@blamejs/exceptd-skills 0.12.29 → 0.12.31

package/data/cve-catalog.json

@@ -39,13 +39,15 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.2,
-      "current_floor_enforced_by_test": 0.2,
+      "current_rate": 0.167,
+      "current_floor_enforced_by_test": 0.15,
       "ladder_to_target": [
+        0.15,
         0.2,
         0.3,
         0.4
       ],
+      "floor_correction_note": "v0.12.31 (cycle 11): floor dropped from 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries (PAN-OS, Marimo, Ivanti EPMM, Exchange OWA, Windows LNK APT28, Defender BlueHammer). All six are vendor- or threat-actor-discovered; none carry an AI-tool credit per Hard Rule #1. Catalog observed rate fell from 6/30 (0.200) to 6/36 (0.167); floor is reset below the new observed rate to keep the test honest, and a new 0.15 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs.",
       "ladder_note": "Test floor advances when each rung is exceeded with a margin (>= floor + 0.05). Surfaces incremental tightening without coincidence-passing failures.",
       "gap_explanation": "Catalog skews toward 2024 vendor-disclosed CVEs (xz-utils, runc, CRI-O, MLflow, containerd, SolarWinds, Citrix, ConnectWise) and Pwn2Own Ireland 2025 entries (Synacktiv, DEVCORE, Summoning Team, CyCraft) where AI-tooling involvement was either not used or not credited in the public disclosure. The 41% figure in AGENTS.md Hard Rule #7 reflects the broader 2025 zero-day population reported by Google Threat Intelligence Group; catalog membership is curated against a different sampling frame (operational impact + framework-coverage need) and so will lag the population-level rate.",
       "discovery_source_enum": [
@@ -66,7 +68,8 @@
         "GHSA-*"
       ],
       "note": "Catalog keys are CVE-* by default. For pre-CVE-assignment advisories under active operational impact, the project accepts OSV-native identifier shapes as the canonical key, with cross-references retained in `aliases`: MAL-* (OSSF Malicious Packages dataset — published into OSV.dev; primary key for malicious-package compromises), GHSA-* (GitHub Advisory Database; primary key when the package is on GitHub and no CVE has issued yet), and SNYK-* (Snyk advisory dataset; primary key for advisories Snyk catalogued before OSV/GHSA ingested them). When MITRE issues a CVE, the entry is renamed in lockstep with the matching zeroday-lessons key; the previous identifier is retained in `aliases` so historical references continue to resolve. Precedent: MAL-2026-3083 added 2026-05-13 (the elementary-data PyPI worm, 1.1M monthly downloads, OSV/OSSF-cataloged before any CVE issued). EPSS coverage does not extend to non-CVE identifiers; epss_score is null with a documenting epss_note on such entries. Upstream pull from OSV.dev: `exceptd refresh --source osv` (added v0.12.10)."
-    }
+    },
+    "last_threat_review": "2026-05-15"
   },
   "CVE-2025-53773": {
     "name": "GitHub Copilot / VS Code 'YOLO mode' Prompt Injection RCE",
@@ -642,7 +645,7 @@
       ]
     },
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Sysdig Threat Research Team — Stefano Chierici and the Sysdig Sage / TRT analysts — surfaced the SQLi via post-disclosure exploitation telemetry; Bishop Fox researchers reproduced and confirmed the auth-path SQLi sink. All named-human research; no AI-discovery attribution from either firm. Source: https://www.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure and https://bishopfox.com/blog/cve-2026-42208-pre-authentication-sql-injection-in-litellm-proxy."
+    "discovery_attribution_note": "Tencent YunDing Security Lab is the credited discoverer per the LiteLLM GHSA-r75f-5x8p-qvmc advisory and confirmed by downstream The Hacker News / Tenable / cve.news coverage. Sysdig TRT (Stefano Chierici + Sysdig Sage analysts) published the post-disclosure 36-hour-to-exploitation telemetry; Bishop Fox reproduced the auth-path SQLi sink. All named-human research; no AI-discovery attribution from any of the three teams. Sources: https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc and https://www.sysdig.com/blog/cve-2026-42208-targeted-sql-injection-against-litellms-authentication-path-discovered-36-hours-following-vulnerability-disclosure and https://bishopfox.com/blog/cve-2026-42208-pre-authentication-sql-injection-in-litellm-proxy."
   },
   "CVE-2026-43284": {
     "name": "Dirty Frag (ESP/IPsec component)",
@@ -959,6 +962,7 @@
     "cisa_kev_date": null,
     "cisa_kev_pending": true,
     "cisa_kev_pending_reason": "Attack disclosed 2026-05-11. Active in-the-wild exploitation of 42 @tanstack/* packages with combined ~150M weekly downloads. CISA KEV listing expected within standard review window.",
+    "kev_scope_note": "CISA KEV historically excludes ecosystem-package compromises (npm/PyPI worms, malicious-package backdoors) — its scope is federally-deployable products with CVE assignments. The Mini Shai-Hulud parent (CVE-2026-45321) and TanStack variant are NOT listed in KEV as of 2026-05-15 despite confirmed in-the-wild exploitation. `cisa_kev: false` is correct; `active_exploitation: confirmed` reflects the actual wormable state. Operators should consume CISA-KEV-style guidance from OpenSSF MAL feed + ecosystem-specific advisories (Snyk/Wiz/Phylum/Socket) for this class.",
     "poc_available": true,
     "poc_description": "Confirmed in-the-wild — 84 malicious versions published across 42 @tanstack/* packages between 2026-05-11 19:20-19:26 UTC. The worm itself IS the PoC; payload analysis published by multiple researchers within 20 minutes.",
     "ai_discovered": false,
@@ -1483,7 +1487,7 @@
     "attack_refs": [
       "T1611"
     ],
-    "rwep_score": 75,
+    "rwep_score": 80,
     "rwep_factors": {
       "cisa_kev": 25,
       "poc_available": 20,
@@ -1506,7 +1510,8 @@
       "https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered by Rory McNamara of Snyk Security Labs as part of the four-vulnerability Leaky Vessels disclosure (CVE-2024-21626 + CVE-2024-23651/23652/23653) published January 2024. Named human researcher; no AI-tool credited. Source: https://labs.snyk.io/resources/leaky-vessels-docker-runc-container-breakout-vulnerabilities/."
+    "discovery_attribution_note": "Discovered by Rory McNamara of Snyk Security Labs as part of the four-vulnerability Leaky Vessels disclosure (CVE-2024-21626 + CVE-2024-23651/23652/23653) published January 2024. Named human researcher; no AI-tool credited. Source: https://labs.snyk.io/resources/leaky-vessels-docker-runc-container-breakout-vulnerabilities/.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80)."
   },
   "CVE-2024-3094": {
     "_draft": true,
@@ -1559,7 +1564,7 @@
       "poc_available": 20,
       "ai_factor": 0,
       "active_exploitation": 10,
-      "blast_radius": 40,
+      "blast_radius": 30,
       "patch_available": -15,
       "live_patch_available": 0,
       "reboot_required": 0
@@ -1577,7 +1582,8 @@
       "https://research.swtch.com/xz-script"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered by Andres Freund (Microsoft engineer, PostgreSQL developer) on 2024-03-28 via a 0.5-second SSH-login latency regression traced to liblzma symbol resolution; reported to oss-security. Named human researcher; no AI tooling involved. Source: https://en.wikipedia.org/wiki/XZ_Utils_backdoor."
+    "discovery_attribution_note": "Discovered by Andres Freund (Microsoft engineer, PostgreSQL developer) on 2024-03-28 via a 0.5-second SSH-login latency regression traced to liblzma symbol resolution; reported to oss-security. Named human researcher; no AI tooling involved. Source: https://en.wikipedia.org/wiki/XZ_Utils_backdoor.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
   },
   "CVE-2024-3154": {
     "_draft": true,
@@ -1814,7 +1820,7 @@
     "attack_refs": [
       "T1190"
     ],
-    "rwep_score": 75,
+    "rwep_score": 80,
     "rwep_factors": {
       "cisa_kev": 25,
       "poc_available": 20,
@@ -1837,7 +1843,8 @@
       "https://support.citrix.com/article/CTX561482"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Independent security researchers via Citrix coordinated disclosure (CTX561482, 2023-07-18); no individual researcher named in the Citrix advisory. NSA/CISA AA23-201A documents in-wild exploitation by Chinese state-sponsored actors. No AI-tool credited. Source: https://support.citrix.com/article/CTX561482/ and https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a."
