@blamejs/exceptd-skills 0.13.68 → 0.13.70

package/data/attack-techniques.json

@@ -1610,7 +1610,8 @@
       "DS0022"
     ],
     "cve_refs": [
-      "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND"
+      "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
+      "CVE-2026-45498"
     ],
     "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
     "description_full": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware) Adversaries may trigger a denial-of-service attack via legitimate system processes. It has been previously observed that the Windows Time Travel Debugging (TTD) monitor driver can be used to initiate a debugging session for a security tool (e.g., an EDR) and render the tool non-functional. By hooking the debugger into the EDR process, all child processes from the EDR will be automatically suspended. The attacker can terminate any EDR helper processes (unprotected by Windows Protected Process Light) by abusing the Process Explorer driver. In combination this will halt any attempt to restart services and cause the tool to crash.(Citation: Cocomazzi FIN7 Reboot) Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. Alternatively, they may add new directories to an EDR tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021) Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369) In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor. Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
@@ -2663,7 +2664,8 @@
     "last_verified": "2026-05-19",
     "notes": "Added v0.13.17 to support DoS-class KEV bulk imports.",
     "cve_refs": [
-      "CVE-2025-6543"
+      "CVE-2025-6543",
+      "CVE-2026-45498"
     ],
     "description_full": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014) An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets. Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices. Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016) In cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China) For attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
     "platforms": [
@@ -3346,7 +3348,10 @@
       "Windows"
     ],
     "stix_id": "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2026-34926"
+    ]
   },
   "T1074": {
     "id": "T1074",
@@ -3439,7 +3444,10 @@
       "Windows"
     ],
     "stix_id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2026-34926"
+    ]
   },
   "T1087": {
     "id": "T1087",

