Detect CVE-2025-14174: Google Chromium Out of Bounds Memory Access Exploitation in Splunk
Detects exploitation of CVE-2025-14174, an out-of-bounds memory access vulnerability in Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow attackers to execute arbitrary code or escape the browser sandbox via a crafted web page. Detection focuses on abnormal Chromium process behavior including child process spawning, memory anomalies, and post-exploitation indicators.
MITRE ATT&CK
SPL Detection Query
index=endpoint sourcetype=crowdstrike:events:sensor OR sourcetype=sysmon
(process_name="chrome.exe" OR process_name="msedge.exe" OR process_name="brave.exe" OR process_name="chromium.exe")
| eval is_suspicious_child=if(match(child_process_name, "(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)"), 1, 0)
| where is_suspicious_child=1
| eval encoded_cmd=if(match(child_process_cmdline, "(?i)(-enc|-EncodedCommand|IEX|Invoke-Expression)"), 1, 0)
| eval risk_score=case(
encoded_cmd=1, 90,
match(child_process_name, "(?i)powershell\.exe"), 75,
match(child_process_name, "(?i)cmd\.exe"), 65,
true(), 50
)
| where risk_score >= 50
| stats count as spawn_count, values(child_process_name) as child_procs, values(child_process_cmdline) as cmdlines, max(risk_score) as max_risk by host, user, process_name, process_id, _time
| where spawn_count >= 1
| sort - max_risk
| table _time, host, user, process_name, child_procs, cmdlines, spawn_count, max_riskDetects Chromium browser processes spawning suspicious child processes indicative of CVE-2025-14174 exploitation. Aggregates spawn events and scores by command-line indicators of post-exploitation activity.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Automated browser testing frameworks spawning native processes
- Browser-integrated developer tools invoking build scripts
- Enterprise software with legitimate browser-to-native-app integration
- Chrome Native Messaging hosts for password managers or security tools
Other platforms for CVE-2025-14174
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Chromium Renderer Spawning CMD Shell (Simulated)
Expected signal: Process creation event showing chrome.exe as parent of cmd.exe; file write event to C:\Temp\chromium_oob_test.txt
- Test 2Chrome Spawning PowerShell with Encoded Command
Expected signal: Process creation event with chrome.exe parent, powershell.exe child with -EncodedCommand argument visible in command line
- Test 3Linux Chromium Spawning Shell Process
Expected signal: Process creation audit log (auditd or Sysdig) showing chromium-browser as parent of bash process; file write to /tmp/
- Test 4Browser Process Network Connection to C2 Port (Simulated)
Expected signal: Network connection event from chrome.exe to 127.0.0.1:4444; correlated with child process spawn event
Unlock Pro Content
Get the full detection package for CVE-2025-14174 including response playbook, investigation guide, and atomic red team tests.