@blamejs/exceptd-skills 0.13.18 → 0.13.19

package/data/zeroday-lessons.json

@@ -2034,7 +2034,7 @@
   },
   "CVE-2024-3154": {
     "name": "CRI-O arbitrary kernel-module load",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Pod-spec attributes reach modprobe argument path in CRI-O without validation. An attacker with pod-create RBAC on a cluster using CRI-O can cause arbitrary kernel modules to load on the host node, achieving container-escape-equivalent capability.",
       "privileges_required": "pod-create RBAC inside the cluster (namespace-scoped is sufficient)",
@@ -2078,7 +2078,18 @@
         "gap": "Container-runtime supply chain not differentiated from application-runtime supply chain."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2024-3154",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "AppArmor/SELinux deny-module-load is rarely enforced on container hosts; CIS-K8s benchmark passes without it. Patch cadence on Kubernetes node runtimes typically lags behind application patches.",
@@ -2090,7 +2101,7 @@
   },
   "CVE-2023-43472": {
     "name": "MLflow path-traversal arbitrary file read",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "MLflow tracking-server artifact endpoint resolves user-controlled paths under the artifact root without normalization. An unauthenticated HTTP request with ../ traversal reads arbitrary files from the host filesystem.",
       "privileges_required": "none (unauth network reachability to MLflow tracking server)",
@@ -2134,7 +2145,18 @@
         "gap": "Secure coding control does not anchor on ML-runtime web-surface review; ML platforms are treated as out-of-scope of conventional secure-coding programs."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2023-43472",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 70,
       "basis": "MLflow tracking servers are widely deployed without auth and without front-proxy logging; ML platforms typically fall outside the AppSec team's secure-coding-review remit.",
@@ -2146,7 +2168,7 @@
   },
   "CVE-2020-10148": {
     "name": "SolarWinds Orion API authentication bypass (SUNBURST chain component)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "URI pattern matching against SkipI18nStrings inside Orion's HTTP routing triggers an authentication bypass — an unauthenticated request that matches the pattern reaches API write endpoints. Used by SUNBURST operators to exercise API write access against compromised Orion installations.",
       "privileges_required": "none (unauth network reachability to Orion)",
@@ -2190,7 +2212,18 @@
         "gap": "Supply-chain protection control predates the SolarWinds incident; pre-2020 supply-chain controls did not contemplate a trusted vendor as the breach vector."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2020-10148",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 40,
       "basis": "Direct exposure to this specific CVE is low five years post-disclosure (Orion installations are largely patched), but the lessons-class — trusted-vendor-as-pivot — remains under-addressed by most supply-chain controls.",
@@ -2202,7 +2235,7 @@
   },
   "CVE-2023-3519": {
     "name": "Citrix NetScaler ADC/Gateway unauth RCE (CitrixBleed precursor)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Pre-auth stack buffer overflow in the NetScaler SAML processing path. An unauthenticated HTTP POST to /gwtest/formssso reaches the vulnerable nsppe parser; CISA AA23-201A documented in-wild exploitation by Chinese state-sponsored actors against US critical-infrastructure organizations within weeks of disclosure.",
       "privileges_required": "none (unauth network reachability to NetScaler appliance)",
@@ -2246,7 +2279,18 @@
         "gap": "EU NIS2 generic vulnerability-management requirement without unauth-RCE-specific SLA."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2023-3519",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "PCI-DSS / NIS2 / SI-2 patch SLAs are wider than the actual exploitation window. Many organizations passing those audits remained exposed during the active mass-exploitation phase.",
@@ -2258,7 +2302,7 @@
   },
   "CVE-2024-1709": {
     "name": "ConnectWise ScreenConnect auth-bypass",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Path-traversal in the auth filter — appending /SetupWizard.aspx/anything to a request URL bypasses authentication and reaches the admin setup endpoint. Attacker creates a new admin account via the setup endpoint and gains full ScreenConnect control, including the ability to push remote-control payloads to every endpoint the affected MSP manages.",
       "privileges_required": "none (unauth network reachability to ScreenConnect web surface)",
@@ -2302,7 +2346,18 @@
         "gap": "Access-control management does not require setup-endpoint hardening on production deployments; the ScreenConnect setup wizard was reachable post-install by design."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2024-1709",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "MSP fleets passing SOC 2 / ISO 27001 audits routinely deploy remote-management tooling with default routing exposed; setup-endpoint hardening is not a benchmark requirement.",
@@ -2314,7 +2369,7 @@
   },
   "CVE-2026-20182": {
     "name": "Cisco SD-WAN authentication bypass to admin",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Authentication bypass in the Cisco SD-WAN controller management plane (vManage / vEdge). An unauthenticated attacker reaches admin-equivalent state on the controller, giving control over the SD-WAN fabric's policy plane.",
       "privileges_required": "none (unauth network reachability to SD-WAN controller management surface)",
@@ -2358,7 +2413,18 @@
         "gap": "ICT third-party risk — SD-WAN vendor risk concentrated in a single advisory cadence; DORA does not require dual-vendor fabric topology."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2026-20182",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 65,
       "basis": "SD-WAN controller management surfaces are frequently reachable beyond operator subnets in real-world deployments; NIS2 / DORA controls do not enforce management-plane isolation as a specific requirement.",
@@ -2370,7 +2436,7 @@
   },