+    "discovery_attribution_note": "Independent security researchers via Citrix coordinated disclosure (CTX561482, 2023-07-18); no individual researcher named in the Citrix advisory. NSA/CISA AA23-201A documents in-wild exploitation by Chinese state-sponsored actors. No AI-tool credited. Source: https://support.citrix.com/article/CTX561482/ and https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: +5 (75 -> 80)."
   },
   "CVE-2024-1709": {
     "_draft": true,
@@ -1945,7 +1952,7 @@
       "poc_available": 0,
       "ai_factor": 0,
       "active_exploitation": 20,
-      "blast_radius": 35,
+      "blast_radius": 30,
       "patch_available": -15,
       "live_patch_available": 0,
       "reboot_required": 5
@@ -1961,7 +1968,8 @@
       "https://sec.cloudapps.cisco.com/security/center/publicationListing.x"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered by Stephen Fewer (Senior Principal Security Researcher) and Jonah Burgess (Senior Security Researcher), both at Rapid7, while researching the related CVE-2026-20127 vdaemon authentication-bypass. Named human researchers; no AI-tool credited. Source: https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/."
+    "discovery_attribution_note": "Discovered by Stephen Fewer (Senior Principal Security Researcher) and Jonah Burgess (Senior Security Researcher), both at Rapid7, while researching the related CVE-2026-20127 vdaemon authentication-bypass. Named human researchers; no AI-tool credited. Source: https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0."
   },
   "CVE-2024-40635": {
     "_draft": true,
@@ -2006,7 +2014,7 @@
       "cisa_kev": 0,
       "poc_available": 20,
       "ai_factor": 0,
-      "active_exploitation": 0,
+      "active_exploitation": 5,
       "blast_radius": 20,
       "patch_available": -15,
       "live_patch_available": 0,
@@ -2023,7 +2031,8 @@
       "https://github.com/containerd/containerd/security/advisories"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Reported via the containerd security team (GO-2025-3528, Snyk SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987); no individual researcher byline in the advisory and no AI-tool credited. Bug class is straight integer overflow in WithUser() UID handling. Source: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987."
+    "discovery_attribution_note": "Reported via the containerd security team (GO-2025-3528, Snyk SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987); no individual researcher byline in the advisory and no AI-tool credited. Bug class is straight integer overflow in WithUser() UID handling. Source: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDV2PKGOCI-9479987.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0."
   },
   "MAL-2026-TANSTACK-MINI": {
     "_draft": true,
@@ -2035,6 +2044,7 @@
     "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
     "cisa_kev": false,
     "cisa_kev_date": null,
+    "kev_scope_note": "CISA KEV historically excludes ecosystem-package compromises (npm/PyPI worms, malicious-package backdoors) — its scope is federally-deployable products with CVE assignments. The Mini Shai-Hulud parent (CVE-2026-45321) and TanStack variant are NOT listed in KEV as of 2026-05-15 despite confirmed in-the-wild exploitation. `cisa_kev: false` is correct; `active_exploitation: confirmed` reflects the actual wormable state. Operators should consume CISA-KEV-style guidance from OpenSSF MAL feed + ecosystem-specific advisories (Snyk/Wiz/Phylum/Socket) for this class.",
     "poc_available": true,
     "poc_description": "84 malicious versions across 42 @tanstack/* packages 2026-05-11 — the worm IS the PoC.",
     "ai_discovered": false,
@@ -2076,8 +2086,8 @@
       "poc_available": 20,
       "ai_factor": 0,
       "active_exploitation": 20,
-      "blast_radius": 40,
-      "patch_available": -10,
+      "blast_radius": 30,
+      "patch_available": -15,
       "live_patch_available": 0,
       "reboot_required": 0
     },
@@ -2094,7 +2104,8 @@
       "https://www.npmjs.com/advisories"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Same incident-class as CVE-2026-45321 (Mini Shai-Hulud); discovery by ecosystem detection across multiple firms (Snyk, Wiz, StepSecurity, Socket, Orca, JFrog) within minutes of the 2026-05-11 publish window. No AI-tool discovery attribution on the defender side. Source: https://snyk.io/blog/tanstack-npm-packages-compromised/."
+    "discovery_attribution_note": "Same incident-class as CVE-2026-45321 (Mini Shai-Hulud); discovery by ecosystem detection across multiple firms (Snyk, Wiz, StepSecurity, Socket, Orca, JFrog) within minutes of the 2026-05-11 publish window. No AI-tool discovery attribution on the defender side. Source: https://snyk.io/blog/tanstack-npm-packages-compromised/.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
   },
   "MAL-2026-ANTHROPIC-MCP-STDIO": {
     "_draft": true,
@@ -2142,12 +2153,12 @@
     "rwep_score": 25,
     "rwep_factors": {
       "cisa_kev": 0,
-      "poc_available": 10,
+      "poc_available": 0,
       "ai_factor": 0,
       "active_exploitation": 5,
       "blast_radius": 30,
       "patch_available": 0,
-      "live_patch_available": -5,
+      "live_patch_available": -10,
       "reboot_required": 0
     },
     "epss_score": null,
@@ -2162,7 +2173,8 @@
       "https://modelcontextprotocol.io/"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered by OX Security research team (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok); part of the four-exploitation-family April 2026 MCP advisory. Named-human research; no AI-tool credited for the discovery despite the target being an AI SDK. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/."
+    "discovery_attribution_note": "Discovered by OX Security research team (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok); part of the four-exploitation-family April 2026 MCP advisory. Named-human research; no AI-tool credited for the discovery despite the target being an AI SDK. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
   },
   "CVE-2026-GTIG-AI-2FA": {
     "_draft": true,
@@ -2215,12 +2227,12 @@
     "rwep_score": 55,
     "rwep_factors": {
       "cisa_kev": 0,
-      "poc_available": 10,
-      "ai_factor": 25,
+      "poc_available": 0,
+      "ai_factor": 15,
       "active_exploitation": 20,
       "blast_radius": 30,
       "patch_available": 0,
-      "live_patch_available": -5,
+      "live_patch_available": -10,
       "reboot_required": 0
     },
     "epss_score": null,
@@ -2235,7 +2247,8 @@
       "https://services.google.com/fh/files/misc/gtig-2026-ai-attack-trends.pdf"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "AI-developed zero-day per Google Threat Intelligence Group 2026-05-11 disclosure; first publicly-attributed in-the-wild AI-built zero-day exploit. GTIG assesses with high confidence that an LLM was weaponized to facilitate discovery + weaponization of a 2FA bypass in a popular open-source web administration tool. Source: https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access and https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html."
+    "discovery_attribution_note": "AI-developed zero-day per Google Threat Intelligence Group 2026-05-11 disclosure; first publicly-attributed in-the-wild AI-built zero-day exploit. GTIG assesses with high confidence that an LLM was weaponized to facilitate discovery + weaponization of a 2FA bypass in a popular open-source web administration tool. Source: https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access and https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
   },
   "CVE-2026-30623": {
     "_draft": true,
@@ -2339,7 +2352,7 @@
     "attack_refs": [
       "T1190"
     ],
-    "rwep_score": 50,
+    "rwep_score": 45,
     "rwep_factors": {
       "cisa_kev": 0,
       "poc_available": 20,
@@ -2361,7 +2374,8 @@
       "https://www.zerodayinitiative.com/blog"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Pwn2Own Ireland 2025 (Cork, 2025-10-21) — exploited by @Tek_7987 and @_Anyfun of Synacktiv's offensive security team. Disclosure methodology: attack-surface enumeration + manual code auditing + exploit development per Synacktiv's published writeup; no AI-tool credit. Source: https://www.synacktiv.com/en/publications/breaking-the-beestation-inside-our-pwn2own-2025-exploit-journey."
