Detect CVE-2025-14174: Google Chromium Out of Bounds Memory Access Exploitation in Sumo Logic CSE
Detects exploitation of CVE-2025-14174, an out-of-bounds memory access vulnerability in Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow attackers to execute arbitrary code or escape the browser sandbox via a crafted web page. Detection focuses on abnormal Chromium process behavior including child process spawning, memory anomalies, and post-exploitation indicators.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=endpoint/windows OR _sourceCategory=endpoint/crowdstrike
| where (process matches /(?i)chrome\.exe/ OR process matches /(?i)msedge\.exe/ OR process matches /(?i)brave\.exe/ OR process matches /(?i)chromium\.exe/)
| where (childprocess matches /(?i)cmd\.exe/ OR childprocess matches /(?i)powershell\.exe/ OR childprocess matches /(?i)wscript\.exe/ OR childprocess matches /(?i)cscript\.exe/ OR childprocess matches /(?i)mshta\.exe/ OR childprocess matches /(?i)rundll32\.exe/ OR childprocess matches /(?i)regsvr32\.exe/ OR childprocess matches /(?i)certutil\.exe/)
| count by _sourceHost, user, process, childprocess, commandline
| where _count >= 1
| if(commandline matches /(?i)(-enc|-EncodedCommand|IEX|Invoke-Expression)/, 90, if(childprocess matches /(?i)powershell/, 75, 60)) as risk_score
| where risk_score >= 60
| order by risk_score desc
| fields _sourceHost, user, process, childprocess, commandline, risk_score, _countSumo Logic query detecting Chromium browser spawning suspicious child processes associated with exploitation of CVE-2025-14174, with risk scoring based on child process type and command-line indicators.
Data Sources
Required Tables
False Positives & Tuning
- Headless browser environments in automated testing pipelines
- Browser native messaging integrations for enterprise applications
- Developer workstations where browser-launched terminals are common workflow
- Legitimate browser extensions invoking system utilities via native messaging
Other platforms for CVE-2025-14174
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Chromium Renderer Spawning CMD Shell (Simulated)
Expected signal: Process creation event showing chrome.exe as parent of cmd.exe; file write event to C:\Temp\chromium_oob_test.txt
- Test 2Chrome Spawning PowerShell with Encoded Command
Expected signal: Process creation event with chrome.exe parent, powershell.exe child with -EncodedCommand argument visible in command line
- Test 3Linux Chromium Spawning Shell Process
Expected signal: Process creation audit log (auditd or Sysdig) showing chromium-browser as parent of bash process; file write to /tmp/
- Test 4Browser Process Network Connection to C2 Port (Simulated)
Expected signal: Network connection event from chrome.exe to 127.0.0.1:4444; correlated with child process spawn event
Unlock Pro Content
Get the full detection package for CVE-2025-14174 including response playbook, investigation guide, and atomic red team tests.