package/data/cve-catalog.json

@@ -9587,6 +9587,229 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Microsoft Defender (Malware Protection Engine) improperly resolves links before file access, allowing local privilege elevation to SYSTEM."
   },
+  "CVE-2026-34926": {
+    "name": "Trend Micro Apex One Directory Traversal → Malicious Agent Code Deployment",
+    "type": "RCE",
+    "cvss_score": 6.7,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L",
+    "cvss_note": "NVD CVSS v3.1 base 6.7 (MEDIUM). High privileges (PR:H — server admin) and high complexity (AC:H) gate it, but Scope:Changed reflects the real impact: the directory traversal lets an attacker on the Apex One management server inject code that the server then deploys to every managed agent — a fleet-wide push from the security tool's own deployment channel.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-21",
+    "cisa_kev_due_date": "2026-06-04",
+    "cisa_kev_due_date_note": "CISA KEV remediation deadline for the 2026-05-21 listing; verified against the live KEV catalog.",
+    "poc_available": false,
+    "poc_description": "CISA KEV-listed (confirmed exploitation). No public proof-of-concept repository referenced by NVD or the Trend Micro advisory at curation time.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Reported through Trend Micro / ZDI coordinated disclosure; no AI-discovery attribution surfaced.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA added the CVE to the KEV catalog on 2026-05-21 (confirmed-exploitation attestation).",
+    "affected": "Trend Micro Apex One on-premise (before 14.0.0.17079) and Apex One SaaS (before 14.0.20731).",
+    "affected_versions": [
+      "Trend Micro Apex One (on-premise) < 14.0.0.17079",
+      "Trend Micro Apex One (SaaS) < 14.0.20731"
+    ],
+    "vector": "A relative path-traversal flaw (CWE-23) on the Apex One on-premise management server lets an attacker who already has server access and administrative credentials modify a key table and inject malicious code that the server deploys to its managed agents. The trust the endpoints place in the management server's deployment channel turns a post-admin server foothold into fleet-wide agent code execution (Scope:Changed).",
+    "complexity": "high",
+    "complexity_notes": "NVD AC:H, PR:H: requires server access plus already-obtained administrative credentials. This is a post-admin-compromise propagation primitive, not an initial-access RCE — its value to an attacker is turning one server into the whole agent fleet.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Vendor fix via product update — Apex One on-premise 14.0.0.17079 / SaaS 14.0.20731 or later; application update, no host reboot.",
+    "vendor_update_paths": [
+      "Update Apex One on-premise to 14.0.0.17079 or later; Apex One SaaS to 14.0.20731 or later."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day flaw-remediation SLA is inadequate for a KEV-listed actively-exploited flaw; the CISA KEV due date (2026-06-04) is the binding clock.",
+      "ISO-27001-2022-A.8.8": "Vulnerability-management clause does not differentiate routinely-disclosed CVEs from KEV-listed actively-exploited ones.",
+      "NIS2-Art21-patch-management": "Article 21 measures mandate patching but do not treat the EDR/endpoint-management server's agent-deployment channel as a high-blast-radius supply-chain control plane that must be hardened and monitored.",
+      "DORA-Art-9": "ICT protection measures assume the endpoint-management platform is trustworthy; abuse of its own deployment channel to push code to agents is outside the typical control narrative.",
+      "UK-CAF-B4": "System Security objective expects remediation but does not call out the management-server → agent deployment path as a privileged trust boundary requiring integrity controls.",
+      "AU-ISM-1546": "Patch-application timeframe control is product-agnostic; it does not address the fleet-wide propagation risk of a compromised endpoint-management server."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1072",
+      "T1083"
+    ],
+    "rwep_score": 52,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 0,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P2 (RWEP 52 per lib/scoring.js). KEV-listed with confirmed exploitation. blast_radius=22: the management server's deployment channel reaches the whole agent fleet, but PR:H/AC:H (requires pre-existing server admin) caps practical reach below an unauthenticated RCE. No verified public PoC. patch_available -15 (vendor update).",
+    "epss_score": null,
+    "epss_date": "2026-05-24",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-34926",
+    "cwe_refs": [
+      "CWE-23",
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Modification of the Apex One server's agent-deployment key table or staged agent payloads by a process/path outside the normal product update workflow.",
+        "Apex One management server pushing an agent update/package that was not initiated by a sanctioned administrator action (deployment from an anomalous session or off-hours).",
+        "Path-traversal sequences (`..\\` / `../`) in requests to Apex One on-premise server endpoints that handle file or key-table writes.",
+        "On-premise Apex One server below 14.0.0.17079 (or SaaS below 14.0.20731) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the NVD CVE-2026-34926 mechanism (CWE-23 relative path traversal enabling key-table modification and malicious agent deployment) and the Trend Micro advisory; no public packet/payload capture available at curation time."
+    },
+    "source_verified": "2026-05-24",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-34926",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2026-34926",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "medium",
+        "published_date": "2026-05-21"
+      },
+      {
+        "vendor": "Trend Micro",
+        "advisory_id": "CVE-2026-34926",
+        "url": "https://success.trendmicro.com/solution/CVE-2026-34926",
+        "severity": "medium",
+        "published_date": "2026-05-21"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-34926",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34926",
+        "severity": "medium",
+        "published_date": "2026-05-21"
+      }
+    ],
+    "last_updated": "2026-05-24",
+    "discovery_attribution_note": "Manually curated from NVD + CISA KEV (added 2026-05-21, due 2026-06-04). CWE-23 relative path traversal on the Apex One on-premise management server enabling key-table modification and malicious code deployment to managed agents. Postdates the v0.13.17 bulk KEV intake (catalog version 2026.05.15).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Trend Micro Apex One on-premise contains a directory traversal that lets a pre-authenticated local attacker modify a key table to inject malicious code deployed to agents."