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 (Cork, 2025-10-21) — exploited by @Tek_7987 and @_Anyfun of Synacktiv's offensive security team. Disclosure methodology: attack-surface enumeration + manual code auditing + exploit development per Synacktiv's published writeup; no AI-tool credit. Source: https://www.synacktiv.com/en/publications/breaking-the-beestation-inside-our-pwn2own-2025-exploit-journey.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (50 -> 45)."
   },
   "CVE-2025-62847": {
     "_draft": true,
@@ -2400,7 +2414,7 @@
     "attack_refs": [
       "T1190"
     ],
-    "rwep_score": 45,
+    "rwep_score": 40,
     "rwep_factors": {
       "cisa_kev": 0,
       "poc_available": 20,
@@ -2422,7 +2436,8 @@
       "https://www.qnap.com/en/security-advisory/"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Pwn2Own Ireland 2025 — exploited by DEVCORE Research Team (chained injection + format-string bug, $40,000 + 4 Master of Pwn points). Named-human team via ZDI live-blog credit; no AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results."
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 — exploited by DEVCORE Research Team (chained injection + format-string bug, $40,000 + 4 Master of Pwn points). Named-human team via ZDI live-blog credit; no AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (45 -> 40)."
   },
   "CVE-2025-62848": {
     "_draft": true,
@@ -2461,7 +2476,7 @@
     "attack_refs": [
       "T1190"
     ],
-    "rwep_score": 45,
+    "rwep_score": 40,
     "rwep_factors": {
       "cisa_kev": 0,
       "poc_available": 20,
@@ -2483,7 +2498,8 @@
       "https://www.qnap.com/en/security-advisory/"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Pwn2Own Ireland 2025 — chain 2/3 of the DEVCORE Research Team QNAP TS-453E exploit. Same researcher attribution as CVE-2025-62847; ZDI live-blog credit. No AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results."
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 — chain 2/3 of the DEVCORE Research Team QNAP TS-453E exploit. Same researcher attribution as CVE-2025-62847; ZDI live-blog credit. No AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (45 -> 40)."
   },
   "CVE-2025-62849": {
     "_draft": true,
@@ -2522,7 +2538,7 @@
     "attack_refs": [
       "T1068"
     ],
-    "rwep_score": 40,
+    "rwep_score": 35,
     "rwep_factors": {
       "cisa_kev": 0,
       "poc_available": 20,
@@ -2544,7 +2560,8 @@
       "https://www.qnap.com/en/security-advisory/"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Pwn2Own Ireland 2025 — chain 3/3 of the DEVCORE Research Team QNAP TS-453E exploit (post-auth elevation). Same attribution as CVE-2025-62847/62848; ZDI credit. No AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results."
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 — chain 3/3 of the DEVCORE Research Team QNAP TS-453E exploit (post-auth elevation). Same attribution as CVE-2025-62847/62848; ZDI credit. No AI-tool attribution. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: -5 (40 -> 35)."
   },
   "CVE-2025-59389": {
     "_draft": true,
@@ -2589,7 +2606,7 @@
       "poc_available": 20,
       "ai_factor": 0,
       "active_exploitation": 5,
-      "blast_radius": 35,
+      "blast_radius": 30,
       "patch_available": -15,
       "live_patch_available": 0,
       "reboot_required": 5
@@ -2605,7 +2622,8 @@
       "https://www.qnap.com/en/security-advisory/"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Pwn2Own Ireland 2025 — Sina Kheirkhah of Summoning Team chained a hardcoded-credential issue with an injection flaw against QNAP Hyper Data Protector ($20,000 award). Named-human researcher; no AI-tool credit. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results and https://www.qnap.com/en/security-advisory/qsa-25-48."
+    "discovery_attribution_note": "Pwn2Own Ireland 2025 — Sina Kheirkhah of Summoning Team chained a hardcoded-credential issue with an injection flaw against QNAP Hyper Data Protector ($20,000 award). Named-human researcher; no AI-tool credit. Source: https://www.thezdi.com/blog/2025/10/21/pwn2own-ireland-2025-day-one-results and https://www.qnap.com/en/security-advisory/qsa-25-48.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors AND rwep_score to satisfy Shape B invariant. The prior stored rwep_score was internally inconsistent with its rwep_factors block; both now derived from canonical RWEP_WEIGHTS + operational fields. Delta from prior stored: 0."
   },
   "CVE-2025-11837": {
     "_draft": true,
@@ -2726,9 +2744,9 @@
     "rwep_factors": {
       "cisa_kev": 0,
       "poc_available": 20,
-      "ai_factor": 25,
+      "ai_factor": 15,
       "active_exploitation": 0,
-      "blast_radius": 40,
+      "blast_radius": 30,
       "patch_available": -15,
       "live_patch_available": -10,
       "reboot_required": 0
@@ -2747,6 +2765,681 @@
       "https://nginx.org/en/security_advisories.html"
     ],
     "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered by depthfirst's autonomous vulnerability-analysis platform; flagged the heap-buffer-overflow in nginx ngx_http_rewrite_module (present since nginx 0.6.27, 2008) within six hours of scan time. First publicly-attributed AI-discovered nginx CVE; jointly disclosed by F5 + depthfirst on 2026-05-13. Source: https://depthfirst.com/nginx-rift and https://github.com/depthfirstdisclosures/nginx-rift."
+    "discovery_attribution_note": "Discovered by depthfirst's autonomous vulnerability-analysis platform; flagged the heap-buffer-overflow in nginx ngx_http_rewrite_module (present since nginx 0.6.27, 2008) within six hours of scan time. First publicly-attributed AI-discovered nginx CVE; jointly disclosed by F5 + depthfirst on 2026-05-13. Source: https://depthfirst.com/nginx-rift and https://github.com/depthfirstdisclosures/nginx-rift.",
+    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
+  },
+  "CVE-2026-0300": {
+    "_draft": true,
+    "_auto_imported": true,
+    "name": "PAN-UID — Palo Alto Networks PAN-OS User-ID Authentication Portal RCE",
+    "type": "rce",
+    "cvss_score": 9.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-06",
+    "cisa_kev_due_date": "2026-05-27",
+    "poc_available": true,
+    "poc_description": "Vendor-confirmed in-wild exploitation of the User-ID Authentication Portal request-parsing path. Public PoC details withheld during the KEV 21-day window; exploitation chain reaches an out-of-bounds write in the authentication-portal handler reachable pre-auth from any host that can reach the portal's HTTPS endpoint, producing unauth root RCE on the firewall control plane.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Internal Palo Alto Networks PSIRT discovery during proactive auditing of the User-ID subsystem. No AI-tool credit in the vendor advisory; classed under vendor_research per Hard Rule #1 (no silent upgrades).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted exploit development reported in the vendor advisory or downstream reporting.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA KEV listing 2026-05-06 reflects vendor-confirmed limited in-the-wild exploitation. Palo Alto PSIRT bulletin attributes the activity to a 'sophisticated threat actor' targeting perimeter PAN-OS deployments with the User-ID Authentication Portal feature enabled.",
+    "affected": "Palo Alto Networks PAN-OS on PA-Series hardware appliances + VM-Series virtual firewalls with the User-ID Authentication Portal feature exposed to untrusted networks. Prisma Access, Cloud NGFW, and Panorama are NOT affected — the vulnerable code path lives in the on-device authentication-portal handler. Operational footprint covers a large fraction of enterprise perimeters and federal/SLTT firewalls.",
+    "affected_versions": [
+      "PAN-OS 10.2.x prior to the 2026-05-13 fixed release",
+      "PAN-OS 11.0.x prior to the 2026-05-13 fixed release",
+      "PAN-OS 11.1.x prior to the 2026-05-13 fixed release",
+      "PAN-OS 11.2.x prior to the 2026-05-13 fixed release"
+    ],
+    "vector": "Pre-auth network — a crafted HTTPS request to the User-ID Authentication Portal endpoint triggers an out-of-bounds write in the request-parsing logic, leading to remote code execution as root on the firewall data plane. No credentials or user interaction required; the only filter is portal reachability.",
+    "complexity": "low",
+    "complexity_notes": "Single-shot HTTPS request. Operationally the only practical limiter is whether the Authentication Portal is reachable from the attacker's network position — internet-exposed portals are immediate; portals fronted by IP allowlist or external auth require pivot.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "PAN-OS content updates and threat-prevention signatures applied via dynamic-updates without firewall restart provide compensating detection while the binary upgrade is staged",
+      "Temporary mitigation: disable the User-ID Authentication Portal feature on internet-facing interfaces until the binary upgrade is applied — operator-side configuration change, no restart needed"
+    ],
