@blamejs/exceptd-skills 0.13.2 → 0.13.4

package/data/attack-techniques.json

@@ -217,6 +217,7 @@
     "name": "External Remote Services",
     "version": "v19",
     "cve_refs": [
+      "CVE-2024-21762",
       "CVE-2026-0300",
       "CVE-2026-39987"
     ]
@@ -232,6 +233,7 @@
       "CVE-2020-10148",
       "CVE-2023-3519",
       "CVE-2024-1709",
+      "CVE-2024-21762",
       "CVE-2025-12686",
       "CVE-2025-53773",
       "CVE-2025-59389",

package/data/cve-catalog.json

@@ -55,15 +55,16 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.154,
-      "current_floor_enforced_by_test": 0.15,
+      "current_rate": 0.132,
+      "current_floor_enforced_by_test": 0.13,
       "ladder_to_target": [
+        0.13,
         0.15,
         0.2,
         0.3,
         0.4
       ],
-      "floor_correction_note": "v0.12.31 (cycle 11): floor dropped from 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries (PAN-OS, Marimo, Ivanti EPMM, Exchange OWA, Windows LNK APT28, Defender BlueHammer). All six are vendor- or threat-actor-discovered; none carry an AI-tool credit per Hard Rule #1. Catalog observed rate fell from 6/30 (0.200) to 6/36 (0.167); floor is reset below the new observed rate to keep the test honest, and a new 0.15 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs.",
+      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries.",
       "ladder_note": "Test floor advances when each rung is exceeded with a margin (>= floor + 0.05). Surfaces incremental tightening without coincidence-passing failures.",
       "gap_explanation": "Catalog skews toward 2024 vendor-disclosed CVEs (xz-utils, runc, CRI-O, MLflow, containerd, SolarWinds, Citrix, ConnectWise) and Pwn2Own Ireland 2025 entries (Synacktiv, DEVCORE, Summoning Team, CyCraft) where AI-tooling involvement was either not used or not credited in the public disclosure. The 41% figure in AGENTS.md Hard Rule #7 reflects the broader 2025 zero-day population reported by Google Threat Intelligence Group; catalog membership is curated against a different sampling frame (operational impact + framework-coverage need) and so will lag the population-level rate.",
       "discovery_source_enum": [
@@ -2094,149 +2095,6 @@
     ],
     "related_threats_note": "MAL-2026-TANSTACK-MINI is a Mini-Shai-Hulud-wave incident (Microsoft Security Research, 2026-05-11). The framework was open-sourced 2026-05-12 (MAL-2026-SHAI-HULUD-OSS) — TanStack predates the public release by ~24h. Same threat-actor authorship class; same registry-pivot tradecraft."
   },
-  "MAL-2026-ANTHROPIC-MCP-STDIO": {
-    "_draft": true,
-    "_quarantine": true,
-    "_quarantine_reason": "Duplicate of CVE-2026-30623 (Anthropic MCP SDK stdio command-injection). This entry was the pre-CVE-assignment embargoed placeholder for the OX Security MCP stdio command-injection disclosure (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok); the embargo lifted with the April 2026 vendor advisory and the issue received CVE-2026-30623. Canonical id: CVE-2026-30623. Retained as _draft: true so the validator treats it as a non-failing draft warning; downstream tooling should filter on _quarantine: true and skip these entries.",
-    "ai_assisted_weaponization": false,
-    "name": "Anthropic SDK MCP STDIO command-injection (embargoed)",
-    "type": "command-injection",
-    "cvss_score": 9,
-    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
-    "cisa_kev": false,
-    "cisa_kev_date": null,
-    "poc_available": false,
-    "poc_description": "Embargoed — operator-supplied configuration parameter reaches subprocess exec argv concatenation.",
-    "ai_discovered": false,
-    "active_exploitation": "unknown",
-    "active_exploitation_notes": "Embargoed disclosure pending vendor advisory.",
-    "affected": "Anthropic MCP-client STDIO transport in published SDK versions handling operator-configured server-spawn commands.",
-    "affected_versions": [
-      "anthropic-sdk pending-vendor-advisory"
-    ],
-    "vector": "MCP-client spawns server subprocess from operator config — argument parsing concatenates user-controlled fields into the exec argv via shell-like splitting rather than argv-array passing.",
-    "complexity": "low",
-    "patch_available": false,
-    "patch_required_reboot": false,
-    "live_patch_available": true,
-    "live_patch_tools": [
-      "Operator-side allowlist of MCP server configurations",
-      "Pin MCP server commands to immutable absolute paths",
-      "Disable user-provided MCP server config until vendor advisory lands"
-    ],
-    "vendor_update_paths": [
-      "Pending Anthropic SDK security release"
-    ],
-    "framework_control_gaps": {
-      "NIST-AI-RMF-MEASURE-2.7": "MCP-client trust boundary not specifically called out — operator-config-as-input is treated as platform-trusted.",
-      "OWASP-LLM-Top-10-2025-LLM05": "Improper output handling on LLM-side; this is the symmetric upstream — improper INPUT handling on transport side.",
-      "ISO-27001-2022-A.8.28": "Secure coding assumed in vendor SDKs without tooling to attest."