+  },
+  "CVE-2026-45498": {
+    "name": "Microsoft Defender Remote Denial of Service (Antimalware Platform)",
+    "type": "DoS",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 7.5 (HIGH) — network, no-auth, availability-only. (Some early press reported 4.0; NVD's authoritative score is 7.5.) The impact is defense impairment: remotely knocking out Microsoft Defender removes the host's AV/EDR coverage, enabling follow-on intrusion.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-20",
+    "cisa_kev_due_date": "2026-06-03",
+    "cisa_kev_due_date_note": "CISA KEV (FCEB) remediation deadline for the 2026-05-20 listing; verified against the live KEV catalog (same batch as CVE-2026-41091).",
+    "poc_available": false,
+    "poc_description": "CISA KEV-listed with Microsoft 'Exploitation Detected'. No public proof-of-concept repository verified at curation time.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Reported through Microsoft's MSRC process; no AI-discovery attribution surfaced.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Microsoft flagged 'Exploitation Detected'; CISA added the CVE to the KEV catalog on 2026-05-20 alongside CVE-2026-41091 (Defender LPE). Help Net Security and The Hacker News reported active exploitation 2026-05-21.",
+    "affected": "Microsoft Defender Antimalware Platform versions 4.18.26030.3011 through 4.18.26040.7, excluding the fixed build 4.18.26040.7.",
+    "affected_versions": [
+      "Microsoft Defender Antimalware Platform >= 4.18.26030.3011, < 4.18.26040.7"
+    ],
+    "vector": "Uncontrolled resource consumption (CWE-400) in the Microsoft Defender antimalware platform, reachable over the network without authentication, lets an attacker crash or hang Defender. Because the result is loss of AV/EDR availability, the bug is a defense-impairment primitive (ATT&CK T1562.001): an attacker can disable endpoint protection ahead of, or during, an intrusion.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N — remote, unauthenticated, low-complexity. Availability-only (C:N/I:N/A:H).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Microsoft Defender antimalware-platform auto-update (platform updates apply without reboot)"
+    ],
+    "live_patch_notes": "Defender's antimalware platform auto-updates; the fixed build is 4.18.26040.7 and applies without reboot. The exposed population is environments that pin or delay platform updates — verify the deployed platform version is >= 4.18.26040.7.",
+    "vendor_update_paths": [
+      "Ensure the Microsoft Defender Antimalware Platform is updated to 4.18.26040.7 or later (auto-update is the default; confirm it is not blocked by a managed-update policy)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day flaw-remediation SLA is inadequate for a KEV-listed actively-exploited flaw; the CISA KEV due date (2026-06-03) is the binding clock.",
+      "ISO-27001-2022-A.8.8": "Vulnerability-management clause does not differentiate routinely-disclosed CVEs from KEV-listed ones, nor require monitoring AV/EDR availability as a control whose loss is itself a security event.",
+      "NIS2-Art21-patch-management": "Article 21 measures treat the AV/EDR as a protective control but do not require detecting when that control is remotely disabled — a precondition this DoS creates.",
+      "DORA-Art-9": "ICT protection measures assume endpoint protection is present; remote loss of that protection is outside the typical availability-monitoring narrative for security tooling.",
+      "UK-CAF-B4": "System Security objective expects remediation but does not call out resilience/availability monitoring of the endpoint-protection agent itself.",
+      "AU-ISM-1546": "Patch-application timeframe control is product-agnostic; it does not address remote denial of the security agent as a defense-evasion enabler."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1562.001",
+      "T1499"
+    ],
+    "rwep_score": 45,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 0,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P2 (RWEP 45 per lib/scoring.js). KEV-listed with confirmed exploitation; blast_radius=25 — Defender is present on virtually every Windows endpoint and the DoS is remote + unauthenticated. No verified public PoC; auto-update / no-reboot remediation lowers urgency (patch_available -15, live_patch_available -10). The significance is defense impairment: a remotely-disable-able AV is an intrusion enabler.",
+    "epss_score": null,
+    "epss_date": "2026-05-24",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-45498",
+    "cwe_refs": [
+      "CWE-400"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Microsoft Defender service (WinDefend / MsMpEng) crash, hang, or repeated restart loop coinciding with inbound network activity to the host.",
+        "Gaps in Defender / AMSI telemetry forwarding to the SIEM that begin abruptly and are not explained by a sanctioned update or reboot — the host going dark on AV/EDR.",
+        "Deployed Defender antimalware platform version below 4.18.26040.7 on hosts that otherwise receive auto-updates — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the NVD CVE-2026-45498 mechanism (CWE-400 uncontrolled resource consumption, network/no-auth, availability impact on the Defender platform) and Microsoft's advisory; no public packet/payload capture available at curation time."
+    },
+    "source_verified": "2026-05-24",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-45498",
+      "https://www.helpnetsecurity.com/2026/05/21/microsoft-defender-vulnerabilities-cve-2026-41091-cve-2026-45498/",
+      "https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2026-45498",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "Microsoft (MSRC)",
+        "advisory_id": "CVE-2026-45498",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-45498",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45498",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-24",
+    "discovery_attribution_note": "Manually curated from NVD (CVSS 7.5, CWE-400) + Microsoft MSRC ('Exploitation Detected') + CISA KEV (added 2026-05-20, due 2026-06-03) + Help Net Security / The Hacker News (2026-05-21). Companion to CVE-2026-41091 in the same Defender advisory. Postdates the v0.13.17 bulk KEV intake (catalog version 2026.05.15).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Defender contains an uncontrolled-resource-consumption flaw allowing a remote, unauthenticated denial of service that disables endpoint protection."
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "type": "RCE",