+    "vendor_update_paths": [
+      "PAN-OS upgrade to vendor-released fixed train (2026-05-13) on PA-Series and VM-Series appliances; firewall reboot required to land the data-plane binary."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day SI-2 SLA insufficient for pre-auth unauth RCE on the perimeter. KEV due date 2026-05-27 (21 days) tightens the federal expectation but does not align with private-sector SI-2 baselines.",
+      "NIS2-Art21-vulnerability-management": "Essential-entity tier should treat perimeter firewall RCE as Tier-1; framework does not name the perimeter-firewall control-plane class explicitly.",
+      "ISO-27001-2022-A.8.8": "Appropriate timescales for technical-vulnerability management are undefined for perimeter-network appliances with unauth RCE exposure.",
+      "DORA-Art-9": "Financial-services ICT third-party risk does not differentiate between perimeter-firewall vendor patch path and feature-disable mitigation path."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1133",
+      "T1068"
+    ],
+    "rwep_score": 73,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 5
+    },
+    "rwep_notes": "P0 — KEV-listed pre-auth unauth RCE on a Tier-1 perimeter appliance. blast_radius=28 reflects the enterprise-perimeter footprint without claiming the full 30-point cap (Prisma + Cloud NGFW + Panorama are unaffected, narrowing the population vs a universally-deployed PAN-OS bug).",
+    "epss_score": null,
+    "epss_date": "2026-05-15",
+    "epss_note": "EPSS score not yet computed for CVE-2026-0300 at intake. Refresh via `exceptd refresh --source epss` once FIRST API publishes a value; cold-start EPSS frequently understates fresh KEV-listed perimeter RCEs.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-0300",
+    "cwe_refs": [
+      "CWE-787",
+      "CWE-306"
+    ],
+    "source_verified": "2026-05-15",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-0300",
+      "https://www.cisa.gov/news-events/alerts/2026/05/06/cisa-adds-one-known-exploited-vulnerability-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Palo Alto Networks PSIRT",
+        "advisory_id": "CVE-2026-0300",
+        "url": "https://security.paloaltonetworks.com/CVE-2026-0300",
+        "severity": "critical",
+        "published_date": "2026-05-13"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": null,
+        "url": "https://www.cisa.gov/news-events/alerts/2026/05/06/cisa-adds-one-known-exploited-vulnerability-catalog",
+        "severity": "critical",
+        "published_date": "2026-05-06"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "HTTPS request to the User-ID Authentication Portal endpoint with an unusually long URI path component or oversized parameter value (>2 KB) — the OOB-write path keys on length-bounded parsing the request exceeds",
+        "PAN-OS device-log entries with auth-portal request-parsing errors immediately preceding an out-of-process auth-portal worker restart"
+      ],
+      "behavioral": [
+        "Outbound connection from PAN-OS management plane to a host NOT in the operator's update-server allowlist immediately after an inbound HTTPS auth-portal request from an external IP",
+        "Auth-portal request originating from a single source IP with no prior baseline of legitimate auth-portal traffic, followed within seconds by configuration-read XML-API calls from the same control-plane session"
+      ],
+      "version_exposure": [
+        "PAN-OS version below the 2026-05-13 fixed train AND `show user-id authentication-portal` reports an enabled portal AND the firewall's untrust interface accepts traffic to the portal listener"
+      ]
+    },
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Internal discovery by Palo Alto Networks PSIRT during proactive authentication-subsystem auditing; vendor advisory published 2026-05-13 alongside CISA KEV listing 2026-05-06. No AI-tool credit. Source: https://security.paloaltonetworks.com/CVE-2026-0300 and https://www.cisa.gov/news-events/alerts/2026/05/06/cisa-adds-one-known-exploited-vulnerability-catalog."
+  },
+  "CVE-2026-39987": {
+    "_draft": true,
+    "_auto_imported": true,
+    "name": "Marimo Python Notebook Pre-Auth WebSocket Terminal RCE",
+    "type": "rce",
+    "cvss_score": 9.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-04-23",
+    "cisa_kev_due_date": "2026-05-07",
+    "poc_available": true,
+    "poc_description": "Sysdig published the exploitation chain within 10 hours of disclosure: any HTTP client can open a WebSocket to `/terminal/ws` on an exposed Marimo instance and receive a PTY shell as the notebook-server user without presenting credentials. NKAbuse blockchain-botnet samples observed deploying within the same window via Hugging Face-hosted Marimo notebooks.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Discovery credited to marimo-team's internal security review of the terminal subsystem after a Sysdig honeypot caught early scanning. Marimo is AI/ML-developer infrastructure (the vulnerable surface is in the AI tooling stack) but the bug itself was not found by an AI tool — classed as vendor_research per Hard Rule #1.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted exploit development reported. The exploit primitive is a single WebSocket connect; weaponization complexity is trivial.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Sysdig confirmed in-the-wild exploitation within ~10 hours of public disclosure, with NKAbuse blockchain-botnet payloads observed deploying via Hugging Face-hosted Marimo notebook instances. CISA KEV listing 2026-04-23 reflects federal-relevant exploitation evidence.",
+    "affected": "marimo-team / Marimo Python reactive notebook server — popular AI/ML notebook surface used in research labs, Hugging Face Spaces, internal data-science platforms. Affected installs include Hugging Face-hosted Marimo Spaces that did not auto-update.",
+    "affected_versions": [
+      "marimo <= 0.20.4",
+      "marimo < 0.23.0 (fixed in 0.23.0)"
+    ],
+    "vector": "Marimo's notebook server exposed a `/terminal/ws` WebSocket endpoint that spawned a PTY shell on connect WITHOUT performing any authentication check. Any attacker who could reach the notebook-server port (default 2718) could open the WebSocket and immediately execute commands as the notebook-server user. No notebook code execution, no notebook ownership, no token required.",
+    "complexity": "low",
+    "complexity_notes": "Single WebSocket connect with no auth headers. Operationally the only practical filter is network reachability — internet-exposed Marimo instances are immediate; localhost-only instances require pivot through another host vulnerability.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Upgrade marimo to 0.23.0+ (auth check added to /terminal/ws WebSocket handshake)",
+      "Temporary mitigation: bind the notebook server to localhost (--host 127.0.0.1) until upgrade is applied — operator-side configuration change, no restart of the notebook itself required",
+      "Temporary mitigation: front the notebook server with a reverse proxy that requires authentication on /terminal/ws"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not name AI/ML notebook surfaces as a class; framework's web-application control set treats /terminal/ws as ordinary web infrastructure.",
+      "OWASP-LLM-Top-10-2025-LLM05": "Insecure plugin / tool surfaces — LLM Top-10 names plugin-trust risks but does not address the AI/ML notebook-server admin-surface attack class.",
+      "EU-AI-Act-Art-15": "Robustness + cybersecurity requirement is undefined operationally for AI development surfaces (notebook servers, model hubs, dataset registries).",
+      "NIS2-Art21-incident-handling": "Generic incident-handling controls without AI/ML-developer-surface-specific guidance."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0010"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1133"
+    ],
+    "rwep_score": 62,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P1 — KEV-listed, pre-auth unauth RCE on a moderate-footprint AI/ML developer surface. blast_radius=22 reflects Marimo's substantial-but-not-universal AI/ML developer adoption (smaller than nginx/Exchange-class population, larger than niche-tool population).",
+    "epss_score": null,
+    "epss_date": "2026-05-15",
+    "epss_note": "EPSS score not yet refreshed for CVE-2026-39987 at intake. Refresh via `exceptd refresh --source epss` once FIRST API publishes a value.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-39987",
+    "cwe_refs": [
+      "CWE-306",
+      "CWE-78"
+    ],
+    "source_verified": "2026-05-15",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-39987",
+      "https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "marimo-team",
+        "advisory_id": null,
+        "url": "https://github.com/marimo-team/marimo/security/advisories",
+        "severity": "critical",
+        "published_date": "2026-04-21"
+      },
+      {
+        "vendor": "Sysdig Threat Research",
+        "advisory_id": null,
+        "url": "https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface",