-    },
-    "atlas_refs": [
-      "AML.T0040"
-    ],
-    "attack_refs": [
-      "T1059"
-    ],
-    "rwep_score": 25,
-    "rwep_factors": {
-      "cisa_kev": 0,
-      "poc_available": 0,
-      "ai_factor": 0,
-      "active_exploitation": 5,
-      "blast_radius": 30,
-      "patch_available": 0,
-      "live_patch_available": -10,
-      "reboot_required": 0
-    },
-    "epss_score": null,
-    "epss_date": "2026-05-14",
-    "cwe_refs": [
-      "CWE-78",
-      "CWE-88"
-    ],
-    "source_verified": "2026-05-14",
-    "verification_sources": [
-      "https://docs.anthropic.com/security",
-      "https://modelcontextprotocol.io/"
-    ],
-    "last_updated": "2026-05-15",
-    "discovery_attribution_note": "Discovered by OX Security research team (Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok); part of the four-exploitation-family April 2026 MCP advisory. Named-human research; no AI-tool credited for the discovery despite the target being an AI SDK. Source: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
-  },
-  "CVE-2026-GTIG-AI-2FA": {
-    "_draft": true,
-    "_draft_reason": "Placeholder entry — affected product is unnamed under GTIG embargo and affected_versions is set to \"pending-disclosure\". The key itself is not a real CVE identifier (GTIG-tracked, no MITRE assignment yet). Hard Rule #1 fields cannot be verified against a vendor advisory until the embargo lifts and a real CVE id is assigned. Re-triage once GTIG/MITRE publishes the canonical id and affected-product list.",
-    "name": "GTIG-tracked AI-built 2FA-bypass zero-day (placeholder)",
-    "type": "auth-bypass",
-    "cvss_score": 8.1,
-    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
-    "cisa_kev": false,
-    "cisa_kev_date": null,
-    "poc_available": false,
-    "poc_description": "Embargoed — GTIG 2026-05-11 report references in-the-wild exploitation by a financially motivated threat actor using AI-built exploit code targeting an unnamed enterprise 2FA service.",
-    "ai_discovered": true,
-    "ai_discovery_notes": "First documented case of a fully AI-BUILT zero-day exploit observed in-the-wild.",
-    "ai_assisted_weaponization": true,
-    "ai_assisted_notes": "Per GTIG attribution analysis — exploit code structure consistent with AI-generated output.",
-    "active_exploitation": "confirmed",
-    "affected": "Unnamed enterprise 2FA service per GTIG embargo; placeholder entry pending CVE assignment.",
-    "affected_versions": [
-      "pending-disclosure"
-    ],
-    "vector": "Authentication state-machine confusion — exploit payload bypasses second-factor challenge by manipulating session token at the post-primary-auth / pre-2FA-challenge boundary.",
-    "complexity": "moderate",
-    "patch_available": false,
-    "patch_required_reboot": false,
-    "live_patch_available": true,
-    "live_patch_tools": [
-      "Vendor-side rate-limiting on 2FA challenge endpoint",
-      "Anomaly detection on session-token mutation between auth phases",
-      "Out-of-band MFA fallback"
-    ],
-    "vendor_update_paths": [
-      "Pending vendor advisory"
-    ],
-    "framework_control_gaps": {
-      "NIST-AI-RMF-MEASURE-2.7": "AI-discovered + AI-built exploit class not anchored in any framework.",
-      "NIS2-Art21-incident-handling": "EU NIS2 incident-handling SLA does not differentiate AI-built vs human-built exploit class.",
-      "ISO-27001-2022-A.5.7": "Threat intelligence control does not specifically require AI-attack-development feeds.",
-      "FedRAMP-IA-2": "MFA requirement satisfied on paper; AI-built bypass operates at a layer below the MFA control surface.",
-      "EU-AI-Act-Art-15": "AI Act robustness requirement applies to AI SYSTEMS not to defending against AI-built attacks."
