CVE 2025 4664 Chrome Flaw With Public Exploit
Query
// CVE-2025-4664 Chrome flaw with public exploit
// https://www.bleepingcomputer.com/news/security/cisa-tags-recently-patched-chrome-bug-as-actively-exploited-zero-day/
// https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessVersionInfoProductName == "Google Chrome"
| where ProcessVersionInfoProductVersion != "136.0.7103.114"
| summarize arg_max(Timestamp, *) by DeviceId
| summarize VulnerableVersionCount=count() by ProcessVersionInfoProductVersion
| sort by VulnerableVersionCount descExplanation
This KQL query is designed to identify devices running a vulnerable version of Google Chrome that is susceptible to a specific security flaw (CVE-2025-4664) with a known public exploit. Here's a simple breakdown of what the query does:
-
Data Source: It looks at
DeviceProcessEvents, which contains information about processes running on devices. -
Time Frame: It filters the data to include only events from the last 30 days.
-
Product Filter: It specifically focuses on processes related to "Google Chrome".
-
Version Check: It excludes the Chrome version "136.0.7103.114", which is presumably the patched version that is not vulnerable.
-
Latest Event per Device: For each device, it finds the most recent event (using
arg_max) to ensure it captures the latest version of Chrome running on that device. -
Count Vulnerable Versions: It counts how many devices are running each vulnerable version of Chrome.
-
Sort Results: Finally, it sorts the results by the number of devices running each vulnerable version, in descending order, to highlight which versions are most prevalent among the vulnerable devices.
In summary, the query helps identify and prioritize which versions of Chrome are most commonly vulnerable across devices in the network, aiding in targeted patching efforts.
Details

Steven Lim
Released: May 16, 2025
Tables
Keywords
Operators