   "CVE-2024-40635": {
     "name": "containerd integer overflow IP mask leak",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Integer overflow in the containerd CNI IP-allocation path. A crafted CIDR specification overflows the uint32 mask conversion, causing the container to receive a spurious mask that allows traffic to leak across network namespaces.",
       "privileges_required": "ability to influence a container's CNI configuration (typically requires pod-create RBAC or compromise of an in-cluster component that provisions pods)",
@@ -2414,7 +2480,18 @@
         "gap": "Networks security control covers segmentation policy at organizational level but does not extend to container-runtime IPAM verification."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2024-40635",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 50,
       "basis": "Most clusters do not pair NetworkPolicy with IPAM-correctness audit. CIS-K8s benchmark passes without it.",
@@ -2493,7 +2570,7 @@
   },
   "CVE-2025-12686": {
     "name": "Synology BeeStation unauth RCE (Pwn2Own Ireland 2025)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Pre-auth RCE chain on the Synology BeeStation Manager web management surface. Demonstrated as a full chain on consumer NAS hardware at Pwn2Own Ireland 2025.",
       "privileges_required": "none (unauth network reachability to BeeStation web surface)",
@@ -2537,7 +2614,18 @@
         "gap": "Configuration-management control covers organizational assets; consumer NAS appliances at remote sites are commonly out of scope of the enterprise CMDB."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2025-12686",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "Consumer-NAS appliances are pervasive at branch / SMB / remote-worker sites and routinely fall outside enterprise patch and asset-management programs.",
@@ -2549,7 +2637,7 @@
   },
   "CVE-2025-62847": {
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 1/3)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Component 1/3 of the DEVCORE Research Team chain on the QNAP TS-453E appliance at Pwn2Own Ireland 2025. Chained injection + format-string bug demonstrated as part of the three-CVE chain that earned $40,000 + 4 Master of Pwn points.",
       "privileges_required": "none (unauth network reachability to QTS / QuTS hero web management)",
@@ -2593,7 +2681,18 @@
         "gap": "Configuration-management control covers organizational assets; SMB / branch NAS appliances are commonly out of CMDB scope."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2025-62847",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "QNAP appliances are pervasive at SMB / prosumer scale and fall outside enterprise patch programs.",
@@ -2605,7 +2704,7 @@
   },
   "CVE-2025-62848": {
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 2/3)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Component 2/3 of the DEVCORE Research Team chain on the QNAP TS-453E appliance at Pwn2Own Ireland 2025. Code-injection (CWE-94) chained with CVE-2025-62847 and CVE-2025-62849.",
       "privileges_required": "none (unauth as part of the chain) — standalone exploitation requires the chain pre-condition",
@@ -2649,7 +2748,18 @@
         "gap": "Secure-coding control assumed in vendor firmware; appliance vendors are out-of-band of the operator's secure-coding program."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2025-62848",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "Same population and coverage gap as CVE-2025-62847; chain components track together.",
@@ -2661,7 +2771,7 @@
   },
   "CVE-2025-62849": {
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 3/3)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Component 3/3 of the DEVCORE Research Team chain on the QNAP TS-453E appliance at Pwn2Own Ireland 2025 — post-auth elevation (CWE-269, T1068). Used by the chain to convert the unauth RCE foothold from CVE-2025-62847/62848 into appliance-level privileged execution.",
       "privileges_required": "post-auth (achieved by the chain via CVE-2025-62847 / CVE-2025-62848)",
@@ -2705,7 +2815,18 @@
         "gap": "Consumer-NAS coverage begins 2027."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2025-62849",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "Same population as the chain siblings.",
@@ -2852,7 +2973,7 @@
   },
   "CVE-2024-21762": {
     "name": "Fortinet FortiOS / FortiProxy SSL-VPN out-of-bounds write (sslvpnd preauth RCE)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Out-of-bounds write in the sslvpnd daemon's HTTP request handling on FortiOS and FortiProxy. An unauthenticated attacker sends a specially crafted HTTP request to the SSL-VPN web surface and executes code on the appliance. Mass-scanning began within hours of the 2024-02-08 vendor disclosure; CISA KEV-listed the next day with a 7-day federal remediation deadline. Fortinet's 2025-04-11 follow-up advisory documented a post-exploitation technique where attackers who compromised the device before patching leave behind read-only symlinks in the SSL-VPN language-file directory that grant persistent filesystem read access on fully patched firmware — patch alone is insufficient.",
       "privileges_required": "none (unauth network reach to the SSL-VPN web surface; SSL-VPN must be enabled on the FortiGate)",
@@ -2911,7 +3032,18 @@
         "gap": "Essential 8 patch-applications ML3 (48h) is closer to the operational reality than NIST SI-2 but still misses the mass-scanning window."
       }
     },
-    "new_control_requirements": [],
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-001",
+        "name": "CISA-KEV-RESPONSE-SLA",
+        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
+        "evidence": "CVE-2024-21762",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "Internet-facing SSL-VPN concentrators are routinely deployed by SOC 2 / ISO 27001 / PCI-audited organisations without a documented compressed-SLA patching procedure for the appliance class; the standard 30-day patch SLA was active exposure for this CVE. Post-exploitation symlink cleanup is essentially never tested in compliance audits — operators who patched in place after compromise frequently retained attacker persistence.",