+        "severity": "critical",
+        "published_date": "2026-04-23"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": null,
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "critical",
+        "published_date": "2026-04-23"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "WebSocket handshake against `/terminal/ws` on a Marimo server (default port 2718) WITHOUT an Authorization / Cookie / token query parameter — pre-0.23.0 the endpoint accepts the connection unconditionally and spawns a PTY",
+        "NKAbuse-class payload markers in /tmp, /var/tmp, or the notebook-server user's home — the campaign's blockchain-botnet binary writes initial implants to predictable temp paths"
+      ],
+      "behavioral": [
+        "PTY process (bash, sh, python -i) parented by the marimo notebook-server process with no corresponding notebook-cell-execute log entry — terminal sessions opened via the unauthenticated /terminal/ws path leave no notebook-cell audit trail",
+        "Outbound connection from a Marimo notebook host to NKAbuse / blockchain-botnet C2 infrastructure (Sysdig blog enumerates the campaign's domains) within minutes of an inbound /terminal/ws WebSocket handshake from an external IP",
+        "Marimo notebook server bound to 0.0.0.0 (not 127.0.0.1) on a host with internet-routable IP AND server version below 0.23.0"
+      ],
+      "version_exposure": [
+        "Marimo server reports a version in the affected_versions range AND `/terminal/ws` returns HTTP 101 Switching Protocols on a WebSocket handshake without auth"
+      ]
+    },
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Marimo team's security review of the terminal subsystem prompted by Sysdig honeypot evidence; vendor advisory + Sysdig blog jointly disclosed 2026-04-21 / 2026-04-23. No AI-tool credit for the discovery; the vulnerable component IS an AI/ML developer surface but the bug was found by conventional human review. Source: https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface and https://github.com/marimo-team/marimo/security/advisories."
+  },
+  "CVE-2026-6973": {
+    "_draft": true,
+    "_auto_imported": true,
+    "name": "Ivanti EPMM Authenticated-Admin RCE",
+    "type": "rce",
+    "cvss_score": 7.2,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-07",
+    "cisa_kev_due_date": "2026-05-10",
+    "poc_available": true,
+    "poc_description": "Ivanti confirmed in-wild exploitation of the authenticated-admin RCE path. Public exploit details withheld during the 3-day KEV window but vendor advisory enumerates the affected endpoints; the chain accepts attacker-controlled input through an admin-only management endpoint that fails to validate parameter shape, reaching a shell-out with attacker-controlled arguments.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Vendor-side discovery by Ivanti's product-security team during admin-surface review. No AI-tool credit in the vendor advisory; classed as vendor_research per Hard Rule #1.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported in vendor or Help Net Security coverage.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA KEV listing 2026-05-07 with a 3-day due date (the tightest standard KEV deadline) reflects vendor-confirmed in-the-wild exploitation targeting on-premise EPMM admin consoles. Threat-actor TTPs cluster on enterprise-mobility-management surfaces consistent with prior Ivanti-EPMM campaigns.",
+    "affected": "Ivanti Endpoint Manager Mobile (EPMM) on-premise — enterprise mobile-device-management platform. Cloud-hosted Ivanti Neurons for MDM is unaffected. Operational footprint covers enterprise + government MDM deployments with internet-reachable admin consoles or admin sessions reachable from compromised internal hosts.",
+    "affected_versions": [
+      "Ivanti EPMM < 12.6.1.1",
+      "Ivanti EPMM < 12.7.0.1",
+      "Ivanti EPMM < 12.8.0.1"
+    ],
+    "vector": "Authenticated administrator with access to a specific management endpoint can supply crafted parameter values that bypass server-side input validation, reaching a code-execution sink. Result: arbitrary OS-level code execution as the EPMM service account, which typically holds elevated privileges on the EPMM host and access to the device-fleet management database.",
+    "complexity": "low",
+    "complexity_notes": "Once an attacker has admin credentials (via password spray, stolen MDM admin token, or supply-chain compromise of an integration), the RCE primitive itself is a single API call. Operational difficulty is in obtaining the admin foothold, not in landing the exploit.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Upgrade EPMM to 12.6.1.1 / 12.7.0.1 / 12.8.0.1 (matching the operator's installed train) — service restart only, no host reboot",
+      "Temporary mitigation: restrict admin-console access to a small set of operator IP ranges via firewall / WAF rule until the binary upgrade is applied"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-6": "Least privilege controls do not address the admin-surface-RCE class — the bug presumes an admin foothold and trades that foothold for full host compromise, which AC-6 does not constrain.",
+      "NIST-800-53-SI-2": "30-day SLA insufficient for KEV-listed authenticated-admin RCE on a fleet-management platform; KEV due date 2026-05-10 (3 days) is unusually tight even by federal standards.",
+      "NIS2-Art21-identity-management": "Privileged-account controls assume admin-account compromise is the breach; the EPMM RCE class additionally trades that admin position for host-level compromise, expanding blast radius beyond the MDM application boundary.",
+      "ISO-27001-2022-A.8.7": "Privileged-access management controls don't address admin-surface-to-host privilege escalation paths within MDM platforms."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1078",
+      "T1059",
+      "T1068"
+    ],
+    "rwep_score": 62,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P1 — KEV-listed authenticated-admin RCE with a 3-day federal due date. blast_radius=22 reflects enterprise MDM admin-surface footprint; the auth prerequisite caps the score below pre-auth perimeter RCEs like CVE-2026-0300.",
+    "epss_score": null,
+    "epss_date": "2026-05-15",
+    "epss_note": "EPSS score not yet refreshed for CVE-2026-6973 at intake. Refresh via `exceptd refresh --source epss`.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-6973",
+    "cwe_refs": [
+      "CWE-20",
+      "CWE-94"
+    ],
+    "source_verified": "2026-05-15",
+    "verification_sources": [
+      "https://www.cisa.gov/news-events/alerts/2026/05/07/cisa-adds-one-known-exploited-vulnerability-catalog",
+      "https://www.helpnetsecurity.com/2026/05/08/ivanti-epmm-zero-day-cve-2026-6973/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Ivanti",
+        "advisory_id": "CVE-2026-6973",
+        "url": "https://forums.ivanti.com/s/article/Security-Advisory-EPMM-CVE-2026-6973",
+        "severity": "high",
+        "published_date": "2026-05-07"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": null,
+        "url": "https://www.cisa.gov/news-events/alerts/2026/05/07/cisa-adds-one-known-exploited-vulnerability-catalog",
+        "severity": "high",
+        "published_date": "2026-05-07"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "EPMM admin-console request to the affected management endpoint with parameter values containing shell metacharacters (`;`, `|`, `&`, `$()`, backtick, `>`, `<`) or path-traversal sequences",
+        "EPMM application log entries showing parameter-validation failures immediately preceding a child-process spawn from the EPMM service account"
+      ],
+      "behavioral": [
+        "EPMM service account spawning shells (bash, sh, cmd.exe, powershell.exe) without a corresponding operator console session in the application audit log",
+        "Outbound connection from the EPMM host to a non-vendor, non-Apple/Google/Microsoft destination within seconds of an admin-console parameter-validation failure log entry",
+        "EPMM admin-account session originating from a source IP not in the operator's admin-IP allowlist AND issuing requests to the affected management endpoint"
+      ],
+      "credential_paths_scanned": [
+        "EPMM application database connection strings stored on the host (typically /opt/ivanti/* or C:\\Program Files\\Ivanti\\*)",
+        "EPMM TLS private keys and APNs / FCM push credentials reachable from the EPMM service account"
+      ],
+      "version_exposure": [
+        "EPMM installed version below 12.6.1.1 / 12.7.0.1 / 12.8.0.1 AND admin console reachable from the network the attacker can reach"
+      ]
+    },
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Internal Ivanti product-security discovery; vendor advisory + CISA KEV listing jointly published 2026-05-07 with a 3-day due date reflecting confirmed in-wild exploitation. No AI-tool credit. Source: https://forums.ivanti.com/s/article/Security-Advisory-EPMM-CVE-2026-6973 and https://www.helpnetsecurity.com/2026/05/08/ivanti-epmm-zero-day-cve-2026-6973/."
