CVE-2025-14174 Elastic Security · Elastic

Detect CVE-2025-14174: Google Chromium Out of Bounds Memory Access Exploitation in Elastic Security

Detects exploitation of CVE-2025-14174, an out-of-bounds memory access vulnerability in Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow attackers to execute arbitrary code or escape the browser sandbox via a crafted web page. Detection focuses on abnormal Chromium process behavior including child process spawning, memory anomalies, and post-exploitation indicators.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name, process.parent.entity_id with maxspan=2m
  [process where process.name in~ ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe") and event.type == "start"]
  [process where process.parent.name in~ ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe")
    and process.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
    and event.type == "start"
  ]
  [any where (
    (event.category == "network" and destination.port in (4444, 1337, 8080, 9001, 31337))
    or
    (event.category == "file" and file.path like "*\\AppData\\Roaming\\*" and file.extension in ("exe", "dll", "ps1", "vbs", "bat"))
  )]
critical severity high confidence

EQL sequence rule detecting the full exploitation chain: Chromium process start, suspicious child process spawn, followed by either C2 network connection or dropped payload file — all within a 2-minute window.

Data Sources

Elastic EndpointElastic AgentWinlogbeat

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.network-*logs-endpoint.events.file-*

False Positives & Tuning

  • Browser automation in CI/CD pipelines that subsequently make network connections
  • Browser extensions using native messaging with network-connected helper applications
  • Developer tooling that chains browser launch with build scripts and local servers
  • Legitimate software updaters spawned by browser processes

Other platforms for CVE-2025-14174

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Chromium Renderer Spawning CMD Shell (Simulated)

    Expected signal: Process creation event showing chrome.exe as parent of cmd.exe; file write event to C:\Temp\chromium_oob_test.txt

  2. Test 2Chrome Spawning PowerShell with Encoded Command

    Expected signal: Process creation event with chrome.exe parent, powershell.exe child with -EncodedCommand argument visible in command line

  3. Test 3Linux Chromium Spawning Shell Process

    Expected signal: Process creation audit log (auditd or Sysdig) showing chromium-browser as parent of bash process; file write to /tmp/

  4. Test 4Browser Process Network Connection to C2 Port (Simulated)

    Expected signal: Network connection event from chrome.exe to 127.0.0.1:4444; correlated with child process spawn event

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-14174 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0004Privilege Escalation

Related Techniques

T1203Exploitation for Client ExecutionT1059Command and Scripting InterpreterT1055Process Injection

Same Tactic: Initial Access

Popular Detections