@blamejs/exceptd-skills 0.12.31 → 0.12.32
- package/CHANGELOG.md +27 -0
- package/bin/exceptd.js +68 -12
- package/data/_indexes/_meta.json +6 -6
- package/data/_indexes/activity-feed.json +2 -2
- package/data/_indexes/catalog-summaries.json +2 -2
- package/data/_indexes/chains.json +869 -46
- package/data/_indexes/frequency.json +9 -0
- package/data/cve-catalog.json +18 -18
- package/data/cwe-catalog.json +31 -22
- package/data/framework-control-gaps.json +331 -6
- package/data/zeroday-lessons.json +580 -0
- package/manifest-snapshot.json +1 -1
- package/manifest-snapshot.sha256 +1 -1
- package/manifest.json +44 -44
- package/package.json +1 -1
- package/sbom.cdx.json +18 -18
- package/scripts/refresh-reverse-refs.js +63 -6
|
@@ -1252,5 +1252,585 @@
|
|
|
1252
1252
|
"ai_discovery_source": "human_researcher",
|
|
1253
1253
|
"ai_discovery_date": "2024-01-31",
|
|
1254
1254
|
"ai_assist_factor": "low"
|
|
1255
|
+
},
|
|
1256
|
+
"CVE-2026-0300": {
|
|
1257
|
+
"name": "PAN-UID — Palo Alto PAN-OS User-ID Authentication Portal Pre-Auth RCE",
|
|
1258
|
+
"lesson_date": "2026-05-15",
|
|
1259
|
+
"attack_vector": {
|
|
1260
|
+
"description": "Pre-auth out-of-bounds write in the PAN-OS User-ID Authentication Portal request-parsing path on the firewall control plane. Any host that can reach the portal's HTTPS endpoint achieves unauth root RCE on the perimeter device — i.e. on the system whose entire job is to enforce trust boundaries.",
|
|
1261
|
+
"privileges_required": "none — pre-authentication, network-reachable",
|
|
1262
|
+
"complexity": "low — single crafted HTTPS request to the portal endpoint",
|
|
1263
|
+
"ai_factor": "Not AI-discovered. Internal Palo Alto PSIRT proactive audit; no AI-tool credit in the vendor advisory."
|
|
1264
|
+
},
|
|
1265
|
+
"defense_chain": {
|
|
1266
|
+
"prevention": {
|
|
1267
|
+
"what_would_have_worked": "Restrict User-ID Authentication Portal exposure to management-network ranges only; disable the portal on perimeter interfaces where SSO is not in use; deploy threat-prevention signature push the moment vendor signatures land (Palo Alto pushed Threat Prevention IPS coverage same-day).",
|
|
1268
|
+
"was_this_required": false,
|
|
1269
|
+
"framework_requiring_it": null,
|
|
1270
|
+
"adequacy": "Network-segmentation hygiene reduces blast radius but does not eliminate it for organizations whose architecture intentionally exposes the portal to user populations."
|
|
1271
|
+
},
|
|
1272
|
+
"detection": {
|
|
1273
|
+
"what_would_have_worked": "Outbound-from-firewall connection monitoring (the firewall control plane should NEVER initiate outbound TCP except to the management plane and update servers); auth-portal request-rate anomaly detection; PAN-OS log-forwarding to an external SIEM with separate-trust-zone storage.",
|
|
1274
|
+
"was_this_required": false,
|
|
1275
|
+
"framework_requiring_it": null,
|
|
1276
|
+
"adequacy": "Detection-on-the-firewall is contraindicated when the firewall IS the compromise — telemetry must egress to a separate-trust-zone collector."
|
|
1277
|
+
},
|
|
1278
|
+
"response": {
|
|
1279
|
+
"what_would_have_worked": "Pre-rehearsed perimeter-device compromise IR runbook including out-of-band management access, full-config exfil-and-rebuild (not patch-in-place), and post-incident credential rotation for any account whose traffic transited the device during the exposure window.",
|
|
1280
|
+
"was_this_required": false,
|
|
1281
|
+
"framework_requiring_it": null,
|
|
1282
|
+
"adequacy": "Patch-in-place is unsafe for perimeter compromise — operators routinely treat firewall patching as a maintenance window, missing that a pre-auth root RCE means the device may already be implanted."
|
|
1283
|
+
}
|
|
1284
|
+
},
|
|
1285
|
+
"framework_coverage": {
|
|
1286
|
+
"NIST-800-53-SI-2": {
|
|
1287
|
+
"covered": true,
|
|
1288
|
+
"adequate": false,
|
|
1289
|
+
"gap": "Standard 30-day patch SLA is exploitation-acceptance for a perimeter pre-auth RCE on CISA KEV with vendor-confirmed in-wild use; no SI-2 carve-out for perimeter-device zero-days exists."
|
|
1290
|
+
},
|
|
1291
|
+
"NIS2-Article-21-2-c": {
|
|
1292
|
+
"covered": true,
|
|
1293
|
+
"adequate": false,
|
|
1294
|
+
"gap": "NIS2 'business continuity, including backup management and disaster recovery' does not define a perimeter-firewall-zero-day SLA tier; operators meet NIS2 obligations on paper while leaving pre-auth RCE on perimeter devices for the full 30-day patch window."
|
|
1295
|
+
},
|
|
1296
|
+
"DORA-Article-9": {
|
|
1297
|
+
"covered": true,
|
|
1298
|
+
"adequate": false,
|
|
1299
|
+
"gap": "DORA ICT-risk-management requires 'state-of-the-art' protective measures but does not enumerate perimeter-device-zero-day SLAs distinct from generic patch management; financial-entity audits accept 30-day patch evidence as compliant."
|
|
1300
|
+
},
|
|
1301
|
+
"ISO-27001-2022-A.8.22": {
|
|
1302
|
+
"covered": true,
|
|
1303
|
+
"adequate": false,
|
|
1304
|
+
"gap": "Network-segmentation control assumes the segmentation device is trustworthy; offers no guidance for the case where the segmentation device itself is the pre-auth RCE target."
|
|
1305
|
+
},
|
|
1306
|
+
"ASD-Essential-8-Patch-Internet-Facing": {
|
|
1307
|
+
"covered": true,
|
|
1308
|
+
"adequate": "closest",
|
|
1309
|
+
"gap": "Essential 8 ML3 requires 48-hour patching of internet-facing services with working exploits; closest framework match but still longer than the KEV exploitation window for vendor-confirmed in-wild attacks."
|
|
1310
|
+
}
|
|
1311
|
+
},
|
|
1312
|
+
"new_control_requirements": [
|
|
1313
|
+
{
|
|
1314
|
+
"id": "NEW-CTRL-030",
|
|
1315
|
+
"name": "PERIMETER-DEVICE-ZERODAY-SLA-TIER",
|
|
1316
|
+
"description": "Compliance frameworks must define a distinct patch SLA tier for pre-auth RCE on perimeter-trust-boundary devices (firewalls, VPN concentrators, WAFs, edge load-balancers). Tier requirement: vendor-mitigation deployed within 4 hours of KEV listing OR isolation of the vulnerable interface; standard 14/30-day SLAs do not apply because the device IS the trust boundary.",
|
|
1317
|
+
"evidence": "CVE-2026-0300 — vendor-confirmed in-wild exploitation of Palo Alto perimeter firewalls; no NIS2/DORA/ISO control enumerates a perimeter-zero-day tier separate from generic patch management.",
|
|
1318
|
+
"gap_closes": [
|
|
1319
|
+
"NIST-800-53-SI-2",
|
|
1320
|
+
"NIS2-Article-21-2-c",
|
|
1321
|
+
"DORA-Article-9",
|
|
1322
|
+
"ISO-27001-2022-A.8.22"
|
|
1323
|
+
]
|
|
1324
|
+
},
|
|
1325
|
+
{
|
|
1326
|
+
"id": "NEW-CTRL-031",
|
|
1327
|
+
"name": "FIREWALL-EGRESS-TELEMETRY-SEPARATE-TRUST-ZONE",
|
|
1328
|
+
"description": "Firewall and other perimeter-trust-boundary devices must forward syslog, threat logs, and authentication logs to a SIEM hosted in a separate trust zone (different management plane, different credentials, different authentication path). Telemetry stored on the compromised device is destroyed by the attacker; telemetry on a separate-trust-zone collector survives.",
|
|
1329
|
+
"evidence": "CVE-2026-0300 — pre-auth root RCE on the firewall makes on-device log retention an attacker-controlled artifact.",
|
|
1330
|
+
"gap_closes": [
|
|
1331
|
+
"NIST-800-53-AU-9",
|
|
1332
|
+
"ISO-27001-2022-A.8.15"
|
|
1333
|
+
]
|
|
1334
|
+
},
|
|
1335
|
+
{
|
|
1336
|
+
"id": "NEW-CTRL-032",
|
|
1337
|
+
"name": "PERIMETER-COMPROMISE-REBUILD-NOT-PATCH",
|
|
1338
|
+
"description": "Pre-rehearsed IR runbook for any perimeter device that suffers a pre-auth RCE CVE in active exploitation MUST default to config-exfil + rebuild + credential rotation, not patch-in-place. Patch-in-place leaves attacker-installed implants intact.",
|
|
1339
|
+
"evidence": "CVE-2026-0300 — vendor-confirmed in-wild exploitation prior to KEV listing; affected devices may already be implanted at patch time.",
|
|
1340
|
+
"gap_closes": [
|
|
1341
|
+
"NIST-800-53-IR-4",
|
|
1342
|
+
"NIS2-Article-21-2-b"
|
|
1343
|
+
]
|
|
1344
|
+
}
|
|
1345
|
+
],
|
|
1346
|
+
"compliance_exposure_score": {
|
|
1347
|
+
"percent_audit_passing_orgs_still_exposed": 90,
|
|
1348
|
+
"basis": "Most NIS2/DORA/ISO/PCI audits accept 30-day patch evidence as compliant for perimeter devices; only ASD Essential 8 ML3 enforces sub-48h. Approximately 90% of audit-passing organizations still have unpatched PAN-OS portals at any moment in the standard patch window.",
|
|
1349
|
+
"theater_pattern": "vendor_patch_sla_anchored"
|
|
1350
|
+
},
|
|
1351
|
+
"ai_discovered_zeroday": false,
|
|
1352
|
+
"ai_discovery_source": "vendor_research",
|
|
1353
|
+
"ai_discovery_date": "2026-05-06",
|
|
1354
|
+
"ai_assist_factor": "low"
|
|
1355
|
+
},
|
|
1356
|
+
"CVE-2026-39987": {
|
|
1357
|
+
"name": "Marimo Notebook Pre-Auth WebSocket Terminal RCE",
|
|
1358
|
+
"lesson_date": "2026-05-15",
|
|
1359
|
+
"attack_vector": {
|
|
1360
|
+
"description": "Marimo's notebook server exposed `/terminal/ws` — a WebSocket endpoint that spawned a PTY shell on connect WITHOUT an authentication check. Any HTTP client reaching the notebook port received an interactive shell as the notebook-server user. Exploited within 10 hours of disclosure by NKAbuse blockchain-botnet payloads via Hugging Face-hosted Marimo Spaces.",
|
|
1361
|
+
"privileges_required": "none — pre-authentication, network-reachable WebSocket",
|
|
1362
|
+
"complexity": "trivial — single WebSocket connect to /terminal/ws",
|
|
1363
|
+
"ai_factor": "Not AI-discovered. Marimo's internal security review after Sysdig honeypot scanning; no AI-tool credit. The vulnerable surface IS AI/ML developer infrastructure but the bug was not found by an AI tool."
|
|
1364
|
+
},
|
|
1365
|
+
"defense_chain": {
|
|
1366
|
+
"prevention": {
|
|
1367
|
+
"what_would_have_worked": "Pre-deployment pen-test scoping that explicitly enumerates WebSocket endpoints, AI/ML notebook surfaces, and developer-tooling control planes — not just HTTP/REST API routes; default-deny WebSocket framework configuration that requires explicit auth-decorator opt-in per endpoint; Hugging Face Spaces auto-update for notebook server frameworks.",
|
|
1368
|
+
"was_this_required": false,
|
|
1369
|
+
"framework_requiring_it": null,
|
|
1370
|
+
"adequacy": "OWASP LLM Top 10 covers LLM input/output, NOT the AI/ML developer-tooling control plane (notebook servers, MLflow, Weights & Biases, Jupyter, Marimo). Pen-test scopes routinely exclude developer infrastructure."
|
|
1371
|
+
},
|
|
1372
|
+
"detection": {
|
|
1373
|
+
"what_would_have_worked": "Outbound-from-notebook-server connection monitoring (notebook servers should rarely initiate outbound TCP to non-package-mirror destinations); WebSocket-endpoint inventory feed into the org's API-security tool; alert on PTY spawn from notebook-server process tree.",
|
|
1374
|
+
"was_this_required": false,
|
|
1375
|
+
"framework_requiring_it": null,
|
|
1376
|
+
"adequacy": "Most organizations do not feed notebook-server telemetry into their SIEM; AI/ML platforms are operated by data-science teams outside the security team's monitoring scope."
|
|
1377
|
+
},
|
|
1378
|
+
"response": {
|
|
1379
|
+
"what_would_have_worked": "AI/ML developer-tooling inventory with classified blast-radius (model artifacts, training data, downstream production paths); pre-rehearsed runbook for revoking model-registry credentials and quarantining trained-model artifacts when notebook compromise is suspected.",
|
|
1380
|
+
"was_this_required": false,
|
|
1381
|
+
"framework_requiring_it": null,
|
|
1382
|
+
"adequacy": "AI/ML-pipeline IR runbooks are not standard; most security teams have no inventory of which model artifacts a compromised notebook server can reach."
|
|
1383
|
+
}
|
|
1384
|
+
},
|
|
1385
|
+
"framework_coverage": {
|
|
1386
|
+
"OWASP-LLM-Top-10-2025": {
|
|
1387
|
+
"covered": false,
|
|
1388
|
+
"adequate": false,
|
|
1389
|
+
"gap": "OWASP LLM Top 10 covers LLM input/output (prompt injection, data poisoning, supply chain) but does NOT cover the AI/ML developer-tooling control plane — notebook servers, experiment trackers, model registries are entirely out of scope."
|
|
1390
|
+
},
|
|
1391
|
+
"MITRE-ATLAS-v5.1.0": {
|
|
1392
|
+
"covered": true,
|
|
1393
|
+
"adequate": "reference only",
|
|
1394
|
+
"gap": "ATLAS documents AML.T0010 (ML supply chain compromise) and AML.T0011 (ML model access) but no framework has implemented the developer-tooling-perimeter control class derived from these techniques."
|
|
1395
|
+
},
|
|
1396
|
+
"NIST-AI-RMF-MAP-3.4": {
|
|
1397
|
+
"covered": true,
|
|
1398
|
+
"adequate": false,
|
|
1399
|
+
"gap": "NIST AI RMF Map function requires inventorying AI system components but does not require security-control coverage of AI/ML developer infrastructure as a distinct attack surface."
|
|
1400
|
+
},
|
|
1401
|
+
"ISO-27001-2022-A.5.30": {
|
|
1402
|
+
"covered": true,
|
|
1403
|
+
"adequate": false,
|
|
1404
|
+
"gap": "ICT readiness for business continuity does not enumerate AI/ML developer tooling as a critical service requiring specific availability and integrity controls."
|
|
1405
|
+
},
|
|
1406
|
+
"ISO-IEC-42001-2023": {
|
|
1407
|
+
"covered": true,
|
|
1408
|
+
"adequate": false,
|
|
1409
|
+
"gap": "AI management system standard requires AI lifecycle controls but is silent on the developer-tooling perimeter — the WebSocket/HTTP control plane operators use to BUILD AI systems is not enumerated as in-scope."
|
|
1410
|
+
}
|
|
1411
|
+
},
|
|
1412
|
+
"new_control_requirements": [
|
|
1413
|
+
{
|
|
1414
|
+
"id": "NEW-CTRL-033",
|
|
1415
|
+
"name": "AI-ML-DEVELOPER-TOOLING-INVENTORY",
|
|
1416
|
+
"description": "Organizations using AI/ML systems must maintain a separate inventory of developer-tooling control planes (notebook servers, experiment trackers, model registries, vector-DB admin UIs, agent frameworks) with: exposed network endpoints (HTTP, WebSocket, gRPC), authentication mechanism per endpoint, blast-radius mapping (which model artifacts/training data/production deployments are reachable from each tool), and patch SLA tier separate from generic application patching.",
|
|
1417
|
+
"evidence": "CVE-2026-39987 — Marimo notebook servers were not in standard application inventories; WebSocket endpoints were not enumerated by pen tests; Hugging Face Spaces autodeployed without operator awareness of the surface.",
|
|
1418
|
+
"gap_closes": [
|
|
1419
|
+
"NIST-AI-RMF-MAP-3.4",
|
|
1420
|
+
"ISO-IEC-42001-2023",
|
|
1421
|
+
"OWASP-LLM-Top-10-2025"
|
|
1422
|
+
]
|
|
1423
|
+
},
|
|
1424
|
+
{
|
|
1425
|
+
"id": "NEW-CTRL-034",
|
|
1426
|
+
"name": "WEBSOCKET-ENDPOINT-PEN-TEST-SCOPE",
|
|
1427
|
+
"description": "Penetration test scopes must explicitly enumerate WebSocket endpoints (ws://, wss://) as in-scope, including framework-default endpoints automatically registered by notebook frameworks (Jupyter, Marimo, VS Code Server). Default-deny frameworks where every WebSocket route requires explicit auth-decorator opt-in are preferred over default-allow.",
|
|
1428
|
+
"evidence": "CVE-2026-39987 — `/terminal/ws` was not in any pre-disclosure pen-test report despite being a default Marimo endpoint; WebSocket endpoints are routinely scoped out as 'real-time channels' rather than authenticated APIs.",
|
|
1429
|
+
"gap_closes": [
|
|
1430
|
+
"NIST-800-53-CA-8",
|
|
1431
|
+
"PCI-DSS-4.0-11.4"
|
|
1432
|
+
]
|
|
1433
|
+
},
|
|
1434
|
+
{
|
|
1435
|
+
"id": "NEW-CTRL-035",
|
|
1436
|
+
"name": "AI-ML-PIPELINE-IR-RUNBOOK",
|
|
1437
|
+
"description": "Pre-rehearsed IR runbook for AI/ML developer-tooling compromise covering: model-registry credential rotation, trained-model artifact quarantine, training-data integrity verification, and downstream production-deployment review for any model artifact touched during the compromise window.",
|
|
1438
|
+
"evidence": "CVE-2026-39987 — no standard IR runbook exists for 'notebook server was compromised, what artifacts are now suspect'.",
|
|
1439
|
+
"gap_closes": [
|
|
1440
|
+
"NIST-800-53-IR-4",
|
|
1441
|
+
"ISO-27001-2022-A.5.30"
|
|
1442
|
+
]
|
|
1443
|
+
}
|
|
1444
|
+
],
|
|
1445
|
+
"compliance_exposure_score": {
|
|
1446
|
+
"percent_audit_passing_orgs_still_exposed": 95,
|
|
1447
|
+
"basis": "Marimo and similar AI/ML notebook servers are not in standard CMDBs, not in pen-test scopes, and not covered by application-security frameworks. Audit-passing organizations using AI/ML tooling are exposed by default unless they have implemented the developer-tooling-inventory control class — which no major framework requires.",
|
|
1448
|
+
"theater_pattern": "ai_pipeline_developer_surface_excluded"
|
|
1449
|
+
},
|
|
1450
|
+
"ai_discovered_zeroday": false,
|
|
1451
|
+
"ai_discovery_source": "vendor_research",
|
|
1452
|
+
"ai_discovery_date": "2026-04-23",
|
|
1453
|
+
"ai_assist_factor": "low"
|
|
1454
|
+
},
|
|
1455
|
+
"CVE-2026-6973": {
|
|
1456
|
+
"name": "Ivanti EPMM Authenticated-Admin RCE",
|
|
1457
|
+
"lesson_date": "2026-05-15",
|
|
1458
|
+
"attack_vector": {
|
|
1459
|
+
"description": "Authenticated EPMM administrator with access to a specific management endpoint supplies crafted parameter values that bypass server-side input validation, reaching a code-execution sink. Result: arbitrary OS-level code execution as the EPMM service account, which holds elevated privilege over both the MDM application tenant AND the underlying host OS — and indirectly over every enrolled mobile device under the EPMM tenant's management policy.",
|
|
1460
|
+
"privileges_required": "authenticated EPMM administrator",
|
|
1461
|
+
"complexity": "moderate — requires admin credentials and parameter-shape knowledge; CISA assigned a 3-day KEV due date (the tightest standard tier) reflecting urgency.",
|
|
1462
|
+
"ai_factor": "Not AI-discovered. Vendor-side discovery by Ivanti's product-security team."
|
|
1463
|
+
},
|
|
1464
|
+
"defense_chain": {
|
|
1465
|
+
"prevention": {
|
|
1466
|
+
"what_would_have_worked": "Treat MDM-control-plane administrators as a distinct privilege class with privileged-access-management (PAM) workstation enforcement, FIDO2 step-up authentication for management actions, and just-in-time admin elevation; restrict EPMM admin console exposure to PAM-jumphost ranges only; never expose EPMM admin endpoints to the public internet.",
|
|
1467
|
+
"was_this_required": false,
|
|
1468
|
+
"framework_requiring_it": null,
|
|
1469
|
+
"adequacy": "Standard frameworks treat application admins and infrastructure admins as the same privilege class; MDM admins are functionally infrastructure-tier (control over endpoint OS configuration) but rarely classified as such."
|
|
1470
|
+
},
|
|
1471
|
+
"detection": {
|
|
1472
|
+
"what_would_have_worked": "Anomaly detection on EPMM admin actions (unusual parameter shapes, requests outside normal admin work hours, requests from non-jumphost source IPs); correlation between EPMM admin events and downstream mobile-device policy changes; alert on EPMM service-account spawning unexpected child processes.",
|
|
1473
|
+
"was_this_required": false,
|
|
1474
|
+
"framework_requiring_it": null,
|
|
1475
|
+
"adequacy": "MDM telemetry is typically operated by the mobility team, not the security team; SIEM coverage is uneven."
|
|
1476
|
+
},
|
|
1477
|
+
"response": {
|
|
1478
|
+
"what_would_have_worked": "Pre-rehearsed runbook treating EPMM compromise as fleet-wide mobile-device compromise: revoke MDM-pushed certificates, invalidate device-trust state across the fleet, force-rotate device-management credentials, audit pushed configuration profiles since the suspected compromise window.",
|
|
1479
|
+
"was_this_required": false,
|
|
1480
|
+
"framework_requiring_it": null,
|
|
1481
|
+
"adequacy": "MDM-fleet-compromise IR runbooks are uncommon; most organizations have no plan for 'EPMM was rooted, what does that mean for our 50,000 enrolled devices'."
|
|
1482
|
+
}
|
|
1483
|
+
},
|
|
1484
|
+
"framework_coverage": {
|
|
1485
|
+
"NIST-800-53-AC-6": {
|
|
1486
|
+
"covered": true,
|
|
1487
|
+
"adequate": false,
|
|
1488
|
+
"gap": "Least-privilege control does not enumerate MDM admins as a distinct privilege class with blast-radius spanning app-tenant + host-OS + managed-fleet; treated as standard application admin."
|
|
1489
|
+
},
|
|
1490
|
+
"NIST-800-53-AC-2-7": {
|
|
1491
|
+
"covered": true,
|
|
1492
|
+
"adequate": false,
|
|
1493
|
+
"gap": "Privileged-account management requires monitoring privileged accounts but does not require role-class differentiation between control-plane admins and ordinary application admins."
|
|
1494
|
+
},
|
|
1495
|
+
"NIS2-Article-21-2-i": {
|
|
1496
|
+
"covered": true,
|
|
1497
|
+
"adequate": false,
|
|
1498
|
+
"gap": "NIS2 'human resources security, access control policies and asset management' requires access-control policies but does not enumerate device-management-platform admins as a distinct privilege tier; auditors accept generic admin RBAC as compliant."
|
|
1499
|
+
},
|
|
1500
|
+
"ISO-27001-2022-A.8.2": {
|
|
1501
|
+
"covered": true,
|
|
1502
|
+
"adequate": false,
|
|
1503
|
+
"gap": "Privileged access rights control treats MDM admin as one of many application admin roles; no requirement to model the cross-tenancy/cross-fleet blast radius distinct from other app admins."
|
|
1504
|
+
},
|
|
1505
|
+
"CIS-Critical-Security-Controls-v8-IG3-6.8": {
|
|
1506
|
+
"covered": true,
|
|
1507
|
+
"adequate": "closest",
|
|
1508
|
+
"gap": "Account-management role-based access requires defined roles but does not force differentiation of fleet-management roles from application roles; closest match but does not enforce the privilege-tier separation."
|
|
1509
|
+
}
|
|
1510
|
+
},
|
|
1511
|
+
"new_control_requirements": [
|
|
1512
|
+
{
|
|
1513
|
+
"id": "NEW-CTRL-036",
|
|
1514
|
+
"name": "FLEET-CONTROL-PLANE-ADMIN-PRIVILEGE-TIER",
|
|
1515
|
+
"description": "Administrators of fleet-control-plane systems (MDM/UEM, EDR consoles, identity providers, container orchestrators, configuration management) must be classified as a distinct privilege tier above application admins, with: PAM-jumphost-only access, FIDO2 step-up per session, just-in-time elevation with approval workflow, separate identity from any other admin role, and dedicated PAW (privileged access workstation) hardware. Compliance frameworks must enumerate this tier explicitly rather than collapsing it into 'admin'.",
|
|
1516
|
+
"evidence": "CVE-2026-6973 — EPMM admin RCE means fleet-wide mobile-device compromise; no framework currently treats MDM admins as a distinct tier from application admins.",
|
|
1517
|
+
"gap_closes": [
|
|
1518
|
+
"NIST-800-53-AC-6",
|
|
1519
|
+
"NIS2-Article-21-2-i",
|
|
1520
|
+
"ISO-27001-2022-A.8.2"
|
|
1521
|
+
]
|
|
1522
|
+
},
|
|
1523
|
+
{
|
|
1524
|
+
"id": "NEW-CTRL-037",
|
|
1525
|
+
"name": "FLEET-COMPROMISE-IR-PLAYBOOK",
|
|
1526
|
+
"description": "Pre-rehearsed IR playbook for fleet-control-plane compromise including: MDM-pushed certificate revocation, device-trust-state invalidation, configuration-profile audit since the suspected compromise window, downstream device-quarantine criteria, and credential rotation for any account that authenticated through a compromised fleet device during the exposure period.",
|
|
1527
|
+
"evidence": "CVE-2026-6973 — EPMM root RCE compromises every enrolled mobile device under the EPMM tenant; standard IR runbooks do not address fleet-wide downstream impact.",
|
|
1528
|
+
"gap_closes": [
|
|
1529
|
+
"NIST-800-53-IR-8",
|
|
1530
|
+
"ISO-27001-2022-A.5.30"
|
|
1531
|
+
]
|
|
1532
|
+
}
|
|
1533
|
+
],
|
|
1534
|
+
"compliance_exposure_score": {
|
|
1535
|
+
"percent_audit_passing_orgs_still_exposed": 85,
|
|
1536
|
+
"basis": "Most NIS2/ISO/NIST audits accept generic admin RBAC for MDM/UEM administration; few organizations enforce PAW + FIDO2 + JIT for EPMM admins specifically. Organizations meeting paper privileged-access controls are exposed if their MDM admins do not have the fleet-control-plane tier separation.",
|
|
1537
|
+
"theater_pattern": "admin_role_undifferentiated_from_fleet_control_plane"
|
|
1538
|
+
},
|
|
1539
|
+
"ai_discovered_zeroday": false,
|
|
1540
|
+
"ai_discovery_source": "vendor_research",
|
|
1541
|
+
"ai_discovery_date": "2026-05-07",
|
|
1542
|
+
"ai_assist_factor": "low"
|
|
1543
|
+
},
|
|
1544
|
+
"CVE-2026-42897": {
|
|
1545
|
+
"name": "Microsoft Exchange OWA Stored XSS / Spoofing Zero-Day (No-Patch)",
|
|
1546
|
+
"lesson_date": "2026-05-15",
|
|
1547
|
+
"attack_vector": {
|
|
1548
|
+
"description": "Stored XSS triggered during OWA's web-page generation when rendering attacker-crafted email content. The payload executes in the victim's authenticated OWA session, enabling token theft, mailbox-wide access, and OWA-mediated spoofing of further internal mail. Exploited in-the-wild prior to disclosure; NO BINARY PATCH available at disclosure — Microsoft directed operators to enable the Exchange Emergency Mitigation Service (EEMS) for vendor-pushed mitigation rules.",
|
|
1549
|
+
"privileges_required": "none — pre-auth (attacker sends email; victim opens in OWA)",
|
|
1550
|
+
"complexity": "low — craft email payload that survives Exchange's content rendering pipeline",
|
|
1551
|
+
"ai_factor": "Not AI-discovered. MSRC discovery from in-wild attack telemetry."
|
|
1552
|
+
},
|
|
1553
|
+
"defense_chain": {
|
|
1554
|
+
"prevention": {
|
|
1555
|
+
"what_would_have_worked": "Exchange Emergency Mitigation Service (EEMS) enabled BEFORE the disclosure (it can only ship mitigation rules to operators who have already enabled the service); strict OWA Content Security Policy that breaks XSS payload execution regardless of input-sanitization bugs; OWA usage restricted to managed devices behind a reverse proxy that strips inline script execution.",
|
|
1556
|
+
"was_this_required": false,
|
|
1557
|
+
"framework_requiring_it": null,
|
|
1558
|
+
"adequacy": "EEMS opt-in is required before disclosure; organizations that opted in late received the mitigation rule late or not at all."
|
|
1559
|
+
},
|
|
1560
|
+
"detection": {
|
|
1561
|
+
"what_would_have_worked": "OWA session anomaly detection (token usage from new geographies, mass mailbox-search activity, OAuth token export); Exchange transport-rule audit for new spoofing rules created via OWA session; SIEM ingestion of OWA per-request logs (not just authentication logs).",
|
|
1562
|
+
"was_this_required": false,
|
|
1563
|
+
"framework_requiring_it": null,
|
|
1564
|
+
"adequacy": "OWA per-request logging is not enabled by default; most operators only ingest auth events into SIEM."
|
|
1565
|
+
},
|
|
1566
|
+
"response": {
|
|
1567
|
+
"what_would_have_worked": "Pre-rehearsed OWA-compromise runbook including: OAuth-token-wide revocation for the affected tenant, mailbox-search-result audit for the suspected window, transport-rule diff against last-known-good, and re-enrollment of MFA for any account with an authenticated OWA session in the exposure window.",
|
|
1568
|
+
"was_this_required": false,
|
|
1569
|
+
"framework_requiring_it": null,
|
|
1570
|
+
"adequacy": "Mailbox-compromise runbooks exist but rarely cover the 'OWA itself was the attack vector' case where standard credential-reset is insufficient."
|
|
1571
|
+
}
|
|
1572
|
+
},
|
|
1573
|
+
"framework_coverage": {
|
|
1574
|
+
"ISO-27001-2022-A.5.30": {
|
|
1575
|
+
"covered": true,
|
|
1576
|
+
"adequate": false,
|
|
1577
|
+
"gap": "ICT readiness for business continuity has no concept of a 'mitigation-rule-active, binary-patch-pending' state — operators with EEMS mitigation deployed are auditor-classed as 'fully patched' even though no binary patch exists, hiding residual risk."
|
|
1578
|
+
},
|
|
1579
|
+
"NIS2-Article-21-2-b": {
|
|
1580
|
+
"covered": true,
|
|
1581
|
+
"adequate": false,
|
|
1582
|
+
"gap": "NIS2 'incident handling' obligation does not differentiate between binary-patch-deployed and vendor-mitigation-rule-deployed states; verdict surfaces 'patched per SLA' for both even though only the former eliminates the underlying vulnerability."
|
|
1583
|
+
},
|
|
1584
|
+
"NIST-800-53-SI-2": {
|
|
1585
|
+
"covered": true,
|
|
1586
|
+
"adequate": false,
|
|
1587
|
+
"gap": "Flaw remediation control assumes a binary patch exists; the no-patch + vendor-mitigation-rule state is not enumerated as a distinct flaw-remediation outcome."
|
|
1588
|
+
},
|
|
1589
|
+
"DORA-Article-9-4-c": {
|
|
1590
|
+
"covered": true,
|
|
1591
|
+
"adequate": false,
|
|
1592
|
+
"gap": "DORA prevention-detection-response obligation does not separately track residual-risk-with-mitigation-only states; financial entities can satisfy the obligation with EEMS active even if the underlying XSS still exists."
|
|
1593
|
+
},
|
|
1594
|
+
"PCI-DSS-4.0-6.2.4": {
|
|
1595
|
+
"covered": true,
|
|
1596
|
+
"adequate": false,
|
|
1597
|
+
"gap": "Bespoke-software vulnerability management does not address the case where the vendor has not released a patch and the operator is dependent on vendor-pushed mitigation rules with no operator-side validation."
|
|
1598
|
+
}
|
|
1599
|
+
},
|
|
1600
|
+
"new_control_requirements": [
|
|
1601
|
+
{
|
|
1602
|
+
"id": "NEW-CTRL-038",
|
|
1603
|
+
"name": "MITIGATION-ACTIVE-PATCH-PENDING-VERDICT-CLASS",
|
|
1604
|
+
"description": "Compliance verdicts must distinguish three states: (a) binary patch deployed (vulnerability eliminated), (b) vendor-mitigation rule active, no binary patch (residual risk: any defect in the mitigation rule reopens the vulnerability), (c) no mitigation, no patch (full exposure). Audit reports must surface (b) as a distinct compensating-control state with an associated time-bound action item, not as a 'patched per SLA' outcome.",
|
|
1605
|
+
"evidence": "CVE-2026-42897 — MSRC shipped EEMS mitigation but no binary patch; operators using EEMS verdict as 'compliant' obscure the residual risk that any future EEMS rule defect re-exposes the vulnerability.",
|
|
1606
|
+
"gap_closes": [
|
|
1607
|
+
"ISO-27001-2022-A.5.30",
|
|
1608
|
+
"NIS2-Article-21-2-b",
|
|
1609
|
+
"NIST-800-53-SI-2",
|
|
1610
|
+
"DORA-Article-9-4-c"
|
|
1611
|
+
]
|
|
1612
|
+
},
|
|
1613
|
+
{
|
|
1614
|
+
"id": "NEW-CTRL-039",
|
|
1615
|
+
"name": "VENDOR-PUSH-MITIGATION-OPT-IN-PRE-DISCLOSURE",
|
|
1616
|
+
"description": "For vendors offering push-mitigation services (Microsoft EEMS, Palo Alto Threat Prevention auto-update, etc.), opt-in must be enabled BEFORE the next disclosure event, not in response to it. Compliance frameworks must require operators to enable available vendor-push-mitigation services as a baseline control — opt-in late means the mitigation rule arrives after exploitation, not before.",
|
|
1617
|
+
"evidence": "CVE-2026-42897 — operators who had not pre-enabled EEMS could not receive the same-day mitigation rule.",
|
|
1618
|
+
"gap_closes": [
|
|
1619
|
+
"NIST-800-53-SI-3",
|
|
1620
|
+
"ISO-27001-2022-A.8.7"
|
|
1621
|
+
]
|
|
1622
|
+
},
|
|
1623
|
+
{
|
|
1624
|
+
"id": "NEW-CTRL-040",
|
|
1625
|
+
"name": "OWA-PER-REQUEST-SIEM-INGESTION",
|
|
1626
|
+
"description": "Exchange OWA per-request access logs (not just authentication events) must be forwarded to an external SIEM with at least 90-day retention. Authentication-only logging misses XSS-stage telemetry — the malicious request flows over an already-authenticated session.",
|
|
1627
|
+
"evidence": "CVE-2026-42897 — token-theft and mailbox-search activity occurs over an authenticated session and is invisible to auth-event-only SIEM ingestion.",
|
|
1628
|
+
"gap_closes": [
|
|
1629
|
+
"NIST-800-53-AU-2",
|
|
1630
|
+
"ISO-27001-2022-A.8.15"
|
|
1631
|
+
]
|
|
1632
|
+
}
|
|
1633
|
+
],
|
|
1634
|
+
"compliance_exposure_score": {
|
|
1635
|
+
"percent_audit_passing_orgs_still_exposed": 88,
|
|
1636
|
+
"basis": "Most on-prem Exchange deployments do not have EEMS pre-enabled, do not ingest OWA per-request logs into a SIEM, and have no IR runbook for 'OWA itself was the attack vector'. Audit-passing organizations satisfying NIS2/ISO/NIST patch-management obligations remain materially exposed during the no-patch window.",
|
|
1637
|
+
"theater_pattern": "vendor_mitigation_treated_as_patch"
|
|
1638
|
+
},
|
|
1639
|
+
"ai_discovered_zeroday": false,
|
|
1640
|
+
"ai_discovery_source": "vendor_research",
|
|
1641
|
+
"ai_discovery_date": "2026-05-15",
|
|
1642
|
+
"ai_assist_factor": "low"
|
|
1643
|
+
},
|
|
1644
|
+
"CVE-2026-32202": {
|
|
1645
|
+
"name": "Windows Shell LNK Mark-of-the-Web Bypass (APT28, Incomplete Patch)",
|
|
1646
|
+
"lesson_date": "2026-05-15",
|
|
1647
|
+
"attack_vector": {
|
|
1648
|
+
"description": "Crafted LNK files bypass Windows Mark-of-the-Web (MOTW) protection. Chained with CVE-2026-21513, the exploitation converts a downloaded LNK into a SmartScreen-suppressed execution path. CVE-2026-32202 is the third bug in a sequence: CVE-2026-21510 attempted to close the same MOTW-bypass surface but did so incompletely; CVE-2026-32202 is the resulting re-exploit primitive — i.e. the patch itself was the new vulnerability source.",
|
|
1649
|
+
"privileges_required": "user opens a downloaded LNK file (UI:R)",
|
|
1650
|
+
"complexity": "low for APT28's existing LNK-weaponization toolkit; the primitive is an extension of established LNK tradecraft.",
|
|
1651
|
+
"ai_factor": "Not AI-discovered. APT28 (nation-state) tradecraft predates AI-assisted exploit-development tooling by years."
|
|
1652
|
+
},
|
|
1653
|
+
"defense_chain": {
|
|
1654
|
+
"prevention": {
|
|
1655
|
+
"what_would_have_worked": "Detonation-chamber pre-execution analysis (NIST SC-44) of every downloaded executable surface including LNK / ISO / VHD / IMG, with a test battery that explicitly covers MOTW-bypass classes — not just behavioral detonation but format-parser confidence; ASR (Attack Surface Reduction) rule blocking LNK execution from email/web download paths regardless of MOTW state; AppLocker / WDAC policy denying LNK execution from user-writable paths.",
|
|
1656
|
+
"was_this_required": false,
|
|
1657
|
+
"framework_requiring_it": null,
|
|
1658
|
+
"adequacy": "Detonation chambers are deployed but most operators do not have explicit MOTW-bypass class regression testing in their detonation pipelines — they treat each MOTW-bypass CVE as a one-off rather than a class."
|
|
1659
|
+
},
|
|
1660
|
+
"detection": {
|
|
1661
|
+
"what_would_have_worked": "EDR rules detecting LNK-spawned process trees with outbound network activity within 60s of execution; MOTW-attribute auditing on every newly-created file under user profile directories; SmartScreen telemetry ingestion to detect SmartScreen-suppression patterns.",
|
|
1662
|
+
"was_this_required": false,
|
|
1663
|
+
"framework_requiring_it": null,
|
|
1664
|
+
"adequacy": "EDR LNK-execution telemetry exists but MOTW-bypass detection requires operator-side rule authoring; vendors do not ship out-of-box MOTW-bypass class detections that survive incremental patch cycles."
|
|
1665
|
+
},
|
|
1666
|
+
"response": {
|
|
1667
|
+
"what_would_have_worked": "Pre-rehearsed APT28-class IR runbook treating LNK execution from email/web as initial-access-confirmed until proven otherwise; aggressive endpoint quarantine; nation-state IR escalation path with appropriate intelligence-sharing channels (CISA, NCSC, BSI, ANSSI).",
|
|
1668
|
+
"was_this_required": false,
|
|
1669
|
+
"framework_requiring_it": null,
|
|
1670
|
+
"adequacy": "Standard IR runbooks treat MOTW bypass as malware infection rather than nation-state initial access; under-escalates the response."
|
|
1671
|
+
}
|
|
1672
|
+
},
|
|
1673
|
+
"framework_coverage": {
|
|
1674
|
+
"NIST-800-53-SC-44": {
|
|
1675
|
+
"covered": true,
|
|
1676
|
+
"adequate": false,
|
|
1677
|
+
"gap": "Detonation chambers control does not require explicit regression test coverage for protection-mechanism-failure classes (MOTW bypass, SmartScreen bypass, AMSI bypass); incomplete patches re-introduce risk that detonation chambers tested-once-against-the-fix do not catch."
|
|
1678
|
+
},
|
|
1679
|
+
"NIST-800-53-SI-2-6": {
|
|
1680
|
+
"covered": true,
|
|
1681
|
+
"adequate": false,
|
|
1682
|
+
"gap": "Flaw-remediation 'removal of previous versions' enhancement does not address the case where the FIX is the new flaw; framework treats each CVE in an incomplete-patch sequence as a discrete finding rather than as evidence of a structurally-defective patch series."
|
|
1683
|
+
},
|
|
1684
|
+
"ISO-27001-2022-A.8.7": {
|
|
1685
|
+
"covered": true,
|
|
1686
|
+
"adequate": false,
|
|
1687
|
+
"gap": "Anti-malware control treats incomplete patches as new findings rather than as a sequence; no requirement to track 'CVE-X is the third incomplete patch on the same primitive' as a higher-severity signal."
|
|
1688
|
+
},
|
|
1689
|
+
"MITRE-ATTACK-T1566.002": {
|
|
1690
|
+
"covered": true,
|
|
1691
|
+
"adequate": "reference only",
|
|
1692
|
+
"gap": "Spearphishing Link technique is documented but framework-side controls do not enforce LNK-class detonation regression as a result."
|
|
1693
|
+
}
|
|
1694
|
+
},
|
|
1695
|
+
"new_control_requirements": [
|
|
1696
|
+
{
|
|
1697
|
+
"id": "NEW-CTRL-041",
|
|
1698
|
+
"name": "PROTECTION-MECHANISM-FAILURE-CLASS-REGRESSION",
|
|
1699
|
+
"description": "Detonation chambers, EDR rules, and AppLocker/WDAC policies covering protection-mechanism classes (MOTW, SmartScreen, AMSI, ASR, WDAC, Driver Block Rules) must include class-level regression testing executed on every patch deployment, not just one-off bypass-CVE remediation. The test battery for class-X must include all historic class-X bypass primitives — incomplete patches re-introduce risk that one-off testing does not detect.",
|
|
1700
|
+
"evidence": "CVE-2026-32202 — third bug in the same MOTW-bypass primitive class (sequence with CVE-2026-21510 and CVE-2026-21513); operators treating each as a discrete patch missed the structural defect.",
|
|
1701
|
+
"gap_closes": [
|
|
1702
|
+
"NIST-800-53-SC-44",
|
|
1703
|
+
"ISO-27001-2022-A.8.7"
|
|
1704
|
+
]
|
|
1705
|
+
},
|
|
1706
|
+
{
|
|
1707
|
+
"id": "NEW-CTRL-042",
|
|
1708
|
+
"name": "INCOMPLETE-PATCH-SEQUENCE-SEVERITY-MULTIPLIER",
|
|
1709
|
+
"description": "Vulnerability-management programs must apply a severity multiplier when a CVE is the Nth in an incomplete-patch sequence on the same primitive (third MOTW bypass, second AMSI bypass, etc.). Framework controls treating each CVE as discrete obscure the structural defect; the Nth CVE in a sequence implies that future bypasses on the same primitive are likely.",
|
|
1710
|
+
"evidence": "CVE-2026-32202 — third MOTW-bypass CVE in 18 months; structural pattern not surfaced by per-CVE severity scoring.",
|
|
1711
|
+
"gap_closes": [
|
|
1712
|
+
"NIST-800-53-SI-2-6",
|
|
1713
|
+
"RWEP-scoring-model"
|
|
1714
|
+
]
|
|
1715
|
+
},
|
|
1716
|
+
{
|
|
1717
|
+
"id": "NEW-CTRL-043",
|
|
1718
|
+
"name": "NATION-STATE-INITIAL-ACCESS-IR-ESCALATION",
|
|
1719
|
+
"description": "IR runbooks must include an explicit nation-state-initial-access escalation path triggered by APT28/APT29/Lazarus/Volt-Typhoon/etc. attribution on a confirmed exploit chain. Standard malware-infection IR under-escalates nation-state activity by treating it as commodity threat.",
|
|
1720
|
+
"evidence": "CVE-2026-32202 — confirmed APT28 weaponization; standard IR runbooks do not include nation-state-class escalation criteria.",
|
|
1721
|
+
"gap_closes": [
|
|
1722
|
+
"NIST-800-53-IR-4",
|
|
1723
|
+
"NIS2-Article-23"
|
|
1724
|
+
]
|
|
1725
|
+
}
|
|
1726
|
+
],
|
|
1727
|
+
"compliance_exposure_score": {
|
|
1728
|
+
"percent_audit_passing_orgs_still_exposed": 75,
|
|
1729
|
+
"basis": "Detonation-chamber regression coverage of protection-mechanism-failure classes is rare; most operators patch MOTW-bypass CVEs individually without class-level test extension. Audit-passing organizations remain exposed to the next bypass in the sequence — and APT28's tempo suggests a next bypass is the expected outcome.",
|
|
1730
|
+
"theater_pattern": "incomplete_patch_treated_as_discrete_finding"
|
|
1731
|
+
},
|
|
1732
|
+
"ai_discovered_zeroday": false,
|
|
1733
|
+
"ai_discovery_source": "vendor_research",
|
|
1734
|
+
"ai_discovery_date": "2026-04-28",
|
|
1735
|
+
"ai_assist_factor": "low"
|
|
1736
|
+
},
|
|
1737
|
+
"CVE-2026-33825": {
|
|
1738
|
+
"name": "BlueHammer — Microsoft Defender File-Remediation TOCTOU LPE",
|
|
1739
|
+
"lesson_date": "2026-05-15",
|
|
1740
|
+
"attack_vector": {
|
|
1741
|
+
"description": "Race window in Defender's file-remediation logic: after Defender flags a malicious file, the path-to-quarantine sequence opens non-atomically. An attacker-controlled junction / symlink swap during the TOCTOU window redirects the remediation operation against a SYSTEM-owned file, producing arbitrary-file-overwrite escalating to SYSTEM. Picus 'BlueHammer' / RedSun published a working PoC BEFORE Microsoft released a patch — true zero-day disclosure where the EDR is the vulnerability.",
|
|
1742
|
+
"privileges_required": "low — local user with ability to drop a file Defender will scan",
|
|
1743
|
+
"complexity": "high — requires winning the TOCTOU race window via symlink swap",
|
|
1744
|
+
"ai_factor": "Not AI-discovered. Conventional Windows-Defender internals research by Picus Security."
|
|
1745
|
+
},
|
|
1746
|
+
"defense_chain": {
|
|
1747
|
+
"prevention": {
|
|
1748
|
+
"what_would_have_worked": "Defender platform-update channel separated from Windows OS-update channel and treated as a distinct patch SLA; ASR (Attack Surface Reduction) rules limiting symlink/junction creation by low-privilege processes in user-writable paths; second-EDR overlay or Defender ASR Block-Persistence-Through-WMI configured to detect post-LPE persistence even when Defender itself is the initial-access vector.",
|
|
1749
|
+
"was_this_required": false,
|
|
1750
|
+
"framework_requiring_it": null,
|
|
1751
|
+
"adequacy": "Most operators treat Defender as 'always patched via Windows Update' without recognizing the platform-update channel is a distinct surface; ASR rules require explicit operator opt-in."
|
|
1752
|
+
},
|
|
1753
|
+
"detection": {
|
|
1754
|
+
"what_would_have_worked": "Independent EDR overlay (a second-vendor EDR or non-Defender behavioral monitor) capable of detecting Defender-process anomalous file-overwrite patterns; SYSTEM-process spawn monitoring with parentage cross-check; NTFS reparse-point creation auditing in user-writable paths.",
|
|
1755
|
+
"was_this_required": false,
|
|
1756
|
+
"framework_requiring_it": null,
|
|
1757
|
+
"adequacy": "Single-vendor EDR cannot reliably detect itself as the vulnerability source — by design, Defender is allow-listed in its own telemetry."
|
|
1758
|
+
},
|
|
1759
|
+
"response": {
|
|
1760
|
+
"what_would_have_worked": "Pre-rehearsed runbook for EDR-platform-compromise (Defender, CrowdStrike, SentinelOne, Carbon Black) treating compromise of the security control plane as a tier-1 incident; out-of-band telemetry source (network-side EDR-bypass telemetry) for the response window; documented Defender platform-update rollout SLA distinct from Windows OS update.",
|
|
1761
|
+
"was_this_required": false,
|
|
1762
|
+
"framework_requiring_it": null,
|
|
1763
|
+
"adequacy": "EDR-as-vulnerability runbooks are rare; most security teams have no documented response when 'the security control IS the attack vector'."
|
|
1764
|
+
}
|
|
1765
|
+
},
|
|
1766
|
+
"framework_coverage": {
|
|
1767
|
+
"ISO-27001-2022-A.8.7": {
|
|
1768
|
+
"covered": true,
|
|
1769
|
+
"adequate": false,
|
|
1770
|
+
"gap": "Anti-malware control assumes the AV/EDR is a defense, not a vulnerability source; offers no model for 'EDR is the attack vector' and provides no compensating-control guidance for the case."
|
|
1771
|
+
},
|
|
1772
|
+
"NIST-800-53-SI-3": {
|
|
1773
|
+
"covered": true,
|
|
1774
|
+
"adequate": false,
|
|
1775
|
+
"gap": "Malicious-code-protection control treats AV/EDR as a defense layer; no enhancement addresses the case where the malicious-code-protection mechanism itself is the LPE primitive."
|
|
1776
|
+
},
|
|
1777
|
+
"NIST-800-53-SI-2": {
|
|
1778
|
+
"covered": true,
|
|
1779
|
+
"adequate": false,
|
|
1780
|
+
"gap": "Flaw remediation does not separately enumerate EDR/AV platform-update channels — operators meeting OS-patch SLA may still lag the Defender platform update."
|
|
1781
|
+
},
|
|
1782
|
+
"PCI-DSS-4.0-5.2.1": {
|
|
1783
|
+
"covered": true,
|
|
1784
|
+
"adequate": false,
|
|
1785
|
+
"gap": "Anti-malware solution requirement does not address EDR-as-vulnerability nor require an independent overlay capable of detecting EDR-platform compromise."
|
|
1786
|
+
},
|
|
1787
|
+
"NIS2-Article-21-2-h": {
|
|
1788
|
+
"covered": true,
|
|
1789
|
+
"adequate": false,
|
|
1790
|
+
"gap": "Cybersecurity hygiene + training obligation does not address the case where the AV/EDR product is itself the LPE source; pen-test scopes routinely exclude 'security defense' products from in-scope attack surface."
|
|
1791
|
+
}
|
|
1792
|
+
},
|
|
1793
|
+
"new_control_requirements": [
|
|
1794
|
+
{
|
|
1795
|
+
"id": "NEW-CTRL-044",
|
|
1796
|
+
"name": "EDR-AS-VULNERABILITY-SECONDARY-OVERLAY",
|
|
1797
|
+
"description": "Organizations whose primary EDR is also a high-value attack target (Defender, CrowdStrike, SentinelOne) must deploy an independent secondary overlay capable of detecting anomalous behavior by the primary EDR's own processes. The overlay can be a second-vendor behavioral EDR, network-side EDR-bypass telemetry, or out-of-band SYSTEM-process spawn monitoring — but must NOT share trust roots with the primary EDR.",
|
|
1798
|
+
"evidence": "CVE-2026-33825 — Defender's file-remediation pipeline was the LPE primitive; Defender's own telemetry cannot reliably surface Defender-as-attacker.",
|
|
1799
|
+
"gap_closes": [
|
|
1800
|
+
"ISO-27001-2022-A.8.7",
|
|
1801
|
+
"NIST-800-53-SI-3",
|
|
1802
|
+
"PCI-DSS-4.0-5.2.1"
|
|
1803
|
+
]
|
|
1804
|
+
},
|
|
1805
|
+
{
|
|
1806
|
+
"id": "NEW-CTRL-045",
|
|
1807
|
+
"name": "EDR-PLATFORM-UPDATE-DISTINCT-SLA",
|
|
1808
|
+
"description": "EDR / AV platform-update channels must be tracked as distinct patch surfaces with their own SLA, separate from OS-update SLA. Defender platform updates, CrowdStrike Falcon-sensor updates, SentinelOne agent updates, etc. ship outside the OS-patching cadence and require dedicated monitoring and SLA tracking.",
|
|
1809
|
+
"evidence": "CVE-2026-33825 — Defender platform update fixed the TOCTOU; operators tracking only Windows Update missed the patch surface.",
|
|
1810
|
+
"gap_closes": [
|
|
1811
|
+
"NIST-800-53-SI-2",
|
|
1812
|
+
"ISO-27001-2022-A.8.8"
|
|
1813
|
+
]
|
|
1814
|
+
},
|
|
1815
|
+
{
|
|
1816
|
+
"id": "NEW-CTRL-046",
|
|
1817
|
+
"name": "PEN-TEST-SCOPE-INCLUDES-SECURITY-PRODUCTS",
|
|
1818
|
+
"description": "Penetration test and red-team scopes must explicitly include security-defense products (EDR, AV, DLP, identity-providers, secret-managers) as in-scope attack surface, not as defenses to evade. Scope language must call out that these products' admin interfaces, agent processes, and update channels are testable surfaces.",
|
|
1819
|
+
"evidence": "CVE-2026-33825 — Defender was the LPE primitive; pen tests scoping Defender as 'defense to evade' rather than 'product to test' miss this class.",
|
|
1820
|
+
"gap_closes": [
|
|
1821
|
+
"NIST-800-53-CA-8",
|
|
1822
|
+
"NIS2-Article-21-2-h"
|
|
1823
|
+
]
|
|
1824
|
+
}
|
|
1825
|
+
],
|
|
1826
|
+
"compliance_exposure_score": {
|
|
1827
|
+
"percent_audit_passing_orgs_still_exposed": 92,
|
|
1828
|
+
"basis": "Almost no organizations operate a secondary EDR overlay against their primary EDR; pen-test scopes routinely exclude security products. Audit-passing organizations meeting ISO/NIST/PCI anti-malware controls remain materially exposed because the controls assume the AV/EDR is a defense, not a vulnerability source.",
|
|
1829
|
+
"theater_pattern": "edr_assumed_defense_never_vulnerability"
|
|
1830
|
+
},
|
|
1831
|
+
"ai_discovered_zeroday": false,
|
|
1832
|
+
"ai_discovery_source": "vendor_research",
|
|
1833
|
+
"ai_discovery_date": "2026-04-22",
|
|
1834
|
+
"ai_assist_factor": "low"
|
|
1255
1835
|
}
|
|
1256
1836
|
}
|
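--- a/package/manifest-snapshot.json
+++ b/package/manifest-snapshot.json
@@ -1,6 +1,6 @@
 {
 "_comment": "Auto-generated by scripts/refresh-manifest-snapshot.js — do not hand-edit. Public skill surface used by check-manifest-snapshot.js to detect breaking removals.",
-"_generated_at": "2026-05-
+"_generated_at": "2026-05-16T04:00:15.840Z",
 "atlas_version": "5.4.0",
 "skill_count": 42,
 "skills": [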
package/manifest-snapshot.sha256
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
|
|
1
|
+
9c01b58f0f9e5ceb3070bbfab781ced453d5a8fd0c4a20a883ecbf011004b12c manifest-snapshot.json
|