+  },
+  "CVE-2026-42897": {
+    "_draft": true,
+    "_auto_imported": true,
+    "name": "Microsoft Exchange OWA Stored XSS / Spoofing Zero-Day",
+    "type": "stored-xss",
+    "cvss_score": 8.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-15",
+    "cisa_kev_due_date": "2026-06-05",
+    "poc_available": true,
+    "poc_description": "Microsoft Security Response Center confirmed in-wild exploitation observed prior to disclosure. The vulnerability is a stored XSS triggered during OWA's web-page generation when rendering attacker-crafted email content; the payload executes in the victim's authenticated OWA session, enabling token theft, mailbox-wide access, and OWA-mediated spoofing of further internal mail. No patch was available at disclosure — Microsoft directed operators to enable the Exchange Emergency Mitigation Service (EEMS) for vendor-pushed mitigation rules.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Microsoft MSRC discovery from in-wild attack telemetry; no AI-tool credit in the MSRC blog post or downstream BleepingComputer coverage. Classed as vendor_research per Hard Rule #1.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted exploit development reported. The XSS primitive is conventional; novelty is in the OWA-page-generation context where the payload renders against the victim's auth context.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Microsoft MSRC blog explicitly states observed in-the-wild exploitation prior to disclosure. CISA KEV listing same-day (2026-05-15) reflects federal-relevant exploitation evidence. Threat-actor profile not publicly attributed at disclosure.",
+    "affected": "Microsoft Exchange Server SE RTM, Exchange Server 2019, Exchange Server 2016 on-premise deployments. Exchange Online (Microsoft 365 / cloud-hosted Exchange) is NOT affected — the vulnerable code path lives in the on-premise OWA rendering pipeline. Operational footprint covers a large fraction of enterprise + government on-prem Exchange installations.",
+    "affected_versions": [
+      "Microsoft Exchange Server SE RTM (all CUs prior to the post-disclosure fix)",
+      "Microsoft Exchange Server 2019 (all CUs prior to the post-disclosure fix)",
+      "Microsoft Exchange Server 2016 (all CUs prior to the post-disclosure fix)"
+    ],
+    "vector": "An attacker sends a crafted email to any mailbox hosted on the affected Exchange Server. When the recipient opens the message in Outlook on the Web (OWA), Exchange's OWA page-generation pipeline renders the attacker-controlled content without sanitizing a specific element class, allowing stored XSS to execute in the recipient's authenticated OWA session. The payload can spoof internal mail, exfiltrate session tokens, and read/modify the victim's mailbox via OWA APIs.",
+    "complexity": "low",
+    "complexity_notes": "Single crafted email triggers the chain on victim's first OWA render. No additional auth or interaction beyond opening the message. Operationally the limiter is OWA usage — operators whose users access mail exclusively via Outlook desktop (MAPI / RPC over HTTPS) are less exposed than browser-OWA-heavy organizations.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No patch available at disclosure. Microsoft directs operators to enable Exchange Emergency Mitigation Service (EEMS) which receives vendor-pushed mitigation rules without requiring an Exchange service restart. EEMS is a workaround, not a patch — the vulnerable code path remains present; EEMS rules filter the attack pattern. Both patch_available and live_patch_available are recorded as false to reflect the absence of true remediation at intake; refresh once a binary fix is released.",
+    "vendor_update_paths": [
+      "Enable Exchange Emergency Mitigation Service (EEMS) — receives vendor-pushed mitigation rules within hours of MSRC release. Operator-side: confirm `Get-MitigationsApplied` shows current rules.",
+      "Restrict OWA access to known-good source IPs / VPN-attached endpoints via published-protocol rules in Exchange or a reverse proxy until a binary fix ships.",
+      "Once Microsoft releases the binary CU, install via standard Exchange-update path; Exchange service restart required."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "SI-2 patch-management SLA is undefined when no patch exists. EEMS-style vendor-pushed mitigation rules occupy an awkward gap between 'compensating control' and 'patch'; federal frameworks do not name this class explicitly.",
+      "NIST-800-53-SC-7": "Boundary protection — restricting OWA exposure is the operational mitigation path but framework's web-application boundary controls don't address email-delivered XSS-in-OWA-rendering as a distinct class.",
+      "NIS2-Art21-incident-handling": "24-hour incident-notification window applies if exploitation is confirmed in operator's environment. Mitigation-only state during the patch gap complicates the 'remediation timeline' field on the notification.",
+      "DORA-Art-9": "Financial-services ICT third-party risk does not differentiate between vendor-supplied binary patch and vendor-supplied mitigation-rule path during a true zero-day.",
+      "EU-CRA-Art13": "Cyber Resilience Act vendor-vulnerability-handling requirement is in awkward territory when the vendor releases a mitigation-rule update but not a binary fix — the rule pushes the burden of 'fix' onto the operator's EEMS-enablement state."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1566",
+      "T1078"
+    ],
+    "rwep_score": 93,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P0 — KEV-listed zero-day with no binary patch at disclosure. blast_radius=28 reflects the global on-prem Exchange footprint. The 0 patch_available factor (no negative offset) is what drives the unusually high RWEP relative to most KEV-listed entries; operators cannot apply the standard -15 patch credit because there is no patch to apply. EEMS-based mitigation is captured in vendor_update_paths but does not satisfy live_patch_available (mitigation rule, not a code-path fix).",
+    "epss_score": null,
+    "epss_date": "2026-05-15",
+    "epss_note": "EPSS score not available at same-day intake. Refresh via `exceptd refresh --source epss` once FIRST publishes.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-42897",
+    "cwe_refs": [
+      "CWE-79"
+    ],
+    "source_verified": "2026-05-15",
+    "verification_sources": [
+      "https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498",
+      "https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Microsoft MSRC",
+        "advisory_id": "CVE-2026-42897",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897",
+        "severity": "high",
+        "published_date": "2026-05-15"
+      },
+      {
+        "vendor": "Microsoft Exchange Team Blog",
+        "advisory_id": null,
+        "url": "https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498",
+        "severity": "high",
+        "published_date": "2026-05-15"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": null,
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-05-15"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "Inbound email to an on-prem Exchange-hosted mailbox containing an HTML element class flagged by EEMS rule pushed 2026-05-15 — operators with EEMS enabled get the exact payload signature in Get-MitigationsApplied output",
+        "OWA-rendered message body executing JavaScript not present in any other message from the same sender — XSS-payload-in-mail-body signature"
+      ],
+      "behavioral": [
+        "OWA session token observed in use from a source IP not seen in the user's prior 90-day OWA access baseline, within minutes of the user opening a message from an external sender",
+        "OWA mailbox-API calls (move-message, send-message, set-forwarding-rule) from a session whose initial OWA page load was the only legitimate user-initiated action — XSS-driven follow-on activity signature",
+        "Internal mail traffic where the apparent sender is the victim user but the SMTP submission source is OWA from an unusual session — OWA-mediated spoofing signature"
+      ],
+      "forensic_note": "Defenders should snapshot the OWA IIS logs + Exchange transport logs covering the attack window BEFORE applying EEMS rules; the EEMS rule strips the payload pattern from subsequent renders, but historical IIS log entries retain the request shape that surfaces the exploitation."