-    },
-    "atlas_refs": [
-      "AML.T0040",
-      "AML.T0051"
-    ],
-    "attack_refs": [
-      "T1078",
-      "T1556"
-    ],
-    "rwep_score": 55,
-    "rwep_factors": {
-      "cisa_kev": 0,
-      "poc_available": 0,
-      "ai_factor": 15,
-      "active_exploitation": 20,
-      "blast_radius": 30,
-      "patch_available": 0,
-      "live_patch_available": -10,
-      "reboot_required": 0
-    },
-    "epss_score": null,
-    "epss_date": "2026-05-14",
-    "cwe_refs": [
-      "CWE-287"
-    ],
-    "source_verified": "2026-05-14",
-    "verification_sources": [
-      "https://cloud.google.com/blog/topics/threat-intelligence/",
-      "https://services.google.com/fh/files/misc/gtig-2026-ai-attack-trends.pdf"
-    ],
-    "last_updated": "2026-05-15",
-    "discovery_attribution_note": "AI-developed zero-day per Google Threat Intelligence Group 2026-05-11 disclosure; first publicly-attributed in-the-wild AI-built zero-day exploit. GTIG assesses with high confidence that an LLM was weaponized to facilitate discovery + weaponization of a 2FA bypass in a popular open-source web administration tool. Source: https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access and https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html.",
-    "rwep_correction_note": "v0.12.30: canonicalized rwep_factors to satisfy Shape B invariant (Σ factors === rwep_score). Prior values used non-canonical weights and/or blast_radius > 30 (over-cap). Stored rwep_score unchanged; factor block now reproducible from canonical RWEP_WEIGHTS + operational fields."
-  },
   "CVE-2026-30623": {
     "ai_assisted_weaponization": false,
     "name": "Anthropic MCP SDK stdio command-injection",
@@ -3704,5 +3562,100 @@
     ],
     "last_updated": "2026-05-17",
     "discovery_attribution_note": "TeamPCP threat-actor framework, not a vulnerability discovery. The framework was open-sourced 2026-05-12 on GitHub under MIT license by the same actor group responsible for the September 2025 / November 2025 / May 2026 Shai-Hulud npm-worm waves. TeamPCP self-describes the framework as \"vibe coded\" — AI-coding-assistant-mediated authoring. Adoption-side weaponization is accelerated by AI coding assistants + the BreachForums-hosted $1,000 USD bounty contest."
+  },
+  "CVE-2024-21762": {
+    "ai_assisted_weaponization": false,
+    "name": "Fortinet FortiOS / FortiProxy SSL-VPN out-of-bounds write (sslvpnd preauth RCE)",
+    "type": "out-of-bounds-write-preauth-rce",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD 9.8. Fortinet PSIRT FG-IR-24-015 advisory scored 9.6; the 0.2 delta is the scope (S:U vs S:C) interpretation. Operationally treated as 9.8 — unauthenticated network reach to the SSL-VPN web surface with code execution on the appliance.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2024-02-09",
+    "cisa_kev_due_date": "2024-02-16",
+    "poc_available": true,
+    "poc_description": "Multiple public PoCs published within days of Fortinet's 2024-02-08 disclosure (h4x0r-dz/CVE-2024-21762 on GitHub among the earliest). The vulnerability is an out-of-bounds write in sslvpnd reachable via a specially crafted unauthenticated HTTP request to the SSL-VPN web surface.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Vendor-internal discovery by Fortinet PSIRT; no AI tooling credited.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Fortinet's 2024-02-08 advisory stated the vulnerability was 'potentially being exploited in the wild'; CISA KEV-listed the next day (2024-02-09) with a 7-day federal remediation deadline. Multiple state-aligned and ransomware-affiliate clusters subsequently observed exploiting the bug for initial access. Canadian Centre for Cyber Security joint advisory (2024) bundled CVE-2024-21762 with CVE-2022-42475 and CVE-2023-27997 as the canonical FortiGate persistent-access trio. Fortinet's 2025-04-11 advisory documented a post-exploitation technique establishing persistence on devices patched after compromise — read-only symlinks left behind in the SSL-VPN language-file directory grant ongoing filesystem read access even on fully patched firmware, requiring an additional cleanup step beyond the patch itself.",
