@blamejs/exceptd-skills 0.13.69 → 0.13.71

package/data/attack-techniques.json

@@ -1080,6 +1080,10 @@
     "name": "Exploitation for Client Execution",
     "version": "v19",
     "cve_refs": [
+      "CVE-2009-1537",
+      "CVE-2009-3459",
+      "CVE-2010-0249",
+      "CVE-2010-0806",
       "CVE-2014-3931",
       "CVE-2018-14634",
       "CVE-2020-9715",
@@ -1610,7 +1614,8 @@
       "DS0022"
     ],
     "cve_refs": [
-      "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND"
+      "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
+      "CVE-2026-45498"
     ],
     "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
     "description_full": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware) Adversaries may trigger a denial-of-service attack via legitimate system processes. It has been previously observed that the Windows Time Travel Debugging (TTD) monitor driver can be used to initiate a debugging session for a security tool (e.g., an EDR) and render the tool non-functional. By hooking the debugger into the EDR process, all child processes from the EDR will be automatically suspended. The attacker can terminate any EDR helper processes (unprotected by Windows Protected Process Light) by abusing the Process Explorer driver. In combination this will halt any attempt to restart services and cause the tool to crash.(Citation: Cocomazzi FIN7 Reboot) Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. Alternatively, they may add new directories to an EDR tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021) Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369) In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor. Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
@@ -2663,7 +2668,8 @@
     "last_verified": "2026-05-19",
     "notes": "Added v0.13.17 to support DoS-class KEV bulk imports.",
     "cve_refs": [
-      "CVE-2025-6543"
+      "CVE-2025-6543",
+      "CVE-2026-45498"
     ],
     "description_full": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014) An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets. Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices. Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016) In cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China) For attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
     "platforms": [
@@ -4247,7 +4253,10 @@
       "ESXi"
     ],
     "stix_id": "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2008-4250"
+    ]
   },
   "T1211": {
     "id": "T1211",

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.038,
+      "current_rate": 0.037,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -9698,6 +9698,523 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Trend Micro Apex One on-premise contains a directory traversal that lets a pre-authenticated local attacker modify a key table to inject malicious code deployed to agents."
   },
+  "CVE-2026-45498": {
+    "name": "Microsoft Defender Remote Denial of Service (Antimalware Platform)",
+    "type": "DoS",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 7.5 (HIGH) — network, no-auth, availability-only. (Some early press reported 4.0; NVD's authoritative score is 7.5.) The impact is defense impairment: remotely knocking out Microsoft Defender removes the host's AV/EDR coverage, enabling follow-on intrusion.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-20",
+    "cisa_kev_due_date": "2026-06-03",
+    "cisa_kev_due_date_note": "CISA KEV (FCEB) remediation deadline for the 2026-05-20 listing; verified against the live KEV catalog (same batch as CVE-2026-41091).",
+    "poc_available": false,
+    "poc_description": "CISA KEV-listed with Microsoft 'Exploitation Detected'. No public proof-of-concept repository verified at curation time.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Reported through Microsoft's MSRC process; no AI-discovery attribution surfaced.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Microsoft flagged 'Exploitation Detected'; CISA added the CVE to the KEV catalog on 2026-05-20 alongside CVE-2026-41091 (Defender LPE). Help Net Security and The Hacker News reported active exploitation 2026-05-21.",
+    "affected": "Microsoft Defender Antimalware Platform versions 4.18.26030.3011 through 4.18.26040.7, excluding the fixed build 4.18.26040.7.",
+    "affected_versions": [
+      "Microsoft Defender Antimalware Platform >= 4.18.26030.3011, < 4.18.26040.7"
+    ],