+    },
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Microsoft MSRC discovery from in-the-wild exploitation telemetry; disclosed 2026-05-15 with concurrent CISA KEV listing and Exchange Team blog publication. No binary patch at disclosure; mitigation via Exchange Emergency Mitigation Service. No AI-tool credit. Source: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498 and https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks/."
+  },
+  "CVE-2026-32202": {
+    "_draft": true,
+    "_auto_imported": true,
+    "name": "Microsoft Windows Shell LNK Mark-of-the-Web Bypass (APT28)",
+    "type": "protection-mechanism-failure",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_correction_note": "CVSS 7.5 is an intake-time estimate aligned with Microsoft's typical LNK-MOTW-bypass scoring; refresh once NVD publishes the authoritative vector.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-04-28",
+    "cisa_kev_due_date": "2026-05-19",
+    "poc_available": true,
+    "poc_description": "APT28 (Fancy Bear) in-wild weaponization of crafted LNK files that bypass Windows' Mark-of-the-Web protection. The exploitation chain pairs CVE-2026-32202 with CVE-2026-21513 to convert a downloaded LNK file into a SmartScreen-suppressed execution path. The chain represents an incomplete-patch class — CVE-2026-21510 attempted to close the same MOTW-bypass surface but did so incompletely, enabling the CVE-2026-32202 re-exploit primitive.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "APT28 weaponization discovered by Microsoft MAPP partners + Help Net Security reporting; no AI-tool credit on the defender-side discovery. Threat-actor side (APT28) is well-known nation-state tradecraft, not AI-assisted exploit development. Classed as vendor_research per Hard Rule #1.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted exploit development reported. APT28's LNK-weaponization toolkit predates AI-assisted exploit-development tooling by years; the CVE-2026-32202 primitive is an extension of established LNK tradecraft, not an AI-discovery.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Microsoft + Help Net Security confirmed APT28 (Fancy Bear) in-the-wild weaponization. CISA KEV listing 2026-04-28 with standard 21-day due date 2026-05-19 reflects federal-relevant nation-state exploitation. Chains with CVE-2026-21513 and is the incomplete-patch follow-up to CVE-2026-21510.",
+    "affected": "Microsoft Windows 10 (all supported builds), Windows 11 (all supported builds), Windows Server 2016 / 2019 / 2022 / 2025. Operational footprint is the entire Windows endpoint + server fleet on supported releases — broad-population MOTW-bypass primitive.",
+    "affected_versions": [
+      "Windows 10 — all supported builds prior to the 2026-04 Patch Tuesday update",
+      "Windows 11 — all supported builds prior to the 2026-04 Patch Tuesday update",
+      "Windows Server 2016 / 2019 / 2022 / 2025 — all supported builds prior to the 2026-04 Patch Tuesday update"
+    ],
+    "vector": "An attacker delivers a crafted LNK file via phishing email, drive-by download, or removable-media plant. When the victim interacts with the LNK (typically a double-click), Windows Shell processes the shortcut and fails to enforce the Mark-of-the-Web origin tag, suppressing the SmartScreen download-origin warning that would normally prompt the user. The LNK target executes with the user's normal privileges; combined with CVE-2026-21513 the chain reaches code execution paths that bypass SmartScreen reputation checks entirely.",
+    "complexity": "low",
+    "complexity_notes": "LNK weaponization is a commodity primitive for nation-state actors; the bypass component is a one-bit MOTW-flag suppression. User interaction is required (the victim must open the LNK) — operationally APT28-grade phishing lures clear this bar reliably.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Standard Windows servicing path; April 2026 Patch Tuesday cumulative update closes the bypass. No live-patch primitive for shell-layer code; reboot is required to land the kernel + shell components of the update.",
+    "vendor_update_paths": [
+      "Install April 2026 Patch Tuesday cumulative update (KB matching the affected Windows build); reboot required.",
+      "Operator-side temporary mitigation: enforce Attack Surface Reduction (ASR) rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' to blunt LNK-delivered second-stage payloads while patches stage.",
+      "Operator-side temporary mitigation: SmartScreen / WDAC policies that block LNK files from the Downloads folder and email-attachment quarantine paths."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Malicious-code protection (AV / SmartScreen / WDAC) is the standard control for LNK-bypass class; framework does not name MOTW-flag enforcement as a distinct sub-control.",
+      "NIST-800-53-SC-44": "Detonation chambers (sandboxes) are the framework's nominal answer for LNK-delivered payloads; SC-44 does not address the MOTW-enforcement bypass that nullifies the user-facing warning prompt.",
+      "NIST-800-53-SI-2": "30-day SI-2 SLA insufficient for KEV-listed nation-state-weaponized LNK-MOTW-bypass on the global Windows fleet; KEV due 2026-05-19 (21 days) tightens but does not align.",
+      "ISO-27001-2022-A.8.7": "Malicious-code protection controls don't address incomplete-patch re-exploit class (CVE-2026-32202 as the re-exploit of CVE-2026-21510's incomplete fix).",
+      "CIS-Controls-v8-10.1": "Malware defense controls assume MOTW + SmartScreen prompt enforcement; the bypass class voids the user-facing prompt without changing the MOTW flag at rest."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1566",
+      "T1027"
+    ],
+    "rwep_score": 85,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "P0 — KEV-listed nation-state-weaponized MOTW-bypass on the global Windows fleet. blast_radius=30 reflects the universal Windows-endpoint footprint (no narrowing config filter — every supported Windows build is in scope). The +5 reboot_required factor reflects the operational reality that Windows fleet reboot is the limiter on patch landing.",
+    "epss_score": null,
+    "epss_date": "2026-05-15",
+    "epss_note": "EPSS score not yet refreshed at intake; refresh via `exceptd refresh --source epss`. APT28-class weaponization typically drives EPSS rapidly upward once FIRST observes scanning.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-32202",
+    "cwe_refs": [
+      "CWE-345",
+      "CWE-353"
+    ],
+    "source_verified": "2026-05-15",
+    "verification_sources": [
+      "https://www.helpnetsecurity.com/2026/04/29/windows-cve-2026-32202-exploited/",
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Microsoft MSRC",
+        "advisory_id": "CVE-2026-32202",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202",
+        "severity": "high",
+        "published_date": "2026-04-28"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": null,
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-04-28"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "LNK files delivered via email attachment, archive payload (zip / iso / img), or drive-by download whose target path resolves to a non-system executable AND whose Zone.Identifier alternate-data-stream is present-but-suppressed at Shell-resolve time",
+        "LNK files whose target arguments contain LOLBin paths (rundll32.exe, regsvr32.exe, mshta.exe, wscript.exe, cscript.exe, conhost.exe) — APT28 weaponization signature",
+        "LNK target path containing UNC reference (\\\\<attacker-host>\\<share>\\<file>) — staged-execution via SMB pull"
+      ],
+      "behavioral": [
+        "explorer.exe spawning a LOLBin (rundll32 / regsvr32 / mshta / wscript / cscript) where the parent context is a Shell LNK-execute AND the LNK origin path is in {Downloads, %TEMP%, %APPDATA%\\Local\\Temp, archive-extraction temp paths}",
+        "SmartScreen log entry showing a download-class file executed without a corresponding user-prompt event in the SmartScreen telemetry — MOTW-suppression signature",
+        "APT28-attributed C2 infrastructure (rotation of domains and IPs published by Microsoft + CISA + Mandiant) contacted shortly after explorer.exe spawns a child process from a recently-downloaded LNK"
+      ],
+      "version_exposure": [
+        "Windows build number below the April 2026 Patch Tuesday update AND user environment includes routine receipt of email attachments or removable-media interaction"
+      ]
+    },
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "APT28 (Fancy Bear) in-the-wild weaponization observed by Microsoft + Help Net Security 2026-04-28; CVE-2026-32202 represents an incomplete-patch re-exploit of CVE-2026-21510 and chains with CVE-2026-21513 in the operational APT28 toolkit. Nation-state tradecraft; no AI-tool credit on either the discovery or weaponization side. Source: https://www.helpnetsecurity.com/2026/04/29/windows-cve-2026-32202-exploited/ and https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202."