package/data/cwe-catalog.json

@@ -101,7 +101,8 @@
       "CVE-2025-27920",
       "CVE-2025-4632",
       "CVE-2025-6218",
-      "CVE-2025-8110"
+      "CVE-2025-8110",
+      "CVE-2026-34926"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-AC-3",
@@ -2110,7 +2111,8 @@
     "related_weaknesses": [],
     "evidence_cves": [
       "CVE-2024-27199",
-      "CVE-2025-64446"
+      "CVE-2025-64446",
+      "CVE-2026-34926"
     ],
     "last_verified": "2026-05-18",
     "notes": "Added v0.13.17 KEV bulk-import."
@@ -2886,7 +2888,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2026-45498"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,

package/data/framework-control-gaps.json

@@ -1517,6 +1517,7 @@
       "CVE-2026-33634",
       "CVE-2026-34197",
       "CVE-2026-34621",
+      "CVE-2026-34926",
       "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-3909",
@@ -1524,6 +1525,7 @@
       "CVE-2026-41091",
       "CVE-2026-41940",
       "CVE-2026-42945",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281"
@@ -1714,9 +1716,11 @@
       "CVE-2025-38352",
       "CVE-2025-43300",
       "CVE-2026-31431",
+      "CVE-2026-34926",
       "CVE-2026-39884",
       "CVE-2026-41091",
       "CVE-2026-45321",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2026-3083"
@@ -2440,6 +2444,7 @@
       "CVE-2026-33825",
       "CVE-2026-34197",
       "CVE-2026-34621",
+      "CVE-2026-34926",
       "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-3909",
@@ -2450,6 +2455,7 @@
       "CVE-2026-42945",
       "CVE-2026-43284",
       "CVE-2026-43500",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "CVE-2026-5281",
@@ -4694,9 +4700,11 @@
       "CVE-2025-34291",
       "CVE-2026-0300",
       "CVE-2026-20182",
+      "CVE-2026-34926",
       "CVE-2026-41091",
       "CVE-2026-42897",
       "CVE-2026-42945",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333"
     ],
@@ -5181,7 +5189,9 @@
     "evidence_cves": [
       "CVE-2024-21762",
       "CVE-2025-34291",
+      "CVE-2026-34926",
       "CVE-2026-41091",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333",
       "MAL-2026-SHAI-HULUD-OSS"
@@ -5217,7 +5227,9 @@
     "evidence_cves": [
       "CVE-2024-21762",
       "CVE-2025-34291",
+      "CVE-2026-34926",
       "CVE-2026-41091",
+      "CVE-2026-45498",
       "CVE-2026-46300",
       "CVE-2026-46333"
     ],

