CVE-2025-14733 CrowdStrike LogScale · LogScale

Detect CVE-2025-14733: WatchGuard Firebox Out-of-Bounds Write Exploitation in CrowdStrike LogScale

Detects exploitation attempts targeting CVE-2025-14733, an out-of-bounds write vulnerability (CWE-787) in WatchGuard Firebox devices. This vulnerability is actively exploited in the wild (CISA KEV) and may allow remote code execution or device compromise. Detection focuses on anomalous management interface activity, unexpected process crashes, and network indicators consistent with exploitation.

MITRE ATT&CK

Tactic
Initial Access Execution Impact

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6", "ProcessRollup2", "SyntheticProcessRollup2")
| $vendor = "WatchGuard" OR $product = "Firebox" OR ComputerName = /.*firebox.*/i OR ComputerName = /.*watchguard.*/i
| (
    CommandLine = /crash|segfault|SIGSEGV|core.dump|out.of.bounds|buffer.overflow|heap.corruption|stack.smashing/i
    OR
    (
      RemotePort IN [443, 4117, 4118, 8080]
      AND event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6")
    )
  )
| groupby([ComputerName, UserName, RemoteAddressIP4, RemotePort, CommandLine])
| sort(count(), order=desc)
critical severity medium confidence

CrowdStrike Falcon query detecting WatchGuard Firebox network connections to management ports and process anomalies indicative of CVE-2025-14733 out-of-bounds write exploitation.

Data Sources

CrowdStrike Falcon EDRNetwork telemetry

Required Tables

NetworkConnectIP4NetworkConnectIP6ProcessRollup2

False Positives & Tuning

  • Legitimate CrowdStrike-monitored systems performing authorized management of WatchGuard devices
  • Security operations tools connecting to Firebox management interfaces for health monitoring
  • Firmware update utilities triggering process-level events during planned maintenance
  • Authorized penetration testers running exploit simulations against WatchGuard infrastructure

Other platforms for CVE-2025-14733

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate WatchGuard Management Interface Reconnaissance

    Expected signal: Network connection logs showing SYN packets to ports 4117, 4118, 8080, and 443 from the attacker IP; IDS alerts on service enumeration; Firebox access logs showing connection attempts

  2. Test 2Malformed HTTP Request to Firebox Management Interface

    Expected signal: Firebox crash or exception log entries; process termination events for web management daemon; syslog SIGSEGV or abnormal exit entries; network connection termination without proper HTTP response

  3. Test 3Post-Exploitation: Simulate Unauthorized Admin Account Creation Check

    Expected signal: WatchGuard audit log entry for admin account creation; API access logs showing POST to user management endpoint; SIEM alert on privileged account creation on network device

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-14733 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0040Impact

Related Techniques

T1190Exploit Public-Facing ApplicationT1133External Remote ServicesT1498Network Denial of Service

Same Tactic: Initial Access

Popular Detections