+  },
+  "CVE-2026-33825": {
+    "_draft": true,
+    "_auto_imported": true,
+    "name": "BlueHammer — Microsoft Defender File-Remediation TOCTOU LPE",
+    "type": "race-condition",
+    "cvss_score": 7.8,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-04-22",
+    "cisa_kev_due_date": "2026-05-06",
+    "poc_available": true,
+    "poc_description": "Picus Security 'BlueHammer' / RedSun published a working PoC BEFORE Microsoft released the patch — true zero-day disclosure. The race window is in Defender's file-remediation logic: after Defender flags a malicious file, the remediation step opens the path-to-quarantine sequence non-atomically, and an attacker-controlled junction / symlink swap during the TOCTOU window redirects the remediation operation against a SYSTEM-owned file, producing an arbitrary-file-overwrite primitive that escalates to SYSTEM via standard overwrite-to-LPE techniques.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Discovery by Picus Security research team (the BlueHammer / RedSun writeup); no AI-tool credit in their blog post. Conventional Windows-Defender internals research. Classed as vendor_research per Hard Rule #1 (Picus is a third-party security-research firm, not a model-discovery tool).",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted exploit development. The race-window primitive is conventional TOCTOU race-condition exploitation; the novelty is the target (Defender's remediation pipeline) not the technique.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Picus published a working PoC before Microsoft released a patch — this is the textbook 'public exploit before patch' true-zero-day scenario. CISA KEV listing 2026-04-22 with a 14-day due date (2026-05-06) reflects the unusual urgency. In-wild exploitation observed by Microsoft + Picus telemetry within hours of PoC publication.",
+    "affected": "Microsoft Windows 10 / 11 endpoints with Microsoft Defender Antivirus enabled — the global Defender-enabled Windows fleet. Includes fully-patched Windows hosts where the only mitigation is the Defender platform update, not the Windows OS update. Picus PoC reproduces on fully-patched Windows 11 with current Defender signatures.",
+    "affected_versions": [
+      "Microsoft Defender Antivirus on Windows 10 / 11 — platform versions prior to the post-disclosure platform update (typically 4.18.2604.x and later carry the fix)",
+      "Microsoft Defender file-remediation engine versions prior to the post-disclosure remediation-pipeline rewrite"
+    ],
+    "vector": "An unprivileged local attacker drops a file that Defender's real-time-protection engine flags for remediation. During the gap between Defender's identify-as-malicious decision and its quarantine-the-file action, the attacker swaps the path with a directory junction / symlink pointing at a SYSTEM-owned target. Defender then performs the remediation (move-to-quarantine / overwrite-with-stub) against the SYSTEM-owned file, granting the attacker an arbitrary-file-overwrite primitive that escalates to SYSTEM via standard 'write controlled bytes to SYSTEM-only path' techniques (DLL planting on PATH precedence, scheduled-task XML overwrite, service-binary path overwrite).",
+    "complexity": "moderate",
+    "complexity_notes": "TOCTOU race-condition exploitation requires winning the window between Defender's detect and remediate steps. Picus PoC documents the window as wide enough to win deterministically on standard endpoint hardware; race-tuning needed only on heavily-loaded or virtualized hosts. AC:H in CVSS reflects this race-tuning requirement.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Microsoft Defender platform update (delivered via Defender's auto-update channel; no Windows reboot required — Defender restarts its own service on update)",
+      "Operator-side temporary mitigation: configure Defender exclusions to skip user-writable directories where the race primitive lands (workaround only; not a defense if attacker can write to non-excluded paths)"
+    ],
+    "vendor_update_paths": [
+      "Microsoft Defender platform auto-update channel (preferred; deploys without operator action on default-configured endpoints)",
+      "Manual Defender platform update via Get-MpComputerStatus + Update-MpSignature on hosts where auto-update is restricted by policy"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Malicious-code protection controls assume the malicious-code-protection AGENT (Defender) is itself trustworthy; the BlueHammer class trades the AV's elevated remediation context for an LPE primitive — SI-3 does not anticipate the AV being the exploit primitive.",
+      "NIST-800-53-AC-6": "Least privilege presumes a clean separation between unprivileged user code and SYSTEM-context services; AV-mediated TOCTOU breaks the assumption that AV remediation paths cannot be coerced by unprivileged users.",
+      "NIST-800-53-SI-2": "Public exploit before patch — SI-2 30-day SLA insufficient; KEV due 2026-05-06 (14 days) reflects the public-exploit-before-patch urgency.",
+      "ISO-27001-2022-A.8.7": "Malicious-code protection controls do not name the 'AV agent as exploit primitive' class.",
+      "CIS-Controls-v8-10.1": "Malware defense controls treat the AV as a defense, not as an attack surface; the AV-platform-update path is the operator's only true remediation here."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1068",
+      "T1078"
+    ],
+    "rwep_score": 68,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P1 — KEV-listed true-zero-day (public exploit before patch) targeting the Defender platform on the global Windows-with-Defender fleet. blast_radius=28 reflects the Defender-enabled Windows population (smaller than the full Windows fleet by the slice running third-party AV instead of Defender). live_patch_available=true reflects Defender's auto-update channel, which lands the fix without a Windows reboot.",
+    "epss_score": null,
+    "epss_date": "2026-05-15",
+    "epss_note": "EPSS score not yet refreshed at intake; refresh via `exceptd refresh --source epss`. Public-exploit-before-patch class typically scores high on EPSS within 48 hours of FIRST observation.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-33825",
+    "cwe_refs": [
+      "CWE-362"
+    ],
+    "source_verified": "2026-05-15",
+    "verification_sources": [
+      "https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained",
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Microsoft MSRC",
+        "advisory_id": "CVE-2026-33825",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825",
+        "severity": "high",
+        "published_date": "2026-04-22"
+      },
+      {
+        "vendor": "Picus Security",
+        "advisory_id": null,
+        "url": "https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained",
+        "severity": "high",
+        "published_date": "2026-04-22"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": null,
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-04-22"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "Files written to user-writable paths that Defender flags during real-time-protection scan, followed within milliseconds by the same path being replaced with a directory junction / symlink pointing at C:\\Windows\\System32\\* or C:\\ProgramData\\Microsoft\\Windows Defender\\* — Picus PoC race primitive signature",
+        "Process creating a directory junction (mklink /J) or NTFS reparse point referencing a SYSTEM-owned target path within 100 ms of a Defender real-time-protection notification on the same parent directory"
+      ],
+      "behavioral": [
+        "Microsoft Defender process (MsMpEng.exe) performing a file-rename / file-delete / file-write operation against a SYSTEM-owned path that did NOT exist when Defender's scan started — TOCTOU race signature",
+        "Unprivileged process spawned with SYSTEM token within seconds of a Defender remediation event in the host's Defender operational log",
+        "Defender platform version below the post-2026-04-22 update (Get-MpComputerStatus | Select AMEngineVersion, AMProductVersion) AND host has had a real-time-protection event in the last 24 hours"
+      ],
+      "version_exposure": [
+        "AMProductVersion below the platform update Microsoft released in the post-disclosure window — Get-MpComputerStatus surfaces the version; auto-update channel typically lands the fix within 48 hours on default-configured endpoints"
+      ]
+    },
+    "last_updated": "2026-05-15",
+    "discovery_attribution_note": "Picus Security ('BlueHammer' / RedSun research) published a working PoC before Microsoft released the patch — true zero-day disclosure 2026-04-22; CISA KEV listed same day with a 14-day due date. No AI-tool credit on the discovery; conventional Windows-Defender internals research. Source: https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained and https://www.cisa.gov/known-exploited-vulnerabilities-catalog."
   }
 }