@blamejs/exceptd-skills 0.13.4 → 0.13.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "_meta": {
3
3
  "schema_version": "1.1.0",
4
- "last_updated": "2026-05-15",
4
+ "last_updated": "2026-05-18",
5
5
  "last_threat_review": "2026-05-17",
6
6
  "purpose": "Zero-day learning loop output. Each entry maps a CVE to: attack vector, defense chain analysis, framework coverage, new control requirements generated, and exposure scoring. v1.1.0 (2026-05-15): every entry now carries ai_discovered_zeroday boolean + ai_discovery_source enum + ai_discovery_date + ai_assist_factor ladder, per AGENTS.md Hard Rule #7.",
7
7
  "note": "Never delete entries. Closed gaps are marked status: closed. History is data.",
@@ -16,7 +16,8 @@
16
16
  "stale_after_days": 180,
17
17
  "rebuild_after_days": 365,
18
18
  "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
19
- }
19
+ },
20
+ "entry_count": 67
20
21
  },
21
22
  "CVE-2026-31431": {
22
23
  "name": "Copy Fail",
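Review bot: `"entry_count": 67` added at the end of this hunk is a hand-maintained duplicate of the number of top-level CVE keys, and nothing in the file ties the two together, so it will silently drift the next time an entry is appended (the same commit adds many entries in the hunk at @@ -2919). Either generate the value at publish time or have consumers treat it as a cross-check — count the non-`_meta` top-level keys and fail closed on mismatch, which fits the `note` on the preceding line that already requires freshness checks before high-stakes use. The `_meta` object this hunk edits starts outside the hunk, and the value 67 cannot be confirmed from the visible portion of the diff. Adding a new `_meta` field while `schema_version` stays `"1.1.0"` may also break consumers that validate the block strictly; a patch-level bump would signal the shape change.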
@@ -2919,5 +2920,1751 @@
2919
2920
  "ai_discovered_zeroday": false,
2920
2921
  "ai_discovery_source": "vendor_research",
2921
2922
  "ai_assist_factor": "low"
2923
+ },
2924
+ "CVE-2025-10585": {
2925
+ "name": "Google Chrome V8 Type Confusion Zero-Day (TAG-disclosed)",
2926
+ "lesson_date": "2026-05-18",
2927
+ "attack_vector": {
2928
+ "description": "Type confusion in V8's WebAssembly/JIT path reachable via a malicious web page; primitive yields renderer arbitrary read/write. Full-system compromise typically requires pairing with a Chromium sandbox escape.",
2929
+ "privileges_required": "none (drive-by web rendering)",
2930
+ "complexity": "low — exploit observed in the wild before disclosure",
2931
+ "ai_factor": "Not AI-discovered. Google TAG human-researcher attribution; no AI tool credit."
2932
+ },
2933
+ "framework_coverage": {
2934
+ "NIST-800-53-SI-2": {
2935
+ "covered": true,
2936
+ "adequate": false,
2937
+ "gap": "30-day SI-2 patch SLA is two orders of magnitude longer than the operational exploitation window for a KEV-listed in-wild V8 zero-day."
2938
+ },
2939
+ "ISO-27001-2022-A.8.8": {
2940
+ "covered": true,
2941
+ "adequate": false,
2942
+ "gap": "Appropriate timescales undefined; enterprise managed-browser update deferral (7-30 days for QA) is exposure acceptance."
2943
+ },
2944
+ "CIS-Controls-v8-7.4": {
2945
+ "covered": true,
2946
+ "adequate": false,
2947
+ "gap": "Automated updates assumed in the control text but enterprise update-ring deferral defeats the spirit."
2948
+ },
2949
+ "NIS2-Art21-patch-management": {
2950
+ "covered": true,
2951
+ "adequate": false,
2952
+ "gap": "No explicit browser-zero-day SLA on endpoint estates."
2953
+ }
2954
+ },
2955
+ "new_control_requirements": [
2956
+ {
2957
+ "id": "NEW-CTRL-001",
2958
+ "name": "CISA-KEV-RESPONSE-SLA",
2959
+ "description": "4h KEV-listing mitigation SLA applies directly.",
2960
+ "evidence": "CVE-2025-10585 — KEV-listed 2025-09-23 with confirmed in-wild exploitation pre-disclosure.",
2961
+ "gap_closes": [
2962
+ "NIST-800-53-SI-2",
2963
+ "ISO-27001-2022-A.8.8"
2964
+ ]
2965
+ },
2966
+ {
2967
+ "id": "NEW-CTRL-057",
2968
+ "name": "BROWSER-MANAGED-UPDATE-NO-DEFERRAL",
2969
+ "description": "Enterprise update rings must not defer security-channel browser updates beyond 24h.",
2970
+ "evidence": "CVE-2025-10585 — managed-update deferral kept renderers exposed during the hottest exploit window.",
2971
+ "gap_closes": [
2972
+ "CIS-Controls-v8-7.4",
2973
+ "NIS2-Art21-patch-management"
2974
+ ]
2975
+ }
2976
+ ],
2977
+ "compliance_exposure_score": {
2978
+ "percent_audit_passing_orgs_still_exposed": 75,
2979
+ "basis": "Enterprise browser management commonly uses 7-day update rings; SOC 2 / ISO 27001 audits do not contradict that posture.",
2980
+ "theater_pattern": "patch_management"
2981
+ },
2982
+ "ai_discovered_zeroday": false,
2983
+ "ai_discovery_source": "vendor_research",
2984
+ "ai_discovery_date": "2025-09-16",
2985
+ "ai_assist_factor": "none"
2986
+ },
2987
+ "CVE-2025-14174": {
2988
+ "name": "Apple WebKit Memory Corruption Zero-Day (Targeted Spyware)",
2989
+ "lesson_date": "2026-05-18",
2990
+ "attack_vector": {
2991
+ "description": "Memory corruption in WebKit triggered by malicious web content; commonly chained with a kernel exploit for sandbox escape. Apple characterised the activity as 'extremely sophisticated' — commercial-spyware / nation-state tradecraft against specific individuals.",
2992
+ "privileges_required": "none (rendered web content)",
2993
+ "complexity": "high (commercial-spyware-grade chain; no public PoC)",
2994
+ "ai_factor": "Not AI-discovered. Apple did not publish discovery credit; targeted-spyware operator activity rather than AI-assisted research."
2995
+ },
2996
+ "framework_coverage": {
2997
+ "NIST-800-53-SI-2": {
2998
+ "covered": true,
2999
+ "adequate": false,
3000
+ "gap": "Standard mobile patch baselines (often monthly) do not meet the operational reality of targeted-spyware deployment hours after exploit availability."
3001
+ },
3002
+ "ISO-27001-2022-A.8.8": {
3003
+ "covered": true,
3004
+ "adequate": false,
3005
+ "gap": "Mobile endpoint patching commonly user-driven; no MDM-enforced KEV-class SLA prescribed."
3006
+ },
3007
+ "NIS2-Art21-patch-management": {
3008
+ "covered": true,
3009
+ "adequate": false,
3010
+ "gap": "Mobile estates routinely out of scope of enterprise patch SLA in mid-market NIS2 filings."
3011
+ }
3012
+ },
3013
+ "new_control_requirements": [
3014
+ {
3015
+ "id": "NEW-CTRL-001",
3016
+ "name": "CISA-KEV-RESPONSE-SLA",
3017
+ "description": "4h KEV-listing mitigation SLA applies; reboot-required does not extend the SLA.",
3018
+ "evidence": "CVE-2025-14174 — KEV-listed 2025-12-15 with confirmed targeted in-wild exploitation.",
3019
+ "gap_closes": [
3020
+ "NIST-800-53-SI-2"
3021
+ ]
3022
+ },
3023
+ {
3024
+ "id": "NEW-CTRL-056",
3025
+ "name": "MOBILE-ENDPOINT-MDM-ENFORCED-KEV-SLA",
3026
+ "description": "iOS / iPadOS / macOS estates must enforce KEV-class updates within 24h via DDM; user-deferral disallowed.",
3027
+ "evidence": "CVE-2025-14174 — default Apple MDM profiles do not enforce a KEV-deadline-bound update.",
3028
+ "gap_closes": [
3029
+ "ISO-27001-2022-A.8.8",
3030
+ "NIS2-Art21-patch-management"
3031
+ ]
3032
+ }
3033
+ ],
3034
+ "compliance_exposure_score": {
3035
+ "percent_audit_passing_orgs_still_exposed": 85,
3036
+ "basis": "Mobile-endpoint patch enforcement via MDM is rare in audit-passing organisations; most allow user-deferral on OS updates.",
3037
+ "theater_pattern": "patch_management"
3038
+ },
3039
+ "ai_discovered_zeroday": false,
3040
+ "ai_discovery_source": "vendor_research",
3041
+ "ai_discovery_date": "2025-12-15",
3042
+ "ai_assist_factor": "none"
3043
+ },
3044
+ "CVE-2025-43529": {
3045
+ "name": "Apple WebKit Use-After-Free (DarkSword 1-click chain)",
3046
+ "lesson_date": "2026-05-18",
3047
+ "attack_vector": {
3048
+ "description": "Use-after-free in WebKit reachable via crafted web content; primary 1-click initial-access vector in the DarkSword commercial exploit kit. Pairs with sandbox-escape primitives for full chain.",
3049
+ "privileges_required": "none (1-click web content)",
3050
+ "complexity": "low (commercial exploit-kit primitive)",
3051
+ "ai_factor": "Not AI-discovered. Commercial exploit kit (DarkSword) attribution; no AI tool credit."
3052
+ },
3053
+ "framework_coverage": {
3054
+ "NIST-800-53-SI-2": {
3055
+ "covered": true,
3056
+ "adequate": false,
3057
+ "gap": "Same KEV+PoC class as CVE-2025-14174; mobile patch SLAs not calibrated to in-wild WebKit UAFs."
3058
+ },
3059
+ "ISO-27001-2022-A.8.8": {
3060
+ "covered": true,
3061
+ "adequate": false,
3062
+ "gap": "Mobile-endpoint patch SLAs treat OS updates as user-pushed rather than enforced within KEV deadlines."
3063
+ }
3064
+ },
3065
+ "new_control_requirements": [
3066
+ {
3067
+ "id": "NEW-CTRL-001",
3068
+ "name": "CISA-KEV-RESPONSE-SLA",
3069
+ "description": "4h KEV-listing mitigation SLA applies.",
3070
+ "evidence": "CVE-2025-43529 — KEV-listed 2025-12-15 with commercial-exploit-kit-confirmed in-wild use.",
3071
+ "gap_closes": [
3072
+ "NIST-800-53-SI-2"
3073
+ ]
3074
+ },
3075
+ {
3076
+ "id": "NEW-CTRL-056",
3077
+ "name": "MOBILE-ENDPOINT-MDM-ENFORCED-KEV-SLA",
3078
+ "description": "DDM-enforced 24h KEV update on iOS/macOS estates.",
3079
+ "evidence": "CVE-2025-43529 — same mobile-MDM gap as CVE-2025-14174; the DarkSword kit demonstrates the commercial monetization of that gap.",
3080
+ "gap_closes": [
3081
+ "ISO-27001-2022-A.8.8"
3082
+ ]
3083
+ }
3084
+ ],
3085
+ "compliance_exposure_score": {
3086
+ "percent_audit_passing_orgs_still_exposed": 85,
3087
+ "basis": "Mobile-endpoint MDM-enforced updates are rare; commercial exploit kits monetize the gap directly.",
3088
+ "theater_pattern": "patch_management"
3089
+ },
3090
+ "ai_discovered_zeroday": false,
3091
+ "ai_discovery_source": "human_researcher",
3092
+ "ai_discovery_date": "2025-12-15",
3093
+ "ai_assist_factor": "none"
3094
+ },
3095
+ "CVE-2025-4919": {
3096
+ "name": "Firefox SpiderMonkey Type Confusion (Pwn2Own Berlin)",
3097
+ "lesson_date": "2026-05-18",
3098
+ "attack_vector": {
3099
+ "description": "Type confusion in SpiderMonkey's WASM-GC code triggered by crafted JavaScript / WebAssembly; primitive grants renderer read/write. Sandbox NOT escaped in the disclosed Pwn2Own chain.",
3100
+ "privileges_required": "none (web rendering)",
3101
+ "complexity": "low (single-character & vs | typo in WASM-GC code path)",
3102
+ "ai_factor": "Not AI-discovered. Pwn2Own Berlin 2025 contestant; same-day patch; no AI tool credit."
3103
+ },
3104
+ "framework_coverage": {
3105
+ "NIST-800-53-SI-2": {
3106
+ "covered": true,
3107
+ "adequate": false,
3108
+ "gap": "Enterprise 7-day patch SLAs for high-severity browser CVEs lag the same-day vendor turnaround expected for Pwn2Own-class flaws."
3109
+ },
3110
+ "ISO-27001-2022-A.8.8": {
3111
+ "covered": true,
3112
+ "adequate": false,
3113
+ "gap": "Patch timescale unspecified; secondary-browser (Firefox) maintenance often deprioritised vs Chrome/Edge."
3114
+ }
3115
+ },
3116
+ "new_control_requirements": [
3117
+ {
3118
+ "id": "NEW-CTRL-057",
3119
+ "name": "BROWSER-MANAGED-UPDATE-NO-DEFERRAL",
3120
+ "description": "Secondary-browser updates must not lag primary-browser updates; Firefox ESR policy enforcement must commit within 24h of MFSA publication.",
3121
+ "evidence": "CVE-2025-4919 — Firefox ESR estates routinely deprioritised vs Chrome/Edge.",
3122
+ "gap_closes": [
3123
+ "NIST-800-53-SI-2",
3124
+ "ISO-27001-2022-A.8.8"
3125
+ ]
3126
+ }
3127
+ ],
3128
+ "compliance_exposure_score": {
3129
+ "percent_audit_passing_orgs_still_exposed": 60,
3130
+ "basis": "Firefox / ESR estates commonly run behind Chrome update cadence in enterprise managed-browser programs.",
3131
+ "theater_pattern": "patch_management"
3132
+ },
3133
+ "ai_discovered_zeroday": false,
3134
+ "ai_discovery_source": "human_researcher",
3135
+ "ai_discovery_date": "2025-05-17",
3136
+ "ai_assist_factor": "none"
3137
+ },
3138
+ "CVE-2025-24201": {
3139
+ "name": "Apple WebKit Out-of-Bounds Write (Glass Cage chain, iOS sandbox escape)",
3140
+ "lesson_date": "2026-05-18",
3141
+ "attack_vector": {
3142
+ "description": "WebKit OOB write reachable via crafted web content; zero-click via iMessage when chained with CVE-2025-43300 (ImageIO) and CVE-2025-24085 (Core Media). Public 'Glass Cage' chain on GitHub achieves sandbox escape + kernel access + device bricking on iOS 18.2.1.",
3143
+ "privileges_required": "none (zero-click via iMessage in the documented chain)",
3144
+ "complexity": "high for full chain; low for the WebKit primitive in isolation",
3145
+ "ai_factor": "Not AI-discovered. Apple internal telemetry-driven discovery; no AI tool credit."
3146
+ },
3147
+ "framework_coverage": {
3148
+ "NIST-800-53-SI-2": {
3149
+ "covered": true,
3150
+ "adequate": false,
3151
+ "gap": "KEV-listed with public chain; mobile patch SLAs (14-30 days) do not match the 4h exposure window for zero-click chains."
3152
+ },
3153
+ "ISO-27001-2022-A.8.8": {
3154
+ "covered": true,
3155
+ "adequate": false,
3156
+ "gap": "Mobile-OS update timeliness user-driven; no enforced KEV-class SLA."
3157
+ },
3158
+ "ENISA-mobile-secure-baseline": {
3159
+ "covered": true,
3160
+ "adequate": false,
3161
+ "gap": "Operator MDM policy is the only enforcement layer; default Apple MDM profiles do not enforce KEV-deadline updates."
3162
+ }
3163
+ },
3164
+ "new_control_requirements": [
3165
+ {
3166
+ "id": "NEW-CTRL-001",
3167
+ "name": "CISA-KEV-RESPONSE-SLA",
3168
+ "description": "4h KEV-listing mitigation SLA applies to the mobile estate.",
3169
+ "evidence": "CVE-2025-24201 — KEV-listed 2025-03-12 with public Glass Cage chain.",
3170
+ "gap_closes": [
3171
+ "NIST-800-53-SI-2"
3172
+ ]
3173
+ },
3174
+ {
3175
+ "id": "NEW-CTRL-056",
3176
+ "name": "MOBILE-ENDPOINT-MDM-ENFORCED-KEV-SLA",
3177
+ "description": "DDM-enforced 24h KEV update on iOS / iPadOS estates.",
3178
+ "evidence": "CVE-2025-24201 — zero-click iMessage chain shipped publicly; default MDM permits user-deferral.",
3179
+ "gap_closes": [
3180
+ "ISO-27001-2022-A.8.8",
3181
+ "ENISA-mobile-secure-baseline"
3182
+ ]
3183
+ }
3184
+ ],
3185
+ "compliance_exposure_score": {
3186
+ "percent_audit_passing_orgs_still_exposed": 80,
3187
+ "basis": "Public sandbox-escape chains on iOS routinely outpace organisational MDM-enforced update cadence.",
3188
+ "theater_pattern": "patch_management"
3189
+ },
3190
+ "ai_discovered_zeroday": false,
3191
+ "ai_discovery_source": "vendor_research",
3192
+ "ai_discovery_date": "2025-03-11",
3193
+ "ai_assist_factor": "none"
3194
+ },
3195
+ "CVE-2025-43300": {
3196
+ "name": "Apple ImageIO Out-of-Bounds Write (DNG/JPEG-lossless zero-click chain root)",
3197
+ "lesson_date": "2026-05-18",
3198
+ "attack_vector": {
3199
+ "description": "OOB write in ImageIO triggered when TIFF SamplesPerPixel conflicts with JPEG SOF3 component count in a crafted DNG / JPEG-lossless image. Zero-click via iMessage / WhatsApp / any auto-rendering image path. Initial-access primitive in the Glass Cage chain.",
3200
+ "privileges_required": "none (zero-click image rendering)",
3201
+ "complexity": "high for full chain; medium for the ImageIO primitive in isolation",
3202
+ "ai_factor": "Not AI-discovered. Apple internal disclosure; no AI tool credit."
3203
+ },
3204
+ "framework_coverage": {
3205
+ "NIST-800-53-SI-2": {
3206
+ "covered": true,
3207
+ "adequate": false,
3208
+ "gap": "Zero-click image-processing CVE; default mobile patch SLAs assume user-driven update timing."
3209
+ },
3210
+ "ISO-27001-2022-A.8.8": {
3211
+ "covered": true,
3212
+ "adequate": false,
3213
+ "gap": "Mobile endpoints commonly outside enterprise patch-management scope."
3214
+ },
3215
+ "PCI-DSS-4.0-6.3.3": {
3216
+ "covered": true,
3217
+ "adequate": false,
3218
+ "gap": "1-month critical SLA insufficient for an in-wild zero-click chain."
3219
+ }
3220
+ },
3221
+ "new_control_requirements": [
3222
+ {
3223
+ "id": "NEW-CTRL-001",
3224
+ "name": "CISA-KEV-RESPONSE-SLA",
3225
+ "description": "4h KEV-listing mitigation SLA applies.",
3226
+ "evidence": "CVE-2025-43300 — KEV-listed 2025-08-21 with confirmed in-wild zero-click exploitation.",
3227
+ "gap_closes": [
3228
+ "NIST-800-53-SI-2",
3229
+ "PCI-DSS-4.0-6.3.3"
3230
+ ]
3231
+ },
3232
+ {
3233
+ "id": "NEW-CTRL-056",
3234
+ "name": "MOBILE-ENDPOINT-MDM-ENFORCED-KEV-SLA",
3235
+ "description": "DDM-enforced 24h KEV update on mobile estates.",
3236
+ "evidence": "CVE-2025-43300 — zero-click iMessage / WhatsApp delivery makes user-deferral untenable.",
3237
+ "gap_closes": [
3238
+ "ISO-27001-2022-A.8.8"
3239
+ ]
3240
+ }
3241
+ ],
3242
+ "compliance_exposure_score": {
3243
+ "percent_audit_passing_orgs_still_exposed": 82,
3244
+ "basis": "Zero-click image-processing chains require MDM-enforced update cadence; most audit-passing orgs do not enforce it.",
3245
+ "theater_pattern": "patch_management"
3246
+ },
3247
+ "ai_discovered_zeroday": false,
3248
+ "ai_discovery_source": "vendor_research",
3249
+ "ai_discovery_date": "2025-08-20",
3250
+ "ai_assist_factor": "none"
3251
+ },
3252
+ "CVE-2025-38352": {
3253
+ "name": "Android / Linux Kernel POSIX CPU Timer Race (sandbox-escape LPE)",
3254
+ "lesson_date": "2026-05-18",
3255
+ "attack_vector": {
3256
+ "description": "Race between handle_posix_cpu_timers() and posix_cpu_timer_del() when a task exits while CPU timers are being removed; improper exit_state handling opens an LPE window. Used as a zero-day to escape the Android application sandbox; public 'chronomaly' PoC targets vulnerable x86_64 Linux kernels.",
3257
+ "privileges_required": "local unprivileged process (Android app / Linux user)",
3258
+ "complexity": "moderate (race condition, but reliable PoC published)",
3259
+ "ai_factor": "Not AI-discovered. Google Android Security Bulletin attribution; no AI tool credit."
3260
+ },
3261
+ "framework_coverage": {
3262
+ "NIST-800-53-SI-2": {
3263
+ "covered": true,
3264
+ "adequate": false,
3265
+ "gap": "Android device patch deployment varies wildly by OEM (often 30-90 days behind Google bulletin) — KEV deadline cannot realistically bind non-Pixel devices."
3266
+ },
3267
+ "ISO-27001-2022-A.8.8": {
3268
+ "covered": true,
3269
+ "adequate": false,
3270
+ "gap": "Mobile firmware patching timescales undefined; OEM-controlled."
3271
+ },
3272
+ "NIS2-Art21-patch-management": {
3273
+ "covered": true,
3274
+ "adequate": false,
3275
+ "gap": "Mobile-OS estate patch SLA is exception territory in most NIS2 OES filings."
3276
+ }
3277
+ },
3278
+ "new_control_requirements": [
3279
+ {
3280
+ "id": "NEW-CTRL-001",
3281
+ "name": "CISA-KEV-RESPONSE-SLA",
3282
+ "description": "4h KEV-listing mitigation SLA — operational constraint: OEM patch cadence breaks the SLA on non-Pixel Android.",
3283
+ "evidence": "CVE-2025-38352 — KEV-listed 2025-09-04; OEM lag means many fleets miss the deadline structurally.",
3284
+ "gap_closes": [
3285
+ "NIST-800-53-SI-2"
3286
+ ]
3287
+ },
3288
+ {
3289
+ "id": "NEW-CTRL-002",
3290
+ "name": "LIVE-PATCH-CAPABILITY",
3291
+ "description": "Where live-patch is available (kpatch / canonical-livepatch on Linux servers), it must be deployed and tested quarterly.",
3292
+ "evidence": "CVE-2025-38352 — Linux server estates can avoid reboot windows; Android cannot.",
3293
+ "gap_closes": [
3294
+ "ISO-27001-2022-A.8.8"
3295
+ ]
3296
+ },
3297
+ {
3298
+ "id": "NEW-CTRL-056",
3299
+ "name": "MOBILE-ENDPOINT-MDM-ENFORCED-KEV-SLA",
3300
+ "description": "Android Enterprise managed-update SLA must commit security patches within OEM-published cadence; OEMs lagging > 30 days behind the Google bulletin must be inventoried as KEV-non-conformant.",
3301
+ "evidence": "CVE-2025-38352 — Android OEM patch cadence is the binding constraint on KEV compliance.",
3302
+ "gap_closes": [
3303
+ "NIS2-Art21-patch-management"
3304
+ ]
3305
+ }
3306
+ ],
3307
+ "compliance_exposure_score": {
3308
+ "percent_audit_passing_orgs_still_exposed": 88,
3309
+ "basis": "Android OEM patch lag is endemic; KEV deadline is structurally unachievable on most non-Pixel fleets.",
3310
+ "theater_pattern": "patch_management"
3311
+ },
3312
+ "ai_discovered_zeroday": false,
3313
+ "ai_discovery_source": "vendor_research",
3314
+ "ai_discovery_date": "2025-09-02",
3315
+ "ai_assist_factor": "none"
3316
+ },
3317
+ "CVE-2025-55241": {
3318
+ "name": "Microsoft Entra ID Cross-Tenant Actor Token Impersonation",
3319
+ "lesson_date": "2026-05-18",
3320
+ "attack_vector": {
3321
+ "description": "Attacker requests an undocumented 'Actor' token from a benign tenant and presents it to the legacy Azure AD Graph endpoint in a target tenant. The API fails to validate the originating-tenant claim and authorises the impersonated identity, bypassing MFA, Conditional Access, and tenant-level audit. Demonstrated Global Admin impersonation across arbitrary tenants.",
3322
+ "privileges_required": "low-privilege identity in any Entra tenant",
3323
+ "complexity": "low once the Actor-token primitive is known",
3324
+ "ai_factor": "Not AI-discovered. Researcher Dirk-Jan Mollema disclosure; no AI tool credit."
3325
+ },
3326
+ "framework_coverage": {
3327
+ "NIST-800-53-AC-6": {
3328
+ "covered": true,
3329
+ "adequate": false,
3330
+ "gap": "Cross-tenant authority validation is not an enumerated control; least-privilege assumed within tenant boundary."
3331
+ },
3332
+ "NIST-800-53-IA-8": {
3333
+ "covered": true,
3334
+ "adequate": false,
3335
+ "gap": "Identity-provider-side flaw escapes federation trust boundary assumptions."
3336
+ },
3337
+ "ISO-27001-2022-A.5.15": {
3338
+ "covered": true,
3339
+ "adequate": false,
3340
+ "gap": "Access control bound to tenant identity; cross-tenant trust validation undefined."
3341
+ },
3342
+ "EU-AI-Act-Art15": {
3343
+ "covered": true,
3344
+ "adequate": false,
3345
+ "gap": "Cloud-identity primitives underpinning agentic systems are not in scope; supply-chain identity validation gap."
3346
+ }
3347
+ },
3348
+ "new_control_requirements": [
3349
+ {
3350
+ "id": "NEW-CTRL-058",
3351
+ "name": "CLOUD-CONTROL-PLANE-CROSS-TENANT-CLAIM-VALIDATION",
3352
+ "description": "IdPs must validate originating-tenant claim on every cross-tenant token-bearing call and log it to a tenant-immutable channel. Customers must monitor for impossible-actor patterns.",
3353
+ "evidence": "CVE-2025-55241 — Actor token impersonation bypassed every tenant-side control because the legacy API did not validate the originating-tenant claim.",
3354
+ "gap_closes": [
3355
+ "NIST-800-53-AC-6",
3356
+ "NIST-800-53-IA-8",
3357
+ "ISO-27001-2022-A.5.15"
3358
+ ]
3359
+ }
3360
+ ],
3361
+ "compliance_exposure_score": {
3362
+ "percent_audit_passing_orgs_still_exposed": 100,
3363
+ "basis": "Pre-fix, every Entra tenant globally was exposed; no operator-side compensating control existed. Microsoft fixed server-side before public disclosure, so post-fix exposure is zero — the compliance story is about whether operators have telemetry to detect future control-plane bugs of this class.",
3364
+ "theater_pattern": "vendor_management"
3365
+ },
3366
+ "ai_discovered_zeroday": false,
3367
+ "ai_discovery_source": "human_researcher",
3368
+ "ai_discovery_date": "2025-07-14",
3369
+ "ai_assist_factor": "none"
3370
+ },
3371
+ "CVE-2025-21085": {
3372
+ "name": "Cisco Duo Authentication Proxy Credential Disclosure in Logs",
3373
+ "lesson_date": "2026-05-18",
3374
+ "attack_vector": {
3375
+ "description": "Authproxy debug-level logging emits cleartext credentials during LDAP/AD password-change operations. Local authenticated attacker (or post-compromise lateral mover) reads authproxy.log to recover credentials.",
3376
+ "privileges_required": "local authenticated read on the Duo Auth Proxy host with debug logging enabled",
3377
+ "complexity": "low — read a file",
3378
+ "ai_factor": "Not AI-discovered. Cisco PSIRT internal discovery; no AI tool credit."
3379
+ },
3380
+ "framework_coverage": {
3381
+ "NIST-800-53-AU-9": {
3382
+ "covered": true,
3383
+ "adequate": false,
3384
+ "gap": "Log-content classification is operator-defined; sensitive-data-in-logs is a recurring pattern across identity middleware."
3385
+ },
3386
+ "ISO-27001-2022-A.8.15": {
3387
+ "covered": true,
3388
+ "adequate": false,
3389
+ "gap": "Logging integrity vs sensitive-content separation underspecified."
3390
+ },
3391
+ "PCI-DSS-4.0-10.5": {
3392
+ "covered": true,
3393
+ "adequate": false,
3394
+ "gap": "Logs containing authentication secrets violate scope-isolation assumptions."
3395
+ }
3396
+ },
3397
+ "new_control_requirements": [
3398
+ {
3399
+ "id": "NEW-CTRL-059",
3400
+ "name": "SENSITIVE-DATA-IN-LOGS-LINT",
3401
+ "description": "Identity middleware must lint log output for credential-shaped strings at every severity level; CI must reject builds whose log statements emit secret-tagged fields.",
3402
+ "evidence": "CVE-2025-21085 — Duo Auth Proxy emitted cleartext credentials at debug level.",
3403
+ "gap_closes": [
3404
+ "NIST-800-53-AU-9",
3405
+ "ISO-27001-2022-A.8.15",
3406
+ "PCI-DSS-4.0-10.5"
3407
+ ]
3408
+ }
3409
+ ],
3410
+ "compliance_exposure_score": {
3411
+ "percent_audit_passing_orgs_still_exposed": 55,
3412
+ "basis": "Debug logging is commonly enabled during onboarding/troubleshooting and rarely re-disabled; log-content sensitivity audits seldom check identity middleware specifically.",
3413
+ "theater_pattern": "detection_gap"
3414
+ },
3415
+ "ai_discovered_zeroday": false,
3416
+ "ai_discovery_source": "vendor_research",
3417
+ "ai_discovery_date": "2025-09-04",
3418
+ "ai_assist_factor": "none"
3419
+ },
3420
+ "CVE-2025-1094": {
3421
+ "name": "PostgreSQL psql SQL Injection via Invalid UTF-8 → ACE",
3422
+ "lesson_date": "2026-05-18",
3423
+ "attack_vector": {
3424
+ "description": "Invalid UTF-8 byte sequences interact with libpq string-escaping and psql meta-command processing to permit SQL injection escalated to arbitrary command execution. Exploited in the BeyondTrust and US Treasury breaches.",
3425
+ "privileges_required": "none (network-reachable PostgreSQL with attacker-controlled input)",
3426
+ "complexity": "moderate (Metasploit module published)",
3427
+ "ai_factor": "Not AI-discovered. Rapid7 incident-triage disclosure during BeyondTrust investigation; no AI tool credit."
3428
+ },
3429
+ "framework_coverage": {
3430
+ "NIST-800-53-SI-10": {
3431
+ "covered": true,
3432
+ "adequate": false,
3433
+ "gap": "Input-validation control assumes UTF-8 well-formedness; invalid-byte handling is implementation-defined."
3434
+ },
3435
+ "PCI-DSS-4.0-6.2.4": {
3436
+ "covered": true,
3437
+ "adequate": false,
3438
+ "gap": "Critical-class injection patch SLA (30 days) insufficient for KEV + ACE + public PoC."
3439
+ },
3440
+ "ISO-27001-2022-A.8.28": {
3441
+ "covered": true,
3442
+ "adequate": false,
3443
+ "gap": "Secure coding for input validation; UTF-8 invalidity not enumerated."
3444
+ },
3445
+ "NIS2-Art21-patch-management": {
3446
+ "covered": true,
3447
+ "adequate": false,
3448
+ "gap": "30-day patch window inconsistent with KEV deadline."
3449
+ }
3450
+ },
3451
+ "new_control_requirements": [
3452
+ {
3453
+ "id": "NEW-CTRL-001",
3454
+ "name": "CISA-KEV-RESPONSE-SLA",
3455
+ "description": "4h KEV-listing mitigation SLA applies; breach-confirmed exploitation makes this load-bearing.",
3456
+ "evidence": "CVE-2025-1094 — KEV-listed 2025-02-13; BeyondTrust + US Treasury breaches.",
3457
+ "gap_closes": [
3458
+ "NIST-800-53-SI-10",
3459
+ "PCI-DSS-4.0-6.2.4",
3460
+ "NIS2-Art21-patch-management"
3461
+ ]
3462
+ }
3463
+ ],
3464
+ "compliance_exposure_score": {
3465
+ "percent_audit_passing_orgs_still_exposed": 72,
3466
+ "basis": "PostgreSQL is widely deployed across audit-passing organisations; the KEV-deadline patch window is rarely met for database servers due to maintenance-window scheduling.",
3467
+ "theater_pattern": "patch_management"
3468
+ },
3469
+ "ai_discovered_zeroday": false,
3470
+ "ai_discovery_source": "vendor_research",
3471
+ "ai_discovery_date": "2025-02-13",
3472
+ "ai_assist_factor": "none"
3473
+ },
3474
+ "CVE-2025-49844": {
3475
+ "name": "Redis Lua Use-After-Free RCE (RediShell)",
3476
+ "lesson_date": "2026-05-18",
3477
+ "attack_vector": {
3478
+ "description": "13-year-old UAF in the Redis Lua interpreter. Post-auth attacker sends a crafted Lua EVAL script that escapes the sandbox and executes as the redis-server process. Default Redis deployments without auth enable unauthenticated exploitation.",
3479
+ "privileges_required": "network-reachable EVAL access (no auth on default deployments)",
3480
+ "complexity": "moderate (sandbox escape primitive published by Wiz Research)",
3481
+ "ai_factor": "Not AI-discovered. Wiz Research human-led disclosure; no AI tool credit."
3482
+ },
3483
+ "framework_coverage": {
3484
+ "NIST-800-53-CM-7": {
3485
+ "covered": true,
3486
+ "adequate": false,
3487
+ "gap": "Default-deny on Lua scripting not enumerated; Redis ships with EVAL enabled."
3488
+ },
3489
+ "ISO-27001-2022-A.8.9": {
3490
+ "covered": true,
3491
+ "adequate": false,
3492
+ "gap": "Configuration baselines for in-memory stores rarely disable Lua scripting."
3493
+ },
3494
+ "PCI-DSS-4.0-6.3.3": {
3495
+ "covered": true,
3496
+ "adequate": false,
3497
+ "gap": "30-day SLA insufficient for CVSS 10.0 + 13-year backdoor-class regression."
3498
+ },
3499
+ "OWASP-API-Security-Top-10-API8:2023": {
3500
+ "covered": true,
3501
+ "adequate": false,
3502
+ "gap": "Server-side script execution as data primitive is endemic to Redis defaults."
3503
+ }
3504
+ },
3505
+ "new_control_requirements": [
3506
+ {
3507
+ "id": "NEW-CTRL-060",
3508
+ "name": "DATABASE-SERVER-SIDE-SCRIPTING-DEFAULT-DENY",
3509
+ "description": "In-memory and document datastores must ship with server-side scripting disabled by default; re-enabling requires documented threat-model acceptance.",
3510
+ "evidence": "CVE-2025-49844 — 13-year Lua UAF became unauthenticated RCE on default-deployed Redis because EVAL ships enabled.",
3511
+ "gap_closes": [
3512
+ "NIST-800-53-CM-7",
3513
+ "ISO-27001-2022-A.8.9",
3514
+ "OWASP-API-Security-Top-10-API8:2023"
3515
+ ]
3516
+ },
3517
+ {
3518
+ "id": "NEW-CTRL-061",
3519
+ "name": "IN-MEMORY-DATASTORE-MEMORY-DISCLOSURE-NETWORK-EXPOSURE-AUDIT",
3520
+ "description": "Quarterly inventory of Redis / KeyDB / Valkey direct-internet exposure.",
3521
+ "evidence": "CVE-2025-49844 — internet-exposed Redis instances without auth are an unauthenticated RCE substrate.",
3522
+ "gap_closes": [
3523
+ "PCI-DSS-4.0-6.3.3"
3524
+ ]
3525
+ }
3526
+ ],
3527
+ "compliance_exposure_score": {
3528
+ "percent_audit_passing_orgs_still_exposed": 78,
3529
+ "basis": "Default Redis configuration ships Lua scripting enabled; auditors do not typically test for it. Shodan-visible unauthenticated Redis populations remain high years into the disclosure cycle.",
3530
+ "theater_pattern": "secure_coding_theater"
3531
+ },
3532
+ "ai_discovered_zeroday": false,
3533
+ "ai_discovery_source": "vendor_research",
3534
+ "ai_discovery_date": "2025-10-06",
3535
+ "ai_assist_factor": "none"
3536
+ },
3537
+ "CVE-2025-14847": {
3538
+ "name": "MongoDB Server zlib Heap-Memory Disclosure (MongoBleed)",
3539
+ "lesson_date": "2026-05-18",
3540
+ "attack_vector": {
3541
+ "description": "Mismatched length fields in zlib-compressed wire-protocol headers cause MongoDB Server to return uninitialized heap memory to unauthenticated clients. Heap can contain prior request data, session keys, document fragments.",
3542
+ "privileges_required": "none (unauthenticated network reach to MongoDB)",
3543
+ "complexity": "low (public exploit code; opportunistic scanning observed)",
3544
+ "ai_factor": "Not AI-discovered. Bitsight + MongoDB-coordinated disclosure; no AI tool credit."
3545
+ },
3546
+ "framework_coverage": {
3547
+ "NIST-800-53-SC-28": {
3548
+ "covered": true,
3549
+ "adequate": false,
3550
+ "gap": "Encryption-at-rest controls do not address in-memory leak."
3551
+ },
3552
+ "ISO-27001-2022-A.8.24": {
3553
+ "covered": true,
3554
+ "adequate": false,
3555
+ "gap": "Cryptographic protection in transit assumed; heap-disclosure escapes both."
3556
+ },
3557
+ "PCI-DSS-4.0-3.5": {
3558
+ "covered": true,
3559
+ "adequate": false,
3560
+ "gap": "Cardholder data potentially exposed via uninitialised-memory leak even when at-rest encryption is correct."
3561
+ },
3562
+ "GDPR-Art32": {
3563
+ "covered": true,
3564
+ "adequate": false,
3565
+ "gap": "Confidentiality-by-design control insufficient for memory-disclosure class."
3566
+ }
3567
+ },
3568
+ "new_control_requirements": [
3569
+ {
3570
+ "id": "NEW-CTRL-061",
3571
+ "name": "IN-MEMORY-DATASTORE-MEMORY-DISCLOSURE-NETWORK-EXPOSURE-AUDIT",
3572
+ "description": "Memory-disclosure-class CVEs against datastores must be treated as data-exfiltration incidents; quarterly direct-internet exposure audit.",
3573
+ "evidence": "CVE-2025-14847 (MongoBleed) — unauthenticated heap leak escapes both at-rest and in-transit encryption.",
3574
+ "gap_closes": [
3575
+ "NIST-800-53-SC-28",
3576
+ "ISO-27001-2022-A.8.24",
3577
+ "PCI-DSS-4.0-3.5",
3578
+ "GDPR-Art32"
3579
+ ]
3580
+ }
3581
+ ],
3582
+ "compliance_exposure_score": {
3583
+ "percent_audit_passing_orgs_still_exposed": 70,
3584
+ "basis": "MongoDB direct-internet exposure remains common; memory-disclosure-class CVEs rarely trigger the same response posture as RCE despite equivalent breach-notification implications.",
3585
+ "theater_pattern": "detection_gap"
3586
+ },
3587
+ "ai_discovered_zeroday": false,
3588
+ "ai_discovery_source": "vendor_research",
3589
+ "ai_discovery_date": "2025-11-19",
3590
+ "ai_assist_factor": "none"
3591
+ },
3592
+ "CVE-2025-8671": {
3593
+ "name": "HTTP/2 MadeYouReset DoS (Rapid Reset successor)",
3594
+ "lesson_date": "2026-05-18",
3595
+ "attack_vector": {
3596
+ "description": "Malformed WINDOW_UPDATE / PRIORITY / DATA frames trigger server-side stream resets while the backend continues processing, bypassing MAX_CONCURRENT_STREAMS and exhausting resources. Estimated 2.8M+ internet-facing instances vulnerable across Tomcat, Netty, Varnish, Fastly, F5.",
3597
+ "privileges_required": "none (unauthenticated single connection)",
3598
+ "complexity": "low (public PoC tooling)",
3599
+ "ai_factor": "Not AI-discovered. Tel Aviv University academic protocol-fuzzing research paired with Imperva production traffic analysis. Specific AI-fuzzing tool credit was not published — proposal records the closest enum match as academic_ai_fuzzing but the published research did not attribute the discovery to a specific AI fuzzing system."
3600
+ },
3601
+ "framework_coverage": {
3602
+ "NIST-800-53-SC-5": {
3603
+ "covered": true,
3604
+ "adequate": false,
3605
+ "gap": "DoS-protection controls do not enumerate HTTP/2 stream-reset bypass class."
3606
+ },
3607
+ "ISO-27001-2022-A.8.9": {
3608
+ "covered": true,
3609
+ "adequate": false,
3610
+ "gap": "Configuration baselines do not address HTTP/2 protocol-implementation differences across servers."
3611
+ },
3612
+ "OWASP-API-Security-Top-10-API4:2023": {
3613
+ "covered": true,
3614
+ "adequate": false,
3615
+ "gap": "Rate-limiting at HTTP layer ineffective against per-connection HTTP/2 stream amplification."
3616
+ },
3617
+ "NIS2-Art21-availability": {
3618
+ "covered": true,
3619
+ "adequate": false,
3620
+ "gap": "Availability-class threat under-specified for protocol-implementation bugs."
3621
+ }
3622
+ },
3623
+ "new_control_requirements": [
3624
+ {
3625
+ "id": "NEW-CTRL-062",
3626
+ "name": "HTTP2-STREAM-RESET-ACCOUNTING",
3627
+ "description": "HTTP/2 implementations must account in-flight backend work against MAX_CONCURRENT_STREAMS regardless of client-visible stream resets; per-connection completion budgets must survive stream-reset bypass patterns.",
3628
+ "evidence": "CVE-2025-8671 — server-side stream resets bypassed MAX_CONCURRENT_STREAMS while backend continued processing.",
3629
+ "gap_closes": [
3630
+ "NIST-800-53-SC-5",
3631
+ "OWASP-API-Security-Top-10-API4:2023",
3632
+ "NIS2-Art21-availability"
3633
+ ]
3634
+ }
3635
+ ],
3636
+ "compliance_exposure_score": {
3637
+ "percent_audit_passing_orgs_still_exposed": 65,
3638
+ "basis": "HTTP/2 implementations are widespread but rarely audited at protocol-implementation depth; the Rapid Reset → MadeYouReset → next-variant cadence suggests the protocol-fuzzing surface is far from exhausted.",
3639
+ "theater_pattern": "detection_gap"
3640
+ },
3641
+ "ai_discovered_zeroday": false,
3642
+ "ai_discovery_source": "academic_ai_fuzzing",
3643
+ "ai_discovery_date": "2025-08-13",
3644
+ "ai_assist_factor": "low"
3645
+ },
3646
+ "CVE-2025-6965": {
3647
+ "name": "SQLite Memory Corruption (Big Sleep AI pre-emptive discovery)",
3648
+ "lesson_date": "2026-05-18",
3649
+ "attack_vector": {
3650
+ "description": "Integer overflow yielding out-of-bounds array read in SQLite. Attacker who can inject arbitrary SQL statements into an application triggers the overflow; memory disclosure / corruption depending on context. SQLite has extremely broad downstream footprint (embedded systems, mobile OS, browsers, AI/ML pipelines, every Python/Node/Go runtime).",
3651
+ "privileges_required": "ability to inject arbitrary SQL into a SQLite-backed application",
3652
+ "complexity": "moderate",
3653
+ "ai_factor": "Big Sleep — Google DeepMind + Project Zero AI agent (Gemini-backed). First documented case of an AI agent foiling exploitation of an in-the-wild zero-day; Google publicly stated this was 'the first time an AI agent has been used to directly foil efforts to exploit a vulnerability in the wild.' AI surfaced the bug from threat-intelligence signals before any operator-observable exploit landed."
3654
+ },
3655
+ "framework_coverage": {
3656
+ "NIST-800-53-SI-10": {
3657
+ "covered": true,
3658
+ "adequate": false,
3659
+ "gap": "Application-layer SQL filtering assumed; embedded-SQLite attack surface often invisible to AppSec scope."
3660
+ },
3661
+ "ISO-27001-2022-A.8.28": {
3662
+ "covered": true,
3663
+ "adequate": false,
3664
+ "gap": "Secure-coding controls do not cover bundled-library memory-safety regressions."
3665
+ },
3666
+ "EU-AI-Act-Art15": {
3667
+ "covered": true,
3668
+ "adequate": false,
3669
+ "gap": "AI-system robustness — discovered by AI, prevented by AI; framework has no concept of AI-defender attribution credit."
3670
+ }
3671
+ },
3672
+ "new_control_requirements": [
3673
+ {
3674
+ "id": "NEW-CTRL-024",
3675
+ "name": "AI-DISCOVERY-RESPONSE-SLA",
3676
+ "description": "AI-discovered vulnerabilities must enter the patch program on the AI-discovery-date timestamp, not the public-disclosure timestamp.",
3677
+ "evidence": "CVE-2025-6965 — Big Sleep discovery preceded the operator-visible disclosure cycle; orgs that wait for NVD publication miss the actual exposure window.",
3678
+ "gap_closes": [
3679
+ "NIST-800-53-SI-10",
3680
+ "ISO-27001-2022-A.8.28"
3681
+ ]
3682
+ },
3683
+ {
3684
+ "id": "NEW-CTRL-071",
3685
+ "name": "AI-DISCOVERY-CREDIT-IN-COMPLIANCE-EVIDENCE",
3686
+ "description": "Compliance evidence packs must record AI-tool contribution to vulnerability discovery as a distinct positive control modality.",
3687
+ "evidence": "CVE-2025-6965 — Big Sleep AI-defender contribution has no attribution path under EU AI Act Art.15 or ISO/IEC 42001.",
3688
+ "gap_closes": [
3689
+ "EU-AI-Act-Art15"
3690
+ ]
3691
+ }
3692
+ ],
3693
+ "compliance_exposure_score": {
3694
+ "percent_audit_passing_orgs_still_exposed": 70,
3695
+ "basis": "Bundled-SQLite inventory is rarely maintained; AI-discovery cadence outpaces operator patch-program cadence on most estates.",
3696
+ "theater_pattern": "vulnerability_management_theater"
3697
+ },
3698
+ "ai_discovered_zeroday": true,
3699
+ "ai_discovery_source": "vendor_research",
3700
+ "ai_discovery_date": "2025-07-15",
3701
+ "ai_assist_factor": "very_high"
3702
+ },
3703
+ "CVE-2026-22778": {
3704
+ "name": "vLLM Multimodal Heap Overflow RCE via JPEG2000 / FFmpeg / OpenCV",
3705
+ "lesson_date": "2026-05-18",
3706
+ "attack_vector": {
3707
+ "description": "Unauthenticated network attacker submits a malicious video URL to a vLLM multimodal API endpoint; bundled FFmpeg JPEG2000 decoder inside OpenCV triggers a heap overflow yielding RCE as the vLLM service user (commonly running with GPU + model-weight + credential access). Earlier vLLM versions leaked a heap address via a PIL error message, supplying the ASLR-defeat primitive.",
3708
+ "privileges_required": "none (unauthenticated network reach to the vLLM multimodal API)",
3709
+ "complexity": "moderate (multimodal-input attack surface novel to most AppSec programs)",
3710
+ "ai_factor": "Not AI-discovered. OX Security human research disclosure; no AI tool credit."
3711
+ },
3712
+ "framework_coverage": {
3713
+ "NIST-800-53-SI-3": {
3714
+ "covered": true,
3715
+ "adequate": false,
3716
+ "gap": "Inference-server input validation not enumerated; multimodal-input surface novel to most AppSec programs."
3717
+ },
3718
+ "EU-AI-Act-Art15": {
3719
+ "covered": true,
3720
+ "adequate": false,
3721
+ "gap": "AI-system robustness controls reference adversarial inputs but not host RCE via multimodal decoder."
3722
+ },
3723
+ "ISO-IEC-42001-AIMS": {
3724
+ "covered": true,
3725
+ "adequate": false,
3726
+ "gap": "AI Management System lacks specific multimodal-input validation requirement."
3727
+ }
3728
+ },
3729
+ "new_control_requirements": [
3730
+ {
3731
+ "id": "NEW-CTRL-063",
3732
+ "name": "MULTIMODAL-INFERENCE-INPUT-DECODER-ISOLATION",
3733
+ "description": "Inference servers must isolate media-decoder stacks in a separate process / sandbox with no GPU / model-weight / credential access. Decoder-class CVEs trigger inference-server SLA, not generic library SLA.",
3734
+ "evidence": "CVE-2026-22778 — FFmpeg 5.1.x JPEG2000 decoder bundled inside OpenCV led to RCE as the vLLM service.",
3735
+ "gap_closes": [
3736
+ "NIST-800-53-SI-3",
3737
+ "EU-AI-Act-Art15",
3738
+ "ISO-IEC-42001-AIMS"
3739
+ ]
3740
+ }
3741
+ ],
3742
+ "compliance_exposure_score": {
3743
+ "percent_audit_passing_orgs_still_exposed": 85,
3744
+ "basis": "Multimodal inference servers are rarely architected with decoder-process isolation; bundled-codec inventory is essentially never maintained at AppSec depth.",
3745
+ "theater_pattern": "ai_supply_chain_trust"
3746
+ },
3747
+ "ai_discovered_zeroday": false,
3748
+ "ai_discovery_source": "vendor_research",
3749
+ "ai_discovery_date": "2026-01-15",
3750
+ "ai_assist_factor": "none"
3751
+ },
3752
+ "CVE-2026-7482": {
3753
+ "name": "Ollama Bleeding Llama Heap Memory Disclosure",
3754
+ "lesson_date": "2026-05-18",
3755
+ "attack_vector": {
3756
+ "description": "Crafted file upload to Ollama's model-quantization API causes out-of-bounds heap read; server process memory (potentially including model weights, conversation context, API keys) leaks to unauthenticated network clients. Ollama ships with no default authentication.",
3757
+ "privileges_required": "none (unauthenticated network reach to the Ollama API)",
3758
+ "complexity": "low (public PoC)",
3759
+ "ai_factor": "Not AI-discovered. Coordinated disclosure to Ollama security team; no AI tool credit."
3760
+ },
3761
+ "framework_coverage": {
3762
+ "NIST-800-53-AC-3": {
3763
+ "covered": true,
3764
+ "adequate": false,
3765
+ "gap": "Ollama ships with no default authentication; control assumes operator hardens deployment."
3766
+ },
3767
+ "EU-AI-Act-Art10": {
3768
+ "covered": true,
3769
+ "adequate": false,
3770
+ "gap": "Data-governance controls do not enumerate model-server memory-disclosure class."
3771
+ },
3772
+ "ISO-IEC-42001-AIMS": {
3773
+ "covered": true,
3774
+ "adequate": false,
3775
+ "gap": "AI management system lacks default-deny network exposure expectation for local-model servers."
3776
+ },
3777
+ "OWASP-LLM-Top-10-LLM06": {
3778
+ "covered": true,
3779
+ "adequate": false,
3780
+ "gap": "Sensitive information disclosure — class applies but no implementation guidance for local-model servers."
3781
+ }
3782
+ },
3783
+ "new_control_requirements": [
3784
+ {
3785
+ "id": "NEW-CTRL-065",
3786
+ "name": "AI-MODEL-SERVER-DEFAULT-AUTHENTICATION",
3787
+ "description": "Local-model and inference servers must ship with authentication enabled by default and refuse non-loopback binding without explicit configuration.",
3788
+ "evidence": "CVE-2026-7482 — heap disclosure to unauthenticated network clients because Ollama defaults are network-permissive.",
3789
+ "gap_closes": [
3790
+ "NIST-800-53-AC-3",
3791
+ "EU-AI-Act-Art10",
3792
+ "ISO-IEC-42001-AIMS",
3793
+ "OWASP-LLM-Top-10-LLM06"
3794
+ ]
3795
+ }
3796
+ ],
3797
+ "compliance_exposure_score": {
3798
+ "percent_audit_passing_orgs_still_exposed": 80,
3799
+ "basis": "Ollama / local-model server inventory and network-exposure audits are rare; default-deploy posture is widely accepted as good enough.",
3800
+ "theater_pattern": "ai_supply_chain_trust"
3801
+ },
3802
+ "ai_discovered_zeroday": false,
3803
+ "ai_discovery_source": "vendor_research",
3804
+ "ai_discovery_date": "2026-04-14",
3805
+ "ai_assist_factor": "none"
3806
+ },
3807
+ "CVE-2025-68664": {
3808
+ "name": "LangChain Core LangGrinch Serialization Injection",
3809
+ "lesson_date": "2026-05-18",
3810
+ "attack_vector": {
3811
+ "description": "dumps() / dumpd() do not escape free-form dictionaries containing the internal 'lc' key marker. Prompt-injection-controlled LLM response fields (additional_kwargs / response_metadata) survive a dumps/dumpd → loads round-trip and are rehydrated as legitimate LangChain objects, enabling secret extraction and downstream RCE in pipelines that further evaluate the deserialised object.",
3812
+ "privileges_required": "ability to inject content into the LLM's response (prompt injection via tool result, RAG document, web search result, email, etc.)",
3813
+ "complexity": "moderate (requires prompt-injection primitive plus pipeline that round-trips LLM output)",
3814
+ "ai_factor": "Not AI-discovered. Cyata human research team disclosure via prompt-injection attack-surface analysis. AI is the weaponisation primitive (LLM emits the payload-shaped response) — ai_assisted_weaponization=true in source — but not the discovery side."
3815
+ },
3816
+ "framework_coverage": {
3817
+ "NIST-AI-RMF-MEASURE-2.7": {
3818
+ "covered": true,
3819
+ "adequate": false,
3820
+ "gap": "Prompt-injection-driven serialisation round-trip not in published AI-risk taxonomy."
3821
+ },
3822
+ "EU-AI-Act-Art15": {
3823
+ "covered": true,
3824
+ "adequate": false,
3825
+ "gap": "Robustness control does not enumerate serialisation-deserialisation chain as an attack surface."
3826
+ },
3827
+ "ISO-IEC-42001-AIMS-A.6.2.5": {
3828
+ "covered": true,
3829
+ "adequate": false,
3830
+ "gap": "Lifecycle controls do not include LLM-output trust-zone separation."
3831
+ },
3832
+ "OWASP-LLM-Top-10-LLM01": {
3833
+ "covered": true,
3834
+ "adequate": "reference only",
3835
+ "gap": "Prompt injection enumerated; no implementation requirement for serialisation trust boundaries."
3836
+ },
3837
+ "OWASP-LLM-Top-10-LLM02": {
3838
+ "covered": true,
3839
+ "adequate": "reference only",
3840
+ "gap": "Insecure output handling enumerated; serialisation round-trip is the specific instance."
3841
+ }
3842
+ },
3843
+ "new_control_requirements": [
3844
+ {
3845
+ "id": "NEW-CTRL-064",
3846
+ "name": "LLM-OUTPUT-DESERIALIZATION-TRUST-ZONE",
3847
+ "description": "LLM responses must cross a serialisation trust boundary; frameworks must refuse to rehydrate framework-internal object markers from LLM-output-derived fields.",
3848
+ "evidence": "CVE-2025-68664 — LangChain dumps()/dumpd() did not escape the 'lc' marker in attacker-controlled LLM response fields.",
3849
+ "gap_closes": [
3850
+ "NIST-AI-RMF-MEASURE-2.7",
3851
+ "EU-AI-Act-Art15",
3852
+ "ISO-IEC-42001-AIMS-A.6.2.5",
3853
+ "OWASP-LLM-Top-10-LLM02"
3854
+ ]
3855
+ },
3856
+ {
3857
+ "id": "NEW-CTRL-005",
3858
+ "name": "AI-TOOL-INPUT-SANITIZATION",
3859
+ "description": "External-source content reaching the LLM must be treated as adversarial; pairs with NEW-CTRL-064 on the output side.",
3860
+ "evidence": "CVE-2025-68664 — prompt-injection upstream is the trigger; output-side trust zone is the closure.",
3861
+ "gap_closes": [
3862
+ "OWASP-LLM-Top-10-LLM01"
3863
+ ]
3864
+ }
3865
+ ],
3866
+ "compliance_exposure_score": {
3867
+ "percent_audit_passing_orgs_still_exposed": 92,
3868
+ "basis": "Production LangChain deployments commonly round-trip LLM responses through dumps/loads without any trust boundary; no compliance framework requires it.",
3869
+ "theater_pattern": "ai_supply_chain_trust"
3870
+ },
3871
+ "ai_discovered_zeroday": false,
3872
+ "ai_discovery_source": "vendor_research",
3873
+ "ai_discovery_date": "2025-12-09",
3874
+ "ai_assist_factor": "medium"
3875
+ },
3876
+ "CVE-2025-22224": {
3877
+ "name": "VMware ESXi/Workstation VMCI TOCTOU → VMX Host Code Execution",
3878
+ "lesson_date": "2026-05-18",
3879
+ "attack_vector": {
3880
+ "description": "Local administrative privilege on a guest VM exploits a TOCTOU race in VMCI (Virtual Machine Communication Interface), leading to OOB write in the VMX host process — VM escape to hypervisor. Huntress PDB-path evidence ('2024_02_19' folder) suggests the exploit chain pre-dated disclosure by ~12 months. Used in ransomware operations per CISA February 2026 follow-up.",
3881
+ "privileges_required": "local guest-admin in a VM on the host",
3882
+ "complexity": "moderate (TOCTOU race; in-wild PoC predates disclosure)",
3883
+ "ai_factor": "Not AI-discovered. Microsoft Threat Intelligence Center disclosure; no AI tool credit."
3884
+ },
3885
+ "framework_coverage": {
3886
+ "NIST-800-53-SC-39": {
3887
+ "covered": true,
3888
+ "adequate": false,
3889
+ "gap": "Hypervisor isolation control assumes guest-to-host boundary is intact; TOCTOU race breaks it."
3890
+ },
3891
+ "ISO-27001-2022-A.8.21": {
3892
+ "covered": true,
3893
+ "adequate": false,
3894
+ "gap": "Network segregation assumed at the virtualization layer; VM-escape sidesteps."
3895
+ },
3896
+ "PCI-DSS-4.0-2.2.3": {
3897
+ "covered": true,
3898
+ "adequate": false,
3899
+ "gap": "Multi-tenant segmentation premise violated."
3900
+ },
3901
+ "NIS2-Art21-business-continuity": {
3902
+ "covered": true,
3903
+ "adequate": false,
3904
+ "gap": "Hypervisor compromise blast radius covers all tenants on the host."
3905
+ },
3906
+ "FedRAMP-SC-7": {
3907
+ "covered": true,
3908
+ "adequate": false,
3909
+ "gap": "Boundary protection assumes hypervisor as trust anchor."
3910
+ }
3911
+ },
3912
+ "new_control_requirements": [
3913
+ {
3914
+ "id": "NEW-CTRL-001",
3915
+ "name": "CISA-KEV-RESPONSE-SLA",
3916
+ "description": "4h KEV-listing mitigation SLA on the hypervisor estate.",
3917
+ "evidence": "CVE-2025-22224 — KEV-listed 2025-03-04; ransomware-confirmed in-wild use.",
3918
+ "gap_closes": [
3919
+ "NIST-800-53-SC-39"
3920
+ ]
3921
+ },
3922
+ {
3923
+ "id": "NEW-CTRL-068",
3924
+ "name": "HYPERVISOR-VM-ESCAPE-TENANCY-ASSUMPTION",
3925
+ "description": "Multi-tenant virtualization must treat any guest-admin as a hypervisor adversary; KEV-listed hypervisor CVEs trigger 24h SLA regardless of tenancy.",
3926
+ "evidence": "CVE-2025-22224 — ~12 months of pre-disclosure in-wild use blew through every tenancy assumption.",
3927
+ "gap_closes": [
3928
+ "ISO-27001-2022-A.8.21",
3929
+ "PCI-DSS-4.0-2.2.3",
3930
+ "NIS2-Art21-business-continuity",
3931
+ "FedRAMP-SC-7"
3932
+ ]
3933
+ }
3934
+ ],
3935
+ "compliance_exposure_score": {
3936
+ "percent_audit_passing_orgs_still_exposed": 82,
3937
+ "basis": "Hypervisor patch cadence is structurally slow due to maintenance-window scheduling; ransomware operators target the window directly.",
3938
+ "theater_pattern": "patch_management"
3939
+ },
3940
+ "ai_discovered_zeroday": false,
3941
+ "ai_discovery_source": "vendor_research",
3942
+ "ai_discovery_date": "2025-03-04",
3943
+ "ai_assist_factor": "none"
3944
+ },
3945
+ "CVE-2025-22225": {
3946
+ "name": "VMware ESXi Arbitrary Kernel Write (VM-escape chain, ransomware-active)",
3947
+ "lesson_date": "2026-05-18",
3948
+ "attack_vector": {
3949
+ "description": "Arbitrary kernel-write primitive inside the VMX process used to write to ESXi kernel memory and execute as the hypervisor. Chained with CVE-2025-22224 (TOCTOU) and CVE-2025-22226 (memory leak) for full VM-escape → hypervisor-management access.",
3950
+ "privileges_required": "code execution inside the VMX process (typically from CVE-2025-22224 chain step)",
3951
+ "complexity": "moderate (chain component; ransomware-confirmed)",
3952
+ "ai_factor": "Not AI-discovered. Microsoft Threat Intelligence Center co-disclosure; no AI tool credit."
3953
+ },
3954
+ "framework_coverage": {
3955
+ "NIST-800-53-SC-39": {
3956
+ "covered": true,
3957
+ "adequate": false,
3958
+ "gap": "Same hypervisor-isolation gap as CVE-2025-22224; ransomware-confirmed."
3959
+ },
3960
+ "PCI-DSS-4.0-2.2.3": {
3961
+ "covered": true,
3962
+ "adequate": false,
3963
+ "gap": "Multi-tenant assumption violated."
3964
+ },
3965
+ "ISO-27001-2022-A.8.21": {
3966
+ "covered": true,
3967
+ "adequate": false,
3968
+ "gap": "Network segregation assumed at the virtualization layer; chain breaks it."
3969
+ },
3970
+ "DORA-Art10": {
3971
+ "covered": true,
3972
+ "adequate": false,
3973
+ "gap": "ICT third-party concentration risk realised at the hypervisor layer."
3974
+ }
3975
+ },
3976
+ "new_control_requirements": [
3977
+ {
3978
+ "id": "NEW-CTRL-001",
3979
+ "name": "CISA-KEV-RESPONSE-SLA",
3980
+ "description": "4h KEV-listing mitigation SLA; same VMSA-2025-0004 cluster as CVE-2025-22224.",
3981
+ "evidence": "CVE-2025-22225 — KEV-listed 2025-03-04; CISA Feb 2026 follow-up confirmed ransomware exploitation.",
3982
+ "gap_closes": [
3983
+ "NIST-800-53-SC-39",
3984
+ "DORA-Art10"
3985
+ ]
3986
+ },
3987
+ {
3988
+ "id": "NEW-CTRL-068",
3989
+ "name": "HYPERVISOR-VM-ESCAPE-TENANCY-ASSUMPTION",
3990
+ "description": "Same hypervisor tenancy posture as CVE-2025-22224.",
3991
+ "evidence": "CVE-2025-22225 — chain component in the same ransomware-confirmed exploitation cluster.",
3992
+ "gap_closes": [
3993
+ "ISO-27001-2022-A.8.21",
3994
+ "PCI-DSS-4.0-2.2.3"
3995
+ ]
3996
+ }
3997
+ ],
3998
+ "compliance_exposure_score": {
3999
+ "percent_audit_passing_orgs_still_exposed": 82,
4000
+ "basis": "Same hypervisor patch-cadence gap as CVE-2025-22224.",
4001
+ "theater_pattern": "patch_management"
4002
+ },
4003
+ "ai_discovered_zeroday": false,
4004
+ "ai_discovery_source": "vendor_research",
4005
+ "ai_discovery_date": "2025-03-04",
4006
+ "ai_assist_factor": "none"
4007
+ },
4008
+ "CVE-2025-22226": {
4009
+ "name": "VMware ESXi HGFS Memory Leak (VM-escape chain helper)",
4010
+ "lesson_date": "2026-05-18",
4011
+ "attack_vector": {
4012
+ "description": "HGFS (Host Guest File System) memory leak provides the heap-address oracle used to weaponise CVE-2025-22224 + CVE-2025-22225. Local guest-admin reads VMX-process memory via the leak primitive and supplies heap addresses for the TOCTOU + arbitrary-write CVEs in the same chain. Broadcom characterised as 'observed in attacks'.",
4013
+ "privileges_required": "local guest-admin",
4014
+ "complexity": "low (information-disclosure read primitive)",
4015
+ "ai_factor": "Not AI-discovered. Microsoft Threat Intelligence Center co-disclosure; no AI tool credit."
4016
+ },
4017
+ "framework_coverage": {
4018
+ "NIST-800-53-SC-28": {
4019
+ "covered": true,
4020
+ "adequate": false,
4021
+ "gap": "Memory-protection control assumes process isolation; leak escapes."
4022
+ },
4023
+ "ISO-27001-2022-A.8.24": {
4024
+ "covered": true,
4025
+ "adequate": false,
4026
+ "gap": "In-transit / at-rest crypto irrelevant to in-memory disclosure."
4027
+ },
4028
+ "FedRAMP-SC-4": {
4029
+ "covered": true,
4030
+ "adequate": false,
4031
+ "gap": "Information in shared resources — direct violation."
4032
+ }
4033
+ },
4034
+ "new_control_requirements": [
4035
+ {
4036
+ "id": "NEW-CTRL-001",
4037
+ "name": "CISA-KEV-RESPONSE-SLA",
4038
+ "description": "4h KEV-listing mitigation SLA; same VMSA-2025-0004 cluster.",
4039
+ "evidence": "CVE-2025-22226 — KEV-listed 2025-03-04; the heap-address oracle that makes the chain reliable.",
4040
+ "gap_closes": [
4041
+ "NIST-800-53-SC-28",
4042
+ "FedRAMP-SC-4"
4043
+ ]
4044
+ },
4045
+ {
4046
+ "id": "NEW-CTRL-068",
4047
+ "name": "HYPERVISOR-VM-ESCAPE-TENANCY-ASSUMPTION",
4048
+ "description": "Same hypervisor tenancy posture as CVE-2025-22224.",
4049
+ "evidence": "CVE-2025-22226 — without this leak the rest of the chain is unreliable; chain-component classification still triggers the tenancy-assumption control.",
4050
+ "gap_closes": [
4051
+ "ISO-27001-2022-A.8.24"
4052
+ ]
4053
+ }
4054
+ ],
4055
+ "compliance_exposure_score": {
4056
+ "percent_audit_passing_orgs_still_exposed": 80,
4057
+ "basis": "Memory-leak-class CVEs on hypervisors are commonly downgraded by operator patch programs; chain-context elevates them.",
4058
+ "theater_pattern": "patch_management"
4059
+ },
4060
+ "ai_discovered_zeroday": false,
4061
+ "ai_discovery_source": "vendor_research",
4062
+ "ai_discovery_date": "2025-03-04",
4063
+ "ai_assist_factor": "none"
4064
+ },
4065
+ "MAL-2024-PYPI-ULTRALYTICS-XMRIG": {
4066
+ "name": "ultralytics PyPI Compromise → XMRig Cryptominer (60M-download AI library)",
4067
+ "lesson_date": "2026-05-18",
4068
+ "attack_vector": {
4069
+ "description": "GitHub Actions script-injection in the ultralytics build pipeline allowed openimbot to inject a post-install downloader after code review. Resulting wheel pulled XMRig from attacker infrastructure. ultralytics 8.3.41 and 8.3.42 (the first 'remediation' release inadvertently re-shipped the malicious code) — clean release 8.3.43. ~60M monthly downloads; the package powers many production CV / model-training pipelines.",
4070
+ "privileges_required": "none (any developer / CI runs `pip install ultralytics`)",
4071
+ "complexity": "low for downstream consumers; build-pipeline injection required upstream",
4072
+ "ai_factor": "Not AI-discovered. ReversingLabs + Wiz + HiddenLayer concurrent ecosystem-telemetry detection; no AI tool credit."
4073
+ },
4074
+ "framework_coverage": {
4075
+ "NIST-800-218-SSDF-PO.4.2": {
4076
+ "covered": true,
4077
+ "adequate": false,
4078
+ "gap": "Build-environment hardening guidance generic; GitHub Actions script-injection class persists."
4079
+ },
4080
+ "SLSA-3": {
4081
+ "covered": true,
4082
+ "adequate": false,
4083
+ "gap": "Build provenance attestation gap — the injected code shipped with valid attestation paths."
4084
+ },
4085
+ "ISO-27001-2022-A.8.30": {
4086
+ "covered": true,
4087
+ "adequate": false,
4088
+ "gap": "Outsourced development control does not address ecosystem-package build-pipeline injection."
4089
+ },
4090
+ "EU-AI-Act-Art10": {
4091
+ "covered": true,
4092
+ "adequate": false,
4093
+ "gap": "Data governance — compromised AI library is in scope but framework lacks supply-chain control prescription."
4094
+ },
4095
+ "OpenSSF-Scorecard-PinnedDependenciesID": {
4096
+ "covered": true,
4097
+ "adequate": false,
4098
+ "gap": "Float-version installs propagate compromise instantly; pin-by-hash mitigates only at deploy time."
4099
+ }
4100
+ },
4101
+ "new_control_requirements": [
4102
+ {
4103
+ "id": "NEW-CTRL-011",
4104
+ "name": "GHA-WORKFLOW-SCRIPT-INJECTION-SINK-BAN",
4105
+ "description": "GitHub Actions workflows must ban dangerous expression sinks (run: with `${{ github.event.* }}` interpolation, etc.); CI must lint workflows for the injection class.",
4106
+ "evidence": "MAL-2024-PYPI-ULTRALYTICS-XMRIG — the original injection vector was a GHA expression-injection sink.",
4107
+ "gap_closes": [
4108
+ "NIST-800-218-SSDF-PO.4.2"
4109
+ ]
4110
+ },
4111
+ {
4112
+ "id": "NEW-CTRL-026",
4113
+ "name": "NPM-CI-IGNORE-SCRIPTS-DEFAULT",
4114
+ "description": "Equivalent posture for pip: `pip install --no-binary` / cached wheel review; reject post-install code execution by default in CI.",
4115
+ "evidence": "MAL-2024-PYPI-ULTRALYTICS-XMRIG — the malicious payload activated via post-install downloader.",
4116
+ "gap_closes": [
4117
+ "ISO-27001-2022-A.8.30"
4118
+ ]
4119
+ },
4120
+ {
4121
+ "id": "NEW-CTRL-027",
4122
+ "name": "MAINTAINER-TOKEN-COMPROMISE-RESPONSE-PLAYBOOK",
4123
+ "description": "Maintainer-token compromise must have a 24h response playbook; 8.3.42 re-shipped the malicious code because the response was rushed.",
4124
+ "evidence": "MAL-2024-PYPI-ULTRALYTICS-XMRIG — the inadvertent re-ship of malicious code in 8.3.42 demonstrates the absent playbook.",
4125
+ "gap_closes": [
4126
+ "SLSA-3",
4127
+ "EU-AI-Act-Art10"
4128
+ ]
4129
+ }
4130
+ ],
4131
+ "compliance_exposure_score": {
4132
+ "percent_audit_passing_orgs_still_exposed": 90,
4133
+ "basis": "AI-library supply chain is essentially unmanaged at SLSA-3 depth across audit-passing organisations; ~60M-download package compromise demonstrates the blast radius.",
4134
+ "theater_pattern": "ai_supply_chain_trust"
4135
+ },
4136
+ "ai_discovered_zeroday": false,
4137
+ "ai_discovery_source": "vendor_research",
4138
+ "ai_discovery_date": "2024-12-05",
4139
+ "ai_assist_factor": "none"
4140
+ },
4141
+ "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER": {
4142
+ "name": "BufferZoneCorp RubyGems + Go Module Sleeper-to-Payload Credential Theft Campaign",
4143
+ "lesson_date": "2026-05-18",
4144
+ "attack_vector": {
4145
+ "description": "Sleeper-to-payload supply chain attack: packages published with clean README + minimal functionality, silently updated to malicious payload after trust accrual. Ruby gems harvested env vars + SSH keys + AWS credentials + .npmrc + .netrc + GitHub CLI config + RubyGems credentials to a hidden C2 endpoint. Go modules modified GITHUB_ENV, poisoned GOPROXY, weakened checksum protections, tampered with go.sum, and planted fake `go` wrappers in workflow execution paths.",
4146
+ "privileges_required": "none (any CI / dev runs `bundle install` / `go get`)",
4147
+ "complexity": "low for downstream; sustained over time upstream",
4148
+ "ai_factor": "Not AI-discovered. Socket.dev human research disclosure; no AI tool credit."
4149
+ },
4150
+ "framework_coverage": {
4151
+ "NIST-800-218-SSDF-PO.4.2": {
4152
+ "covered": true,
4153
+ "adequate": false,
4154
+ "gap": "Sleeper pattern defeats one-time package audit."
4155
+ },
4156
+ "SLSA-3": {
4157
+ "covered": true,
4158
+ "adequate": false,
4159
+ "gap": "Build provenance ineffective against post-trust-accrual malicious update."
4160
+ },
4161
+ "ISO-27001-2022-A.5.21": {
4162
+ "covered": true,
4163
+ "adequate": false,
4164
+ "gap": "Supplier security control depends on initial assessment; does not address temporal trust drift."
4165
+ },
4166
+ "OpenSSF-Scorecard-PinnedDependenciesID": {
4167
+ "covered": true,
4168
+ "adequate": false,
4169
+ "gap": "Pinned dependency mitigates only if hash-pinned, not version-pinned."
4170
+ },
4171
+ "NIS2-Art21-supply-chain": {
4172
+ "covered": true,
4173
+ "adequate": false,
4174
+ "gap": "Supply-chain control assumes initial vetting; sleeper pattern not enumerated."
4175
+ }
4176
+ },
4177
+ "new_control_requirements": [
4178
+ {
4179
+ "id": "NEW-CTRL-069",
4180
+ "name": "ECOSYSTEM-PACKAGE-TEMPORAL-TRUST-DRIFT-DETECTION",
4181
+ "description": "Pin by content hash; monitor for behaviour deltas (new network egress, new postinstall scripts, new permissions); treat publisher-account churn as leading indicator.",
4182
+ "evidence": "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER — sleeper pattern defeated audit and version-pinning.",
4183
+ "gap_closes": [
4184
+ "NIST-800-218-SSDF-PO.4.2",
4185
+ "SLSA-3",
4186
+ "ISO-27001-2022-A.5.21",
4187
+ "OpenSSF-Scorecard-PinnedDependenciesID",
4188
+ "NIS2-Art21-supply-chain"
4189
+ ]
4190
+ },
4191
+ {
4192
+ "id": "NEW-CTRL-026",
4193
+ "name": "NPM-CI-IGNORE-SCRIPTS-DEFAULT",
4194
+ "description": "Equivalent posture for Bundler / Go: refuse postinstall / init-hook execution from new or recently-updated dependencies by default in CI.",
4195
+ "evidence": "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER — Go module init hooks rewrote GOPROXY and go.sum.",
4196
+ "gap_closes": []
4197
+ }
4198
+ ],
4199
+ "compliance_exposure_score": {
4200
+ "percent_audit_passing_orgs_still_exposed": 88,
4201
+ "basis": "Temporal trust drift detection is essentially never deployed in audit-passing organisations; one-time supplier vetting is the norm.",
4202
+ "theater_pattern": "vendor_management"
4203
+ },
4204
+ "ai_discovered_zeroday": false,
4205
+ "ai_discovery_source": "vendor_research",
4206
+ "ai_discovery_date": "2026-05-12",
4207
+ "ai_assist_factor": "none"
4208
+ },
4209
+ "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER": {
4210
+ "name": "PyPI Colorama Typosquat Campaign → Solana Credential / Crypto Stealer",
4211
+ "lesson_date": "2026-05-18",
4212
+ "attack_vector": {
4213
+ "description": "11 PyPI typosquats of `colorama` (>150M downloads/month) and `colorizr` published 2025-05-04 to 2025-05-24, split across four payload variants targeting the Solana ecosystem. Install-time code exfiltrates browser credentials, crypto wallets, Facebook/Telegram/Roblox session material, and Solana wallet artifacts.",
4214
+ "privileges_required": "none (developer typo / autocomplete on `pip install`)",
4215
+ "complexity": "low",
4216
+ "ai_factor": "Not AI-discovered. Imperva + Checkmarx + Check Point ecosystem-telemetry detection; no AI tool credit."
4217
+ },
4218
+ "framework_coverage": {
4219
+ "NIST-800-218-SSDF-PO.4.2": {
4220
+ "covered": true,
4221
+ "adequate": false,
4222
+ "gap": "Typosquat detection not enumerated in standard SSDF practices."
4223
+ },
4224
+ "ISO-27001-2022-A.5.21": {
4225
+ "covered": true,
4226
+ "adequate": false,
4227
+ "gap": "Supplier control does not address ecosystem-name-confusion class."
4228
+ },
4229
+ "OpenSSF-Scorecard-PinnedDependenciesID": {
4230
+ "covered": true,
4231
+ "adequate": false,
4232
+ "gap": "Pin-by-hash mitigates only at deploy time; install-time typosquat persists."
4233
+ },
4234
+ "GDPR-Art32": {
4235
+ "covered": true,
4236
+ "adequate": false,
4237
+ "gap": "Confidentiality breach via developer-endpoint compromise underspecified."
4238
+ }
4239
+ },
4240
+ "new_control_requirements": [
4241
+ {
4242
+ "id": "NEW-CTRL-070",
4243
+ "name": "TYPOSQUAT-INSTALL-TIME-NAME-CONFUSION-GUARD",
4244
+ "description": "CI + developer workstations must run install-time typosquat guards (Levenshtein-distance check against top-N ecosystem packages, install-time prompt on first-seen package names).",
4245
+ "evidence": "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER — 11 typosquats exfiltrated browser credentials and Solana wallets at install time.",
4246
+ "gap_closes": [
4247
+ "NIST-800-218-SSDF-PO.4.2",
4248
+ "ISO-27001-2022-A.5.21",
4249
+ "OpenSSF-Scorecard-PinnedDependenciesID",
4250
+ "GDPR-Art32"
4251
+ ]
4252
+ }
4253
+ ],
4254
+ "compliance_exposure_score": {
4255
+ "percent_audit_passing_orgs_still_exposed": 85,
4256
+ "basis": "Install-time typosquat guards are essentially never deployed at workstation depth; supplier-list controls do not enumerate the class.",
4257
+ "theater_pattern": "vendor_management"
4258
+ },
4259
+ "ai_discovered_zeroday": false,
4260
+ "ai_discovery_source": "vendor_research",
4261
+ "ai_discovery_date": "2025-05-25",
4262
+ "ai_assist_factor": "none"
4263
+ },
4264
+ "CVE-2025-0133": {
4265
+ "name": "Palo Alto Networks GlobalProtect Reflected XSS (XBOW AI-discovered)",
4266
+ "lesson_date": "2026-05-18",
4267
+ "attack_vector": {
4268
+ "description": "Reflected XSS triggered via a crafted link processed by the GlobalProtect captive-portal. Executes JavaScript in the authenticated user's browser context, enabling credential-phishing originating from the legitimate VPN portal hostname. Affected over 2,000 internet-facing hosts at disclosure.",
4269
+ "privileges_required": "user interaction (click on crafted link to the legitimate portal)",
4270
+ "complexity": "low",
4271
+ "ai_factor": "XBOW autonomous-pentest AI discovered the bug during a HackerOne VDP engagement scoped to GlobalProtect. Notable because XBOW reached #1 on the HackerOne US Q2 2025 leaderboard ahead of every human researcher in the same program ranking — first publicly-attributed AI-tool CVE against Palo Alto."
4272
+ },
4273
+ "framework_coverage": {
4274
+ "NIST-800-53-SI-10": {
4275
+ "covered": true,
4276
+ "adequate": false,
4277
+ "gap": "Input validation assumes static-analysis coverage; AI-discovery surfaced bugs missed by conventional tooling."
4278
+ },
4279
+ "ISO-27001-2022-A.8.28": {
4280
+ "covered": true,
4281
+ "adequate": false,
4282
+ "gap": "Secure coding controls do not enumerate AI-assisted discovery as a positive defence modality."
4283
+ },
4284
+ "OWASP-Top-10-2021-A03": {
4285
+ "covered": true,
4286
+ "adequate": false,
4287
+ "gap": "Injection class — XSS in security-control-plane software."
4288
+ },
4289
+ "EU-AI-Act-Art15": {
4290
+ "covered": true,
4291
+ "adequate": false,
4292
+ "gap": "Robustness control does not address AI-assisted-discovery contribution credit."
4293
+ }
4294
+ },
4295
+ "new_control_requirements": [
4296
+ {
4297
+ "id": "NEW-CTRL-024",
4298
+ "name": "AI-DISCOVERY-RESPONSE-SLA",
4299
+ "description": "AI-discovered vulnerabilities enter the patch program on the AI-discovery-date timestamp.",
4300
+ "evidence": "CVE-2025-0133 — XBOW disclosure cadence outpaces conventional bug-bounty triage.",
4301
+ "gap_closes": [
4302
+ "NIST-800-53-SI-10"
4303
+ ]
4304
+ },
4305
+ {
4306
+ "id": "NEW-CTRL-030",
4307
+ "name": "PERIMETER-DEVICE-ZERODAY-SLA-TIER",
4308
+ "description": "Perimeter devices (VPN concentrators, gateways) require a separate compressed-SLA tier; XSS on the captive-portal hostname enables credential-phishing from the legitimate brand.",
4309
+ "evidence": "CVE-2025-0133 — over 2,000 internet-facing GlobalProtect hosts exposed at disclosure.",
4310
+ "gap_closes": [
4311
+ "OWASP-Top-10-2021-A03"
4312
+ ]
4313
+ },
4314
+ {
4315
+ "id": "NEW-CTRL-071",
4316
+ "name": "AI-DISCOVERY-CREDIT-IN-COMPLIANCE-EVIDENCE",
4317
+ "description": "Compliance evidence packs must record AI-tool contribution.",
4318
+ "evidence": "CVE-2025-0133 — XBOW topped the HackerOne leaderboard; no compliance attribution path exists for this contribution.",
4319
+ "gap_closes": [
4320
+ "ISO-27001-2022-A.8.28",
4321
+ "EU-AI-Act-Art15"
4322
+ ]
4323
+ }
4324
+ ],
4325
+ "compliance_exposure_score": {
4326
+ "percent_audit_passing_orgs_still_exposed": 70,
4327
+ "basis": "Perimeter-device XSS is commonly out of scope of organisational threat models for VPN concentrators; AI-discovery outpaces patch programs.",
4328
+ "theater_pattern": "vulnerability_management_theater"
4329
+ },
4330
+ "ai_discovered_zeroday": true,
4331
+ "ai_discovery_source": "bug_bounty_ai_augmented",
4332
+ "ai_discovery_date": "2025-05-14",
4333
+ "ai_assist_factor": "very_high"
4334
+ },
4335
+ "CVE-2025-59529": {
4336
+ "name": "Avahi Simple Protocol Server Connection-Limit DoS (ZeroPath AI-discovered)",
4337
+ "lesson_date": "2026-05-18",
4338
+ "attack_vector": {
4339
+ "description": "avahi-daemon Simple Protocol Server continues accepting clients after the configured connection limit should have engaged. Local or network-reachable attacker opens repeated connections; daemon ignores connection-cap configuration and exhausts file descriptors / memory, denying service-discovery on the host.",
4340
+ "privileges_required": "local or network-reachable (where avahi-daemon is exposed)",
4341
+ "complexity": "low",
4342
+ "ai_factor": "ZeroPath AI-SAST during code analysis of the Avahi project. Notable as a business-logic-class detection — the category most resistant to conventional pattern-based SAST and most accelerated by LLM-driven analysis."
4343
+ },
4344
+ "framework_coverage": {
4345
+ "NIST-800-53-SC-5": {
4346
+ "covered": true,
4347
+ "adequate": false,
4348
+ "gap": "Default-allow connection acceptance behaviour escapes generic DoS-protection control."
4349
+ },
4350
+ "ISO-27001-2022-A.8.9": {
4351
+ "covered": true,
4352
+ "adequate": false,
4353
+ "gap": "Configuration baseline assumes configured-limit-enforced; business-logic bypass not enumerated."
4354
+ },
4355
+ "ENISA-IoT-security-baseline": {
4356
+ "covered": true,
4357
+ "adequate": false,
4358
+ "gap": "IoT-device service-discovery hardening unspecified for business-logic class."
4359
+ },
4360
+ "EU-AI-Act-Art15": {
4361
+ "covered": true,
4362
+ "adequate": false,
4363
+ "gap": "Framework does not credit AI-assisted-defender finding."
4364
+ }
4365
+ },
4366
+ "new_control_requirements": [
4367
+ {
4368
+ "id": "NEW-CTRL-024",
4369
+ "name": "AI-DISCOVERY-RESPONSE-SLA",
4370
+ "description": "AI-discovered vulnerabilities enter the patch program on the AI-discovery-date timestamp.",
4371
+ "evidence": "CVE-2025-59529 — ZeroPath disclosure cadence outpaces conventional SAST triage.",
4372
+ "gap_closes": [
4373
+ "NIST-800-53-SC-5",
4374
+ "ISO-27001-2022-A.8.9"
4375
+ ]
4376
+ },
4377
+ {
4378
+ "id": "NEW-CTRL-071",
4379
+ "name": "AI-DISCOVERY-CREDIT-IN-COMPLIANCE-EVIDENCE",
4380
+ "description": "Compliance evidence packs must record AI-tool contribution; business-logic-class detection is the AI-defender comparative advantage.",
4381
+ "evidence": "CVE-2025-59529 — ZeroPath business-logic-class detection has no SAMM / SSDF attribution.",
4382
+ "gap_closes": [
4383
+ "ENISA-IoT-security-baseline",
4384
+ "EU-AI-Act-Art15"
4385
+ ]
4386
+ }
4387
+ ],
4388
+ "compliance_exposure_score": {
4389
+ "percent_audit_passing_orgs_still_exposed": 60,
4390
+ "basis": "Avahi is ubiquitous on Linux desktops / IoT; business-logic-class DoS is commonly downgraded by patch programs.",
4391
+ "theater_pattern": "vulnerability_management_theater"
4392
+ },
4393
+ "ai_discovered_zeroday": true,
4394
+ "ai_discovery_source": "bug_bounty_ai_augmented",
4395
+ "ai_discovery_date": "2025-09-23",
4396
+ "ai_assist_factor": "very_high"
4397
+ },
4398
+ "CVE-2025-55319": {
4399
+ "name": "Visual Studio Code Agentic-AI Command Injection (ZeroPath AI-discovered)",
4400
+ "lesson_date": "2026-05-18",
4401
+ "attack_vector": {
4402
+ "description": "Adversarial content in an AI tool response or external MCP server message reaches a shell-execution primitive inside VS Code's agentic integration, executing attacker-controlled commands as the developer.",
4403
+ "privileges_required": "ability to deliver adversarial content into the agent's tool / MCP response surface",
4404
+ "complexity": "moderate (high-AC per CVSS but trivial once the primitive is known)",
4405
+ "ai_factor": "ZeroPath AI-SAST analysing the VS Code agentic-AI surface. Doubly relevant: AI defender finding a bug in an AI-assistant surface; AI agent is also the weaponisation primitive (it transforms a crafted tool response into a shell command). Qualifies under both limbs of AGENTS.md Hard Rule #7."
4406
+ },
4407
+ "framework_coverage": {
4408
+ "NIST-AI-RMF-MEASURE-2.7": {
4409
+ "covered": true,
4410
+ "adequate": false,
4411
+ "gap": "Prompt-injection-to-shell pathway underspecified in AI-RMF measurement guidance."
4412
+ },
4413
+ "EU-AI-Act-Art15": {
4414
+ "covered": true,
4415
+ "adequate": false,
4416
+ "gap": "Agentic-AI host-execution boundary not enumerated as a robustness control."
4417
+ },
4418
+ "ISO-IEC-42001-AIMS-A.6.2.5": {
4419
+ "covered": true,
4420
+ "adequate": false,
4421
+ "gap": "AI lifecycle controls do not address IDE-resident agentic primitives."
4422
+ },
4423
+ "OWASP-LLM-Top-10-LLM01": {
4424
+ "covered": true,
4425
+ "adequate": "reference only",
4426
+ "gap": "Prompt injection enumerated; no IDE-host-execution requirement."
4427
+ },
4428
+ "OWASP-LLM-Top-10-LLM07": {
4429
+ "covered": true,
4430
+ "adequate": "reference only",
4431
+ "gap": "Insecure Plugin Design directly applicable to MCP integration class."
4432
+ }
4433
+ },
4434
+ "new_control_requirements": [
4435
+ {
4436
+ "id": "NEW-CTRL-066",
4437
+ "name": "AGENTIC-IDE-HOST-EXECUTION-SANDBOX",
4438
+ "description": "Agentic AI in IDEs must route shell-execution through per-invocation confirmation or a sandbox isolated from developer credentials.",
4439
+ "evidence": "CVE-2025-55319 — adversarial tool / MCP content reached a shell primitive directly.",
4440
+ "gap_closes": [
4441
+ "NIST-AI-RMF-MEASURE-2.7",
4442
+ "EU-AI-Act-Art15",
4443
+ "ISO-IEC-42001-AIMS-A.6.2.5",
4444
+ "OWASP-LLM-Top-10-LLM07"
4445
+ ]
4446
+ },
4447
+ {
4448
+ "id": "NEW-CTRL-004",
4449
+ "name": "AI-TOOL-ACTION-AUTHORIZATION",
4450
+ "description": "AI tools must have explicitly scoped permissions; implied authorisation from context is insufficient.",
4451
+ "evidence": "CVE-2025-55319 — agent acted on adversarial content without explicit authorisation.",
4452
+ "gap_closes": [
4453
+ "OWASP-LLM-Top-10-LLM01"
4454
+ ]
4455
+ },
4456
+ {
4457
+ "id": "NEW-CTRL-053",
4458
+ "name": "MCP-SERVER-CONFIG-ALLOWLIST",
4459
+ "description": "MCP server inventory + allowlist limits the adversarial-content surface that can reach the IDE agent.",
4460
+ "evidence": "CVE-2025-55319 — external MCP server messages were a documented delivery path.",
4461
+ "gap_closes": []
4462
+ },
4463
+ {
4464
+ "id": "NEW-CTRL-071",
4465
+ "name": "AI-DISCOVERY-CREDIT-IN-COMPLIANCE-EVIDENCE",
4466
+ "description": "Record AI-defender contribution.",
4467
+ "evidence": "CVE-2025-55319 — ZeroPath disclosure; framework attribution gap.",
4468
+ "gap_closes": []
4469
+ }
4470
+ ],
4471
+ "compliance_exposure_score": {
4472
+ "percent_audit_passing_orgs_still_exposed": 95,
4473
+ "basis": "Developer-workstation agentic-AI host-execution sandboxes are essentially non-existent across audit-passing organisations; the agentic IDE class is widely deployed without per-invocation auth gates.",
4474
+ "theater_pattern": "ai_supply_chain_trust"
4475
+ },
4476
+ "ai_discovered_zeroday": true,
4477
+ "ai_discovery_source": "bug_bounty_ai_augmented",
4478
+ "ai_discovery_date": "2025-09-09",
4479
+ "ai_assist_factor": "very_high"
4480
+ },
4481
+ "CVE-2025-53767": {
4482
+ "name": "Azure OpenAI SSRF Privilege Escalation (ZeroPath AI-discovered)",
4483
+ "lesson_date": "2026-05-18",
4484
+ "attack_vector": {
4485
+ "description": "Authenticated low-privilege tenant user issues SSRF request that crosses the cloud-tenant boundary, escalating into administrative or cross-tenant context within the Azure OpenAI control plane. Microsoft fixed server-side before any public PoC.",
4486
+ "privileges_required": "low-privilege authenticated tenant identity",
4487
+ "complexity": "moderate",
4488
+ "ai_factor": "ZeroPath AI agent analysing Azure OpenAI control-plane attack surface. AI-defender against AI-service control plane."
4489
+ },
4490
+ "framework_coverage": {
4491
+ "NIST-800-53-SC-7": {
4492
+ "covered": true,
4493
+ "adequate": false,
4494
+ "gap": "Boundary protection assumes east-west traffic within cloud-tenant boundary is filtered; SSRF crosses it."
4495
+ },
4496
+ "FedRAMP-AC-4": {
4497
+ "covered": true,
4498
+ "adequate": false,
4499
+ "gap": "Information flow control assumed tenant-isolated."
4500
+ },
4501
+ "EU-AI-Act-Art15": {
4502
+ "covered": true,
4503
+ "adequate": false,
4504
+ "gap": "Robustness control does not enumerate AI-service control-plane SSRF."
4505
+ },
4506
+ "ISO-IEC-42001-AIMS": {
4507
+ "covered": true,
4508
+ "adequate": false,
4509
+ "gap": "AI Management System silent on managed-AI-service supply chain risk."
4510
+ }
4511
+ },
4512
+ "new_control_requirements": [
4513
+ {
4514
+ "id": "NEW-CTRL-058",
4515
+ "name": "CLOUD-CONTROL-PLANE-CROSS-TENANT-CLAIM-VALIDATION",
4516
+ "description": "Cloud control planes must validate cross-tenant authority; managed-AI services inherit the same posture.",
4517
+ "evidence": "CVE-2025-53767 — SSRF crossed the Azure OpenAI tenant boundary into administrative context.",
4518
+ "gap_closes": [
4519
+ "NIST-800-53-SC-7",
4520
+ "FedRAMP-AC-4"
4521
+ ]
4522
+ },
4523
+ {
4524
+ "id": "NEW-CTRL-071",
4525
+ "name": "AI-DISCOVERY-CREDIT-IN-COMPLIANCE-EVIDENCE",
4526
+ "description": "Record AI-defender contribution to managed-AI-service security.",
4527
+ "evidence": "CVE-2025-53767 — ZeroPath against Azure OpenAI control plane; no compliance attribution path.",
4528
+ "gap_closes": [
4529
+ "EU-AI-Act-Art15",
4530
+ "ISO-IEC-42001-AIMS"
4531
+ ]
4532
+ }
4533
+ ],
4534
+ "compliance_exposure_score": {
4535
+ "percent_audit_passing_orgs_still_exposed": 100,
4536
+ "basis": "Pre-fix, every Azure OpenAI tenant globally was exposed; no operator-side compensating control existed. Post-fix exposure is zero — the compliance story is about telemetry coverage for future managed-AI control-plane bugs.",
4537
+ "theater_pattern": "vendor_management_ai"
4538
+ },
4539
+ "ai_discovered_zeroday": true,
4540
+ "ai_discovery_source": "bug_bounty_ai_augmented",
4541
+ "ai_discovery_date": "2025-08-19",
4542
+ "ai_assist_factor": "very_high"
4543
+ },
4544
+ "CVE-2025-10725": {
4545
+ "name": "Red Hat OpenShift AI Privilege Escalation (ZeroPath AI-discovered)",
4546
+ "lesson_date": "2026-05-18",
4547
+ "attack_vector": {
4548
+ "description": "Authenticated low-privilege tenant user leverages an RBAC primitive in the OpenShift AI platform overlay to escalate privileges across the control-plane boundary. The platform extends the conventional Kubernetes RBAC surface; tenant-isolation tests against the underlying API server miss the overlay.",
4549
+ "privileges_required": "low-privilege authenticated tenant identity in OpenShift AI",
4550
+ "complexity": "high",
4551
+ "ai_factor": "ZeroPath AI agent analysing OpenShift AI integration surface. AI defender finding bugs in AI-deployment platform — class anchor for AGENTS.md Hard Rule #7."
4552
+ },
4553
+ "framework_coverage": {
4554
+ "NIST-800-53-AC-6": {
4555
+ "covered": true,
4556
+ "adequate": false,
4557
+ "gap": "Least-privilege enforced at conventional Kubernetes RBAC layer; AI-platform overlay extends attack surface."
4558
+ },
4559
+ "FedRAMP-AC-3": {
4560
+ "covered": true,
4561
+ "adequate": false,
4562
+ "gap": "Access enforcement at API server assumed; OpenShift AI overlay introduces additional control plane."
4563
+ },
4564
+ "EU-AI-Act-Art15": {
4565
+ "covered": true,
4566
+ "adequate": false,
4567
+ "gap": "AI-platform deployment surface not enumerated in robustness controls."
4568
+ },
4569
+ "ISO-IEC-42001-AIMS-A.6.2.5": {
4570
+ "covered": true,
4571
+ "adequate": false,
4572
+ "gap": "AI lifecycle controls do not address managed-AI-platform tenant isolation."
4573
+ }
4574
+ },
4575
+ "new_control_requirements": [
4576
+ {
4577
+ "id": "NEW-CTRL-067",
4578
+ "name": "AI-PLATFORM-CONTROL-PLANE-RBAC-OVERLAY-AUDIT",
4579
+ "description": "Tenant-isolation tests must exercise the AI-platform overlay control plane, not just the underlying Kubernetes RBAC.",
4580
+ "evidence": "CVE-2025-10725 — low-privilege user escalated via the platform overlay beyond what Kubernetes-RBAC tests would surface.",
4581
+ "gap_closes": [
4582
+ "NIST-800-53-AC-6",
4583
+ "FedRAMP-AC-3"
4584
+ ]
4585
+ },
4586
+ {
4587
+ "id": "NEW-CTRL-071",
4588
+ "name": "AI-DISCOVERY-CREDIT-IN-COMPLIANCE-EVIDENCE",
4589
+ "description": "Record AI-defender contribution against AI-deployment platforms.",
4590
+ "evidence": "CVE-2025-10725 — ZeroPath against Red Hat OpenShift AI.",
4591
+ "gap_closes": [
4592
+ "EU-AI-Act-Art15",
4593
+ "ISO-IEC-42001-AIMS-A.6.2.5"
4594
+ ]
4595
+ }
4596
+ ],
4597
+ "compliance_exposure_score": {
4598
+ "percent_audit_passing_orgs_still_exposed": 90,
4599
+ "basis": "AI-platform overlay RBAC audits are essentially never performed; tenant-isolation evidence stops at Kubernetes RBAC depth.",
4600
+ "theater_pattern": "access_control_theater"
4601
+ },
4602
+ "ai_discovered_zeroday": true,
4603
+ "ai_discovery_source": "bug_bounty_ai_augmented",
4604
+ "ai_discovery_date": "2025-09-29",
4605
+ "ai_assist_factor": "very_high"
4606
+ },
4607
+ "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP": {
4608
+ "name": "Big Sleep AI Open-Source 20-Vulnerability Disclosure Tranche (FFmpeg + ImageMagick + others)",
4609
+ "lesson_date": "2026-05-18",
4610
+ "attack_vector": {
4611
+ "description": "Pre-emptive AI-agent discovery tranche covering FFmpeg, ImageMagick, and other open-source media / utility libraries. Bugs reported through standard upstream-vendor responsible-disclosure with patches landing before public PoC. Composite entry — per-CVE detail is being published by Google as the tranche disclosure unfolds. Representative path: memory-corruption in a media-decoder triggered by crafted file processed via library API.",
4612
+ "privileges_required": "varies per CVE in the tranche",
4613
+ "complexity": "varies per CVE",
4614
+ "ai_factor": "Big Sleep — Google DeepMind + Project Zero AI agent (Gemini-backed). First 20 vulnerabilities Big Sleep found, disclosed by Heather Adkins on 2025-08-04. Both targets (FFmpeg, ImageMagick) have massive downstream redistribution surface."
4615
+ },
4616
+ "framework_coverage": {
4617
+ "NIST-800-218-SSDF-PW.7.1": {
4618
+ "covered": true,
4619
+ "adequate": false,
4620
+ "gap": "Code review by automated tools — frameworks lack specific AI-discovery attribution model."
4621
+ },
4622
+ "EU-AI-Act-Art15": {
4623
+ "covered": true,
4624
+ "adequate": false,
4625
+ "gap": "Framework does not enumerate AI-as-defender contribution to robustness control."
4626
+ },
4627
+ "ISO-IEC-42001-AIMS": {
4628
+ "covered": true,
4629
+ "adequate": false,
4630
+ "gap": "AI Management System silent on AI-vulnerability-discovery as a positive control surface."
4631
+ },
4632
+ "OWASP-SAMM-Code-Review": {
4633
+ "covered": true,
4634
+ "adequate": false,
4635
+ "gap": "AI-tooling not enumerated as a SAMM code-review modality."
4636
+ }
4637
+ },
4638
+ "new_control_requirements": [
4639
+ {
4640
+ "id": "NEW-CTRL-024",
4641
+ "name": "AI-DISCOVERY-RESPONSE-SLA",
4642
+ "description": "AI-discovered vulnerabilities enter the patch program on the AI-discovery-date timestamp; downstream consumers of bundled FFmpeg / ImageMagick must monitor the Big Sleep disclosure cadence directly, not wait for NVD.",
4643
+ "evidence": "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP — tranche cadence outpaces NVD publication.",
4644
+ "gap_closes": [
4645
+ "NIST-800-218-SSDF-PW.7.1"
4646
+ ]
4647
+ },
4648
+ {
4649
+ "id": "NEW-CTRL-071",
4650
+ "name": "AI-DISCOVERY-CREDIT-IN-COMPLIANCE-EVIDENCE",
4651
+ "description": "Compliance evidence packs must record AI-tool contribution as a distinct positive control modality.",
4652
+ "evidence": "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP — Big Sleep tranche has no SSDF / SAMM / 42001 attribution path.",
4653
+ "gap_closes": [
4654
+ "EU-AI-Act-Art15",
4655
+ "ISO-IEC-42001-AIMS",
4656
+ "OWASP-SAMM-Code-Review"
4657
+ ]
4658
+ }
4659
+ ],
4660
+ "compliance_exposure_score": {
4661
+ "percent_audit_passing_orgs_still_exposed": 75,
4662
+ "basis": "Bundled-FFmpeg / ImageMagick inventory across consuming projects is rare; AI-discovery cadence outpaces operator patch programs. Composite-entry rating — refine when per-CVE detail lands.",
4663
+ "theater_pattern": "vulnerability_management_theater"
4664
+ },
4665
+ "ai_discovered_zeroday": true,
4666
+ "ai_discovery_source": "vendor_research",
4667
+ "ai_discovery_date": "2025-08-04",
4668
+ "ai_assist_factor": "very_high"
2922
4669
  }
2923
4670
  }