CVE-2025-14174 CrowdStrike LogScale · LogScale

Detect CVE-2025-14174: Google Chromium Out of Bounds Memory Access Exploitation in CrowdStrike LogScale

Detects exploitation of CVE-2025-14174, an out-of-bounds memory access vulnerability in Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow attackers to execute arbitrary code or escape the browser sandbox via a crafted web page. Detection focuses on abnormal Chromium process behavior including child process spawning, memory anomalies, and post-exploitation indicators.

MITRE ATT&CK

Tactics: Initial Access, Execution, Privilege Escalation

LogScale Detection Query

CrowdStrike LogScale (LogScale) · CQL

#event_simpleName=ProcessRollup2
// Browser parent spawning a shell interpreter or living-off-the-land utility
| in(field=ParentBaseFileName, values=["chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"], ignoreCase=true)
| in(field=FileName, values=["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"], ignoreCase=true)
// Risk scoring by command-line characteristics; the first matching branch wins
| case {
    FileName=/^powershell\.exe$/i AND CommandLine=/(-enc|-EncodedCommand|IEX|Invoke-Expression)/i | RiskScore := "90-Critical";
    FileName=/^powershell\.exe$/i | RiskScore := "75-High";
    FileName=/^cmd\.exe$/i AND CommandLine=/\/c\s/i | RiskScore := "65-High";
    * | RiskScore := "50-Medium"
  }
| table([@timestamp, ComputerName, UserName, ParentBaseFileName, ParentProcessId, FileName, CommandLine, RiskScore])
| sort(RiskScore, order=desc, type=string, limit=200)

Severity: critical · Confidence: medium

CrowdStrike Falcon LogScale query that filters on the #event_simpleName=ProcessRollup2 tag to identify Chromium-based browser processes spawning shell interpreters and system utilities consistent with CVE-2025-14174 exploitation, with a RiskScore assigned from command-line characteristics (encoded or expression-evaluating PowerShell highest, then plain PowerShell, then cmd.exe /c, then any other listed child).

Data Sources

  • CrowdStrike Falcon EDR
  • CrowdStrike Falcon LogScale

Required Tables

#event_simpleName=ProcessRollup2

False Positives & Tuning

  • Automated browser testing in development environments monitored by Falcon
  • Browser-based RPA (Robotic Process Automation) tools spawning shell commands
  • Legitimate Chrome extensions using native messaging to launch helper processes
  • Managed browser deployments where IT tooling invokes scripts via browser context


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Chromium Renderer Spawning CMD Shell (Simulated)

    Expected signal: Process creation event showing chrome.exe as parent of cmd.exe; file write event to C:\Temp\chromium_oob_test.txt

  2. Test 2: Chrome Spawning PowerShell with Encoded Command

    Expected signal: Process creation event with chrome.exe parent, powershell.exe child with -EncodedCommand argument visible in command line

  3. Test 3: Linux Chromium Spawning Shell Process

    Expected signal: Process creation audit log (auditd or Sysdig) showing chromium-browser as parent of bash process; file write to /tmp/

  4. Test 4: Browser Process Network Connection to C2 Port (Simulated)

    Expected signal: Network connection event from chrome.exe to 127.0.0.1:4444; correlated with child process spawn event
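To check, before deploying the rule, which of the four expected signals the LogScale query above would actually raise and how the "False Positives & Tuning" allowlisting interacts with its risk scoring, the following Python re-implements the query's parent/child filters and case() branches and runs them over constructed ProcessRollup2-style events. This is an added example, not the page's own code or any CrowdStrike tooling: the event dicts, the field values for the network event, the service-account allowlist and the helper names (risk_score, triage, prioritize, coverage) are all assumptions.

```python
"""Offline check of the CVE-2025-14174 LogScale detection logic.

Added example, not the page's own code: it mirrors the query's filters and
case() scoring in Python so the rule can be exercised against constructed
ProcessRollup2-style events (one per test in the Testing Methodology) and a
tuning allowlist.  Event dicts, the allowlist and helper names are
constructed assumptions, not real Falcon output.
"""
import re

# Parent browsers and child interpreters/utilities, as in the query's in() filters
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
            "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Same regexes as the query's case() branches
ENCODED_PS = re.compile(r"(-enc|-EncodedCommand|IEX|Invoke-Expression)", re.IGNORECASE)
CMD_C = re.compile(r"/c\s", re.IGNORECASE)

# Constructed tuning allowlist: service accounts that run the browser-based
# RPA / automated testing named under "False Positives & Tuning".
ALLOWED_USERS = {"svc_rpa", "svc_browsertest"}


def risk_score(event):
    """Return the RiskScore the query would assign, or None when the event
    does not pass the query's event/parent/child filters.  Branch order
    matters: the first matching branch wins, exactly as in case()."""
    if event.get("event_simpleName") != "ProcessRollup2":
        return None
    if event.get("ParentBaseFileName", "").lower() not in BROWSERS:
        return None
    child = event.get("FileName", "").lower()
    if child not in CHILDREN:
        return None
    cmdline = event.get("CommandLine", "")
    if child == "powershell.exe" and ENCODED_PS.search(cmdline):
        return "90-Critical"
    if child == "powershell.exe":
        return "75-High"
    if child == "cmd.exe" and CMD_C.search(cmdline):
        return "65-High"
    return "50-Medium"


def triage(event, allowed_users=ALLOWED_USERS):
    """Query filters first, then the tuning allowlist.  Returns (score, verdict)."""
    score = risk_score(event)
    if score is None:
        return None, "not matched by query"
    if event.get("UserName", "").lower() in allowed_users:
        return None, "suppressed by tuning allowlist"
    return score, "alert"


def prioritize(events):
    """Alerts ordered like the query's sort(RiskScore, order=desc): the numeric
    prefix on each score makes plain string ordering agree with severity."""
    alerts = []
    for e in events:
        score, verdict = triage(e)
        if verdict == "alert":
            alerts.append((score, e["ComputerName"], e["FileName"]))
    return sorted(alerts, reverse=True)


# Constructed telemetry approximating the "expected signal" of each test.
SAMPLE_EVENTS = [
    {"test": 1, "event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "alice",
     "ParentBaseFileName": "chrome.exe", "ParentProcessId": 4120, "FileName": "cmd.exe",
     "CommandLine": r"cmd.exe /c echo oob-test > C:\Temp\chromium_oob_test.txt"},
    {"test": 2, "event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "UserName": "bob",
     "ParentBaseFileName": "chrome.exe", "ParentProcessId": 5316, "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand <base64-placeholder>"},
    # Linux: parent chromium-browser and child bash are in neither query list,
    # so this signal needs a separate rule (auditd/Sysdig, as the test notes).
    {"test": 3, "event_simpleName": "ProcessRollup2", "ComputerName": "LNX01", "UserName": "carol",
     "ParentBaseFileName": "chromium-browser", "ParentProcessId": 2210, "FileName": "bash",
     "CommandLine": "bash -c 'echo oob-test > /tmp/chromium_oob_test'"},
    # Network signal: a different event type than the query's tag (fields constructed).
    {"test": 4, "event_simpleName": "NetworkConnectIP4", "ComputerName": "WS01", "UserName": "alice",
     "ParentBaseFileName": "chrome.exe", "FileName": "chrome.exe",
     "RemoteAddressIP4": "127.0.0.1", "RemotePort": 4444},
    # Tuning case: same shape as a real hit, but from an allowlisted RPA account.
    {"test": "rpa", "event_simpleName": "ProcessRollup2", "ComputerName": "RPA01", "UserName": "svc_rpa",
     "ParentBaseFileName": "msedge.exe", "ParentProcessId": 880, "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -File C:\\RPA\\step.ps1"},
]


def coverage(events=SAMPLE_EVENTS):
    """Map each constructed test to the (score, verdict) the rule produces."""
    return {e["test"]: triage(e) for e in events}


if __name__ == "__main__":
    for test, (score, verdict) in coverage().items():
        print(f"test {test}: {score or '-'} ({verdict})")
    print("alert order:", prioritize(SAMPLE_EVENTS))
```

Running it shows that only Tests 1 and 2 are raised by the ProcessRollup2 query (65-High and 90-Critical respectively); Test 3 falls outside the browser and child lists, and Test 4 is a network event that this query never sees, so both need a companion rule or correlation. The allowlist is applied after scoring rather than inside the filters so a suppressed hit still retains its RiskScore for review if the allowlist is later tightened.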

Unlock Pro Content

Get the full detection package for CVE-2025-14174 including response playbook, investigation guide, and atomic red team tests.