+    "affected": "Fortinet FortiOS and FortiProxy SSL-VPN feature on FortiGate appliances. Any internet-facing FortiGate with SSL-VPN enabled is in scope; FortiGates without SSL-VPN enabled are not reachable via this vector.",
+    "affected_versions": [
+      "fortios 7.6.0 (pre-7.6.2)",
+      "fortios 7.4.0-7.4.6 (pre-7.4.7)",
+      "fortios 7.2.0-7.2.10 (pre-7.2.11)",
+      "fortios 7.0.0-7.0.16 (pre-7.0.17)",
+      "fortios 6.4.0-6.4.15 (pre-6.4.16)",
+      "fortiproxy 7.4.0-7.4.2 (pre-7.4.3)",
+      "fortiproxy 7.2.0-7.2.8 (pre-7.2.9)",
+      "fortiproxy 7.0.0-7.0.14 (pre-7.0.15)",
+      "fortiproxy 2.0.0-2.0.13 (pre-2.0.14)"
+    ],
+    "vector": "Out-of-bounds write in the sslvpnd daemon's HTTP request handling. An unauthenticated remote attacker sends a specially crafted HTTP request to the SSL-VPN web surface, corrupting memory and achieving code execution as the sslvpnd process on the appliance. Workaround pre-patch: disable SSL-VPN entirely (Fortinet's recommended interim mitigation).",
+    "complexity": "low",
+    "complexity_notes": "Single-request exploitation, no preconditions beyond SSL-VPN being enabled and network-reachable. Public PoCs available; mass-scanning observed within hours of disclosure.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "FortiOS firmware updates require a device reboot. No live-patching primitive exists for FortiGate appliances. Fortinet's 2025-04 post-exploitation advisory adds an additional cleanup requirement on top of the firmware update — operators must follow the FortiGuard remediation steps to remove read-only symlinks left behind by attackers who compromised the device before patching.",
+    "vendor_update_paths": [
+      "FortiOS 7.6.2+",
+      "FortiOS 7.4.7+",
+      "FortiOS 7.2.11+",
+      "FortiOS 7.0.17+",
+      "FortiOS 6.4.16+",
+      "FortiProxy 7.4.3+",
+      "FortiProxy 7.2.9+",
+      "FortiProxy 7.0.15+",
+      "FortiProxy 2.0.14+"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day patch SLA is multiple orders of magnitude longer than the observed exploitation window (hours from disclosure to mass-scanning). Reboot-required nature breaks the standard maintenance-window assumption; many operators delayed patching until the next scheduled window, extending exposure.",
+      "ISO-27001-2022-A.8.8": "'Appropriate timescales' undefined; standard 30-day interpretation is unsafe for an unauthenticated preauth RCE on an internet-facing security appliance with public PoCs and confirmed in-wild exploitation.",
+      "NIS2-Art21-network-security": "EU NIS2 treats VPN concentrators as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA. Operators in NIS2 sectors typically discovered the vulnerability via vendor advisory, not via the regulatory channel.",
+      "DORA-Art-9": "ICT incident management presumes vendor-patch cadence; the appliance-reboot requirement breaks the standard SLA assumption for financial-entity SSL-VPN concentrators.",
+      "UK-CAF-B4": "System security principle is silent on the operational reality that fully patched FortiGates can carry attacker persistence (symlink-based filesystem read access) seeded before the patch was applied. Patch alone is insufficient; cleanup verification is required.",
+      "AU-ISM-1546": "Essential 8 patch-applications ML3 (48h) is closer to the operational reality than NIST SI-2 but still misses the mass-scanning window. Internet-facing-appliance class deserves a tighter SLA than general application patching.",
+      "PCI-DSS-4.0-6.3.3": "30-day critical patch window is exploitation acceptance for an unauthenticated preauth RCE on a perimeter SSL-VPN appliance carrying CDE traffic."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1133"
+    ],
