromium OOB memory access via suspicious child process spawning"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-14174"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    // $browser: a Chromium-family browser process launches a process
    $browser.metadata.event_type = "PROCESS_LAUNCH"
    $browser.principal.process.file.full_path = /(?i)(chrome\.exe|msedge\.exe|brave\.exe|chromium\.exe)$/

    // $child: a Chromium-family process launches a shell, script host or system utility
    $child.metadata.event_type = "PROCESS_LAUNCH"
    $child.principal.process.file.full_path = /(?i)(chrome\.exe|msedge\.exe|brave\.exe|chromium\.exe)$/
    $child.target.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe)$/

    // Join: same host, and the PID launched in $browser is the parent PID of the $child principal
    $browser.principal.hostname = $child.principal.hostname
    $browser.target.process.pid = $child.principal.process.parent_pid

    // Ordering: $child follows $browser by less than 120 seconds
    $browser.metadata.event_timestamp.seconds < $child.metadata.event_timestamp.seconds
    $child.metadata.event_timestamp.seconds - $browser.metadata.event_timestamp.seconds < 120

  condition:
    $browser and $child
}

This Chronicle YARA-L rule detects a Chromium browser process spawning suspicious system utilities within a 2-minute window, indicating potential exploitation of the CVE-2025-14174 out-of-bounds memory access vulnerability.
False Positives & Tuning
- Browser automation frameworks used in DevOps pipelines
- Chrome Remote Desktop or similar tools that may spawn shells
- Enterprise browser kiosk configurations with managed script execution
- Native messaging host applications that are part of legitimate software suites
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Chromium Renderer Spawning CMD Shell (Simulated)
  Expected signal: Process creation event showing chrome.exe as parent of cmd.exe; file write event to C:\Temp\chromium_oob_test.txt
- Test 2: Chrome Spawning PowerShell with Encoded Command
  Expected signal: Process creation event with chrome.exe parent, powershell.exe child with -EncodedCommand argument visible in command line
- Test 3: Linux Chromium Spawning Shell Process
  Expected signal: Process creation audit log (auditd or Sysdig) showing chromium-browser as parent of bash process; file write to /tmp/
- Test 4: Browser Process Network Connection to C2 Port (Simulated)
  Expected signal: Network connection event from chrome.exe to 127.0.0.1:4444; correlated with child process spawn event
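An added example, not part of the original page or the df00tech package: a Python replay of the rule's `$child` path patterns over constructed records for the four expected signals plus one native-messaging false positive. The record fields, the `review`/`high` verdicts and the two command-line tuning patterns are assumptions; the replay also shows that the Windows-only path patterns do not match the Linux signal from Test 3.

```python
import re

# Path patterns copied from the rule's $child conditions above.
BROWSER = re.compile(r"(?i)(chrome\.exe|msedge\.exe|brave\.exe|chromium\.exe)$")
UTILITY = re.compile(r"(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe"
                     r"|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe)$")
# Assumed tuning signals (not part of the rule): an extension origin on the
# command line for native messaging hosts, and PowerShell's encoded-command flag.
NATIVE_MESSAGING = re.compile(r"chrome-extension://[a-p]{32}/")
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc\w*)\s")

def classify(event):
    """Return 'high', 'alert', 'review' or None for one telemetry record."""
    if event["type"] != "PROCESS_LAUNCH":
        return None  # e.g. Test 4's network event needs its own correlation
    if not (BROWSER.search(event["parent"]) and UTILITY.search(event["child"])):
        return None
    if NATIVE_MESSAGING.search(event["cmdline"]):
        # The command line is attacker-controllable, so lower the priority
        # instead of dropping the event.
        return "review"
    return "high" if ENCODED_PS.search(event["cmdline"]) else "alert"

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample records: one per expected signal plus one false positive.
SAMPLES = {
    "test1_cmd": {"type": "PROCESS_LAUNCH", "parent": CHROME,
                  "child": r"C:\Windows\System32\cmd.exe",
                  "cmdline": r"cmd.exe /c echo x > C:\Temp\chromium_oob_test.txt"},
    "test2_ps": {"type": "PROCESS_LAUNCH", "parent": CHROME,
                 "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "cmdline": "powershell.exe -EncodedCommand PLACEHOLDER"},
    "test3_linux": {"type": "PROCESS_LAUNCH", "parent": "/usr/bin/chromium-browser",
                    "child": "/bin/bash", "cmdline": "bash -c 'touch /tmp/marker'"},
    "test4_net": {"type": "NETWORK_CONNECTION", "parent": CHROME,
                  "child": "", "cmdline": ""},
    "native_host": {"type": "PROCESS_LAUNCH", "parent": CHROME,
                    "child": r"C:\Windows\System32\cmd.exe",
                    "cmdline": r'cmd.exe /d /c "C:\Tools\host.exe" chrome-extension://'
                               + "a" * 32 + "/ --parent-window=0"},
}

def replay(samples=SAMPLES):
    """Map each sample name to the verdict the rule's patterns would give."""
    return {name: classify(event) for name, event in samples.items()}

if __name__ == "__main__":
    for name, verdict in replay().items():
        print(f"{name:12} -> {verdict}")
```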