+    "vector": "Uncontrolled resource consumption (CWE-400) in the Microsoft Defender antimalware platform, reachable over the network without authentication, lets an attacker crash or hang Defender. Because the result is loss of AV/EDR availability, the bug is a defense-impairment primitive (ATT&CK T1562.001): an attacker can disable endpoint protection ahead of, or during, an intrusion.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N — remote, unauthenticated, low-complexity. Availability-only (C:N/I:N/A:H).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Microsoft Defender antimalware-platform auto-update (platform updates apply without reboot)"
+    ],
+    "live_patch_notes": "Defender's antimalware platform auto-updates; the fixed build is 4.18.26040.7 and applies without reboot. The exposed population is environments that pin or delay platform updates — verify the deployed platform version is >= 4.18.26040.7.",
+    "vendor_update_paths": [
+      "Ensure the Microsoft Defender Antimalware Platform is updated to 4.18.26040.7 or later (auto-update is the default; confirm it is not blocked by a managed-update policy)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day flaw-remediation SLA is inadequate for a KEV-listed actively-exploited flaw; the CISA KEV due date (2026-06-03) is the binding clock.",
+      "ISO-27001-2022-A.8.8": "Vulnerability-management clause does not differentiate routinely-disclosed CVEs from KEV-listed ones, nor require monitoring AV/EDR availability as a control whose loss is itself a security event.",
+      "NIS2-Art21-patch-management": "Article 21 measures treat the AV/EDR as a protective control but do not require detecting when that control is remotely disabled — a precondition this DoS creates.",
+      "DORA-Art-9": "ICT protection measures assume endpoint protection is present; remote loss of that protection is outside the typical availability-monitoring narrative for security tooling.",
+      "UK-CAF-B4": "System Security objective expects remediation but does not call out resilience/availability monitoring of the endpoint-protection agent itself.",
+      "AU-ISM-1546": "Patch-application timeframe control is product-agnostic; it does not address remote denial of the security agent as a defense-evasion enabler."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1562.001",
+      "T1499"
+    ],
+    "rwep_score": 45,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 0,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P2 (RWEP 45 per lib/scoring.js). KEV-listed with confirmed exploitation; blast_radius=25 — Defender is present on virtually every Windows endpoint and the DoS is remote + unauthenticated. No verified public PoC; auto-update / no-reboot remediation lowers urgency (patch_available -15, live_patch_available -10). The significance is defense impairment: a remotely-disable-able AV is an intrusion enabler.",
+    "epss_score": null,
+    "epss_date": "2026-05-24",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-45498",
+    "cwe_refs": [
+      "CWE-400"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Microsoft Defender service (WinDefend / MsMpEng) crash, hang, or repeated restart loop coinciding with inbound network activity to the host.",
+        "Gaps in Defender / AMSI telemetry forwarding to the SIEM that begin abruptly and are not explained by a sanctioned update or reboot — the host going dark on AV/EDR.",
+        "Deployed Defender antimalware platform version below 4.18.26040.7 on hosts that otherwise receive auto-updates — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from the NVD CVE-2026-45498 mechanism (CWE-400 uncontrolled resource consumption, network/no-auth, availability impact on the Defender platform) and Microsoft's advisory; no public packet/payload capture available at curation time."
+    },
+    "source_verified": "2026-05-24",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-45498",
+      "https://www.helpnetsecurity.com/2026/05/21/microsoft-defender-vulnerabilities-cve-2026-41091-cve-2026-45498/",
+      "https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2026-45498",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "Microsoft (MSRC)",
+        "advisory_id": "CVE-2026-45498",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-45498",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45498",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-24",
+    "discovery_attribution_note": "Manually curated from NVD (CVSS 7.5, CWE-400) + Microsoft MSRC ('Exploitation Detected') + CISA KEV (added 2026-05-20, due 2026-06-03) + Help Net Security / The Hacker News (2026-05-21). Companion to CVE-2026-41091 in the same Defender advisory. Postdates the v0.13.17 bulk KEV intake (catalog version 2026.05.15).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Defender contains an uncontrolled-resource-consumption flaw allowing a remote, unauthenticated denial of service that disables endpoint protection."
