CVE-2025-14174 IBM QRadar · QRadar

Detect CVE-2025-14174: Google Chromium Out of Bounds Memory Access Exploitation in IBM QRadar

Detects exploitation of CVE-2025-14174, an out-of-bounds memory access vulnerability in Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow attackers to execute arbitrary code or escape the browser sandbox via a crafted web page. Detection focuses on abnormal Chromium process behavior including child process spawning, memory anomalies, and post-exploitation indicators.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as event_time,
       sourceip,
       username,
       "Process Name" as parent_process,
       "Command" as child_command,
       LOGSOURCENAME(logsourceid) as log_source,
       magnitude
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'CrowdStrike Falcon')
  AND LOWER("Process Name") LIKE ANY ('%chrome.exe%', '%msedge.exe%', '%brave.exe%', '%chromium.exe%')
  AND LOWER("Command") LIKE ANY ('%cmd.exe%', '%powershell.exe%', '%wscript.exe%', '%mshta.exe%', '%rundll32.exe%', '%regsvr32.exe%', '%certutil.exe%')
  AND starttime > NOW() - 7 DAYS
ORDER BY starttime DESC
LIMIT 500
critical severity medium confidence

QRadar AQL query identifying Chromium browser processes that have spawned potentially malicious child processes, consistent with browser exploitation via CVE-2025-14174.

Data Sources

QRadar SIEMWindows Security Event LogCrowdStrike Falcon

Required Tables

events

False Positives & Tuning

  • Browser-based enterprise management portals that legitimately invoke shell commands
  • Automated Selenium or similar test suites running in monitored environments
  • Software with browser-to-desktop app protocol handlers
  • IT management software that uses browser as a frontend for system operations

Other platforms for CVE-2025-14174

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Chromium Renderer Spawning CMD Shell (Simulated)

    Expected signal: Process creation event showing chrome.exe as parent of cmd.exe; file write event to C:\Temp\chromium_oob_test.txt

  2. Test 2Chrome Spawning PowerShell with Encoded Command

    Expected signal: Process creation event with chrome.exe parent, powershell.exe child with -EncodedCommand argument visible in command line

  3. Test 3Linux Chromium Spawning Shell Process

    Expected signal: Process creation audit log (auditd or Sysdig) showing chromium-browser as parent of bash process; file write to /tmp/

  4. Test 4Browser Process Network Connection to C2 Port (Simulated)

    Expected signal: Network connection event from chrome.exe to 127.0.0.1:4444; correlated with child process spawn event

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-14174 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0004Privilege Escalation

Related Techniques

T1203Exploitation for Client ExecutionT1059Command and Scripting InterpreterT1055Process Injection

Same Tactic: Initial Access

Popular Detections