package/data/zeroday-lessons.json

@@ -6023,6 +6023,96 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-34926": {
+    "name": "Trend Micro Apex One Directory Traversal → Malicious Agent Code Deployment",
+    "lesson_date": "2026-05-24",
+    "attack_vector": {
+      "description": "A relative path traversal (CWE-23) on the Apex One on-premise management server lets an attacker with server admin access modify a key table and inject malicious code that the server deploys to all managed agents — fleet-wide code execution through the security tool's own trusted deployment channel.",
+      "privileges_required": "server access + already-obtained administrative credentials (PR:H)",
+      "complexity": "high (NVD AC:H) — post-admin-compromise propagation primitive, not initial access",
+      "ai_factor": "Not AI-discovered. The lesson: an endpoint-management server's agent-deployment channel is a high-blast-radius supply-chain control plane — its integrity must be monitored, because a foothold on the server becomes the entire agent fleet. Surfaced by the CISA-KEV poller after the v0.13.17 bulk intake."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day SLA inadequate for a KEV-listed flaw; KEV due date (2026-06-04) is the binding clock."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not differentiate routinely-disclosed CVEs from KEV-listed ones, nor treat the agent-deployment channel as a control plane needing integrity monitoring."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 45,
+      "basis": "Orgs audit endpoint protection for coverage and patch SLA but rarely monitor the integrity of the management server's agent-deployment channel; a post-admin foothold there is treated as 'already game over' rather than as a fleet-propagation risk to contain.",
+      "theater_pattern": "detection_gap"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-078",
+        "name": "ENDPOINT-MGMT-DEPLOYMENT-CHANNEL-INTEGRITY",
+        "description": "Treat the EDR/endpoint-management server's agent-deployment channel (package/key-table → agent push) as a privileged supply-chain control plane: integrity-monitor the deployment artifacts and key tables, alert on agent pushes not tied to a sanctioned admin action, and patch the management server to the fixed build (Apex One on-prem 14.0.0.17079 / SaaS 14.0.20731) as a KEV-priority item. A server foothold must not silently become fleet-wide agent code execution.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-34926",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "NIS2-Art21-patch-management"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-45498": {
+    "name": "Microsoft Defender Remote Denial of Service (Antimalware Platform)",
+    "lesson_date": "2026-05-24",
+    "attack_vector": {
+      "description": "Uncontrolled resource consumption (CWE-400) in the Microsoft Defender antimalware platform, reachable over the network without authentication, lets an attacker crash or hang Defender — remotely removing the host's AV/EDR coverage (defense impairment, ATT&CK T1562.001).",
+      "privileges_required": "none — remote, unauthenticated (NVD AV:N / PR:N)",
+      "complexity": "low (NVD AC:L); availability-only (C:N/I:N/A:H)",
+      "ai_factor": "Not AI-discovered. The lesson: AV/EDR availability is itself a control, and its remote loss is a security event, not just an outage — a disable-able defender is an intrusion enabler. Surfaced by the CISA-KEV poller after the v0.13.17 bulk intake."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day SLA inadequate for a KEV-listed flaw; KEV due date (2026-06-03) is the binding clock."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not treat remote loss of AV/EDR availability as a monitored security event distinct from a routine outage."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 55,
+      "basis": "Most programs verify AV/EDR is deployed but do not alarm when it is remotely disabled; a host going dark on Defender telemetry is often treated as an IT availability blip, not a defense-evasion precursor.",
+      "theater_pattern": "detection_gap"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-079",
+        "name": "AV-EDR-AVAILABILITY-MONITORING",
+        "description": "Treat loss of AV/EDR availability as a first-class security event: alarm when an endpoint stops reporting Defender/EDR telemetry or its protection service crashes/restarts abnormally, correlate with inbound network activity, and patch the Defender antimalware platform to the fixed build (4.18.26040.7) as a KEV-priority item. A remotely-disable-able defender must not fail silent.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2026-45498",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "ISO-27001-2022-A.8.8",
+          "DORA-Art-9"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "lesson_date": "2026-05-18",