+  },
+  "CVE-2008-4250": {
+    "name": "Microsoft Windows Server Service RPC Buffer Overflow (MS08-067)",
+    "type": "RCE",
+    "cvss_score": 9.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "Operator estimate for a legacy CVE re-listed to CISA KEV on 2026-05-20 (CVSSv2 was 10.0). Refine via `exceptd refresh --advisory CVE-2008-4250 --apply`.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-20",
+    "cisa_kev_due_date": "2026-06-03",
+    "poc_available": true,
+    "poc_description": "Long-public, weaponized RCE (Metasploit ms08_067_netapi; the Conficker worm and later Stuxnet used it). Re-listed to KEV for renewed exploitation against unpatched / legacy Windows hosts.",
+    "ai_discovered": false,
+    "ai_discovery_source": "unknown",
+    "ai_discovery_notes": "Legacy CVE (2008); no AI-discovery provenance.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Legacy weaponization (worm/exploit-kit era); not AI-assisted.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA KEV re-listing 2026-05-20 attests renewed active exploitation, typically against unpatched / end-of-life Windows in OT and legacy enterprise environments.",
+    "affected": "Microsoft Windows (Server service) — legacy supported builds of the MS08-067 era; see Microsoft MS08-067 for affected versions.",
+    "affected_versions": [
+      "Microsoft Windows 2000 / XP / Server 2003 / Vista / Server 2008 (per MS08-067)"
+    ],
+    "vector": "A crafted RPC request to the Windows Server service triggers a buffer overflow allowing unauthenticated remote code execution — wormable. The canonical legacy network RCE.",
+    "complexity": "low",
+    "complexity_notes": "Unauthenticated, network-reachable, reliable public exploit. The patch has existed since 2008; exposure is purely unpatched / legacy systems.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Microsoft patch MS08-067 (2008); requires reboot. No live-patch primitive.",
+    "vendor_update_paths": [
+      "Apply MS08-067; decommission or isolate any remaining unpatched / end-of-life Windows hosts."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "An 18-year-old patched CVE re-appearing on KEV exposes the gap between 'patch released' and 'patch deployed' across legacy/OT estates; SI-2's flaw-remediation SLA assumes assets are in the managed patch program at all.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely covers end-of-life assets that no longer receive routine scanning; a KEV re-listing of a legacy RCE is the signal that those assets are being hunted.",
+      "NIST-800-53-AC-6": "Least-privilege presumes a working boundary; an unauthenticated wormable RCE on a reachable legacy host has none."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1210"
+    ],
+    "rwep_score": 70,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 15,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "P1 — KEV-listed, weaponized, confirmed exploitation. blast_radius=15 reflects that exposure is constrained to unpatched / legacy estates rather than the full modern Windows population. Draft (KEV-gap-fill) pending per-CVE enrichment.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this KEV-gap-fill draft.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2008-4250",
+    "cwe_refs": [
+      "CWE-119"
+    ],
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://nvd.nist.gov/vuln/detail/CVE-2008-4250"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2008-4250",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20 (renewed exploitation against unpatched / legacy Windows). Draft pending enrichment; postdates the v0.13.17 bulk intake (KEV catalog 2026.05.15).",
+    "_auto_imported": true,
+    "_intake_method": "manual-kev-gap-fill-2026-05-20",
+    "_kev_short_description": "Microsoft Windows Server service contains a buffer overflow allowing unauthenticated wormable remote code execution (MS08-067)."
+  },
+  "CVE-2009-1537": {
+    "name": "Microsoft DirectShow QuickTime Parsing Memory Corruption",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "Operator estimate for a legacy CVE re-listed to CISA KEV 2026-05-20. Refine via `exceptd refresh --advisory CVE-2009-1537 --apply`.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-20",
+    "cisa_kev_due_date": "2026-06-03",
+    "poc_available": true,
+    "poc_description": "Public client-side exploit (malicious media file) from the MS09-028 era; re-listed for renewed exploitation on legacy systems.",
+    "ai_discovered": false,
+    "ai_discovery_source": "unknown",
+    "ai_discovery_notes": "Legacy CVE (2009); no AI-discovery provenance.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Legacy weaponization; not AI-assisted.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA KEV re-listing 2026-05-20 attests renewed active exploitation against legacy systems.",
+    "affected": "Microsoft DirectX / DirectShow (QuickTime content parsing) on legacy Windows — see MS09-028.",
+    "affected_versions": [
+      "Microsoft Windows 2000 / XP / Server 2003 DirectX (per MS09-028)"
+    ],
+    "vector": "Parsing a maliciously crafted QuickTime media file in Microsoft DirectShow corrupts memory (NULL-byte overwrite class), allowing remote code execution when a user opens the file.",
+    "complexity": "low",
+    "complexity_notes": "Client-side: requires the victim to open crafted media. Public exploit; patch since 2009.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Microsoft patch MS09-028 (2009); requires reboot.",
+    "vendor_update_paths": [
+      "Apply MS09-028; decommission or isolate unpatched / end-of-life Windows hosts."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Re-listing of a legacy patched client-side RCE exposes the patch-deployment gap on legacy endpoints.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely scans end-of-life client systems where this remains exploitable.",
+      "NIST-800-53-AC-6": "Client-side RCE runs with the victim user's privileges; least-privilege limits but does not prevent it."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1203"
+    ],
+    "rwep_score": 70,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 15,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "P1 — KEV-listed legacy client-side RCE; blast_radius=15 (legacy-constrained). Draft (KEV-gap-fill).",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this KEV-gap-fill draft.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2009-1537",
+    "cwe_refs": [
+      "CWE-787"
+    ],
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://nvd.nist.gov/vuln/detail/CVE-2009-1537"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2009-1537",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
+    "_auto_imported": true,
+    "_intake_method": "manual-kev-gap-fill-2026-05-20",
+    "_kev_short_description": "Microsoft DirectShow QuickTime parsing memory corruption allowing remote code execution via a crafted media file."