+    "rwep_score": 85,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "RWEP 85. cisa_kev (+25) + poc_available (+20) + active_exploitation confirmed (+20) + blast_radius 30 (every internet-facing FortiGate with SSL-VPN enabled — global perimeter-appliance install base, frequently used as ransomware initial-access vector through 2024-2026) - patch_available (-15) + reboot_required (+5). Live-patch credit not available — FortiOS has no live-patching primitive. Operationally exceeds the live-patching ceiling because patching requires a maintenance window; many fleets remained exposed for weeks after the patch shipped.",
+    "epss_score": null,
+    "epss_date": null,
+    "cwe_refs": [
+      "CWE-787"
+    ],
+    "source_verified": "2026-05-17",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-21762",
+      "https://www.fortiguard.com/psirt/FG-IR-24-015",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://www.tenable.com/blog/cve-2024-21762-critical-fortinet-fortios-out-of-bound-write-ssl-vpn-vulnerability",
+      "https://www.rapid7.com/blog/post/2024/02/12/etr-critical-fortinet-fortios-cve-2024-21762-exploited/",
+      "https://www.huntress.com/threat-library/vulnerabilities/cve-2024-21762",
+      "https://www.helpnetsecurity.com/2024/02/12/critical-fortinet-fortios-flaw-exploited-in-the-wild-cve-2024-21762/",
+      "https://www.cisa.gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities",
+      "https://www.cyber.gc.ca/en/alerts-advisories/compromise-persistent-access-fortinet-fortios-products-cve-2022-42475-cve-2023-27997-cve-2024-21762"
+    ],
+    "_draft": false,
+    "last_updated": "2026-05-17",
+    "discovery_attribution_note": "Vendor-internal discovery by Fortinet PSIRT, disclosed 2024-02-08 via advisory FG-IR-24-015. No external researcher byline. CISA KEV-listed 2024-02-09 with a 7-day federal remediation deadline. Post-exploitation symlink-persistence technique documented in Fortinet's 2025-04-11 advisory after operators reported residual filesystem access on devices patched after compromise."
   }
 }

package/data/cwe-catalog.json

@@ -1369,6 +1369,7 @@
     ],
     "evidence_cves": [
       "CVE-2023-3519",
+      "CVE-2024-21762",
       "CVE-2026-0300",
       "CVE-2026-42945",
       "CVE-2026-43500",

package/data/exploit-availability.json

@@ -287,33 +287,6 @@
     "last_verified": "2026-05-15",
     "verification_source": "TanStack security advisory 2026-05-11, npm advisories"
   },
-  "MAL-2026-ANTHROPIC-MCP-STDIO": {
-    "poc_status": "private",
-    "poc_description": "Embargoed reproduction in vendor channel; operator-side mitigations published while CVE assignment is pending.",
-    "weaponization_stage": "partially_weaponized",
-    "ai_discovery_confirmed": false,
-    "ai_discovery_source": "vendor_research",
-    "ai_assist_factor": "moderate",
-    "ai_assisted_weaponization": false,
-    "exploit_complexity": "low",
-    "active_exploitation": "unknown",
-    "last_verified": "2026-05-15",
-    "verification_source": "Anthropic security channel, MCP project advisory"
-  },
-  "CVE-2026-GTIG-AI-2FA": {
-    "poc_status": "private",
-    "poc_description": "Embargoed per GTIG. AI-built exploit code observed in-the-wild against an unnamed enterprise 2FA service.",
-    "weaponization_stage": "fully_weaponized",
-    "ai_discovery_confirmed": true,
-    "ai_discovery_source": "threat_actor_ai_built",
-    "ai_assist_factor": "very_high",
-    "ai_discovery_notes": "First documented case of a fully AI-BUILT zero-day exploit observed in-the-wild — threat actor used a frontier LLM to construct the auth-state-confusion payload.",
-    "ai_assisted_weaponization": true,
-    "exploit_complexity": "moderate",
-    "active_exploitation": "confirmed",
-    "last_verified": "2026-05-15",
-    "verification_source": "GTIG 2026-05-11 report, Google Cloud Threat Intelligence"
-  },
   "CVE-2026-30623": {
     "poc_status": "public",
     "poc_description": "Public advisory documents the argv-string concatenation in MCP-client stdio transport; researcher-published PoC chains operator-config to shell-meta injection.",