+  },
+  "CVE-2009-3459": {
+    "name": "Adobe Acrobat and Reader Heap-Based Buffer Overflow",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "Operator estimate for a legacy CVE re-listed to CISA KEV 2026-05-20. Refine via `exceptd refresh --advisory CVE-2009-3459 --apply`.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-20",
+    "cisa_kev_due_date": "2026-06-03",
+    "poc_available": true,
+    "poc_description": "Public client-side exploit (malicious PDF) from the 2009 Adobe Acrobat/Reader era; re-listed for renewed exploitation on unpatched readers.",
+    "ai_discovered": false,
+    "ai_discovery_source": "unknown",
+    "ai_discovery_notes": "Legacy CVE (2009); no AI-discovery provenance.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Legacy weaponization; not AI-assisted.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA KEV re-listing 2026-05-20 attests renewed active exploitation against unpatched Acrobat/Reader installs.",
+    "affected": "Adobe Acrobat and Reader (2009-era versions) — see Adobe APSB09-15.",
+    "affected_versions": [
+      "Adobe Acrobat / Reader 9.x and earlier (per APSB09-15)"
+    ],
+    "vector": "A crafted PDF triggers a heap-based buffer overflow in Adobe Acrobat/Reader, allowing remote code execution when the document is opened.",
+    "complexity": "low",
+    "complexity_notes": "Client-side: requires opening a malicious PDF. Public exploit; patch since 2009.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Adobe patch APSB09-15 (2009); application update.",
+    "vendor_update_paths": [
+      "Update Adobe Acrobat / Reader to a supported version; remove end-of-life installs."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Re-listing of a legacy document-handler RCE exposes the patch-deployment gap for client applications on unmanaged endpoints.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management often omits third-party desktop apps (PDF readers) on legacy endpoints.",
+      "NIST-800-53-AC-6": "Document-handler RCE runs with the opening user's privileges."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1203"
+    ],
+    "rwep_score": 70,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 15,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "P1 — KEV-listed legacy client-side RCE; blast_radius=15 (legacy-constrained). Draft (KEV-gap-fill).",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this KEV-gap-fill draft.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2009-3459",
+    "cwe_refs": [
+      "CWE-122"
+    ],
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://nvd.nist.gov/vuln/detail/CVE-2009-3459"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2009-3459",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
+    "_auto_imported": true,
+    "_intake_method": "manual-kev-gap-fill-2026-05-20",
+    "_kev_short_description": "Adobe Acrobat and Reader heap-based buffer overflow allowing remote code execution via a crafted PDF."
+  },
+  "CVE-2010-0249": {
+    "name": "Microsoft Internet Explorer Use-After-Free (Operation Aurora)",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "Operator estimate for a legacy CVE re-listed to CISA KEV 2026-05-20. The Operation Aurora IE 0-day (2010). Refine via `exceptd refresh --advisory CVE-2010-0249 --apply`.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-20",
+    "cisa_kev_due_date": "2026-06-03",
+    "poc_available": true,
+    "poc_description": "Public, weaponized (Metasploit ie_aurora) — the original Operation Aurora intrusion set used it against Google and others in 2010. Re-listed for renewed exploitation against legacy IE.",
+    "ai_discovered": false,
+    "ai_discovery_source": "unknown",
+    "ai_discovery_notes": "Legacy CVE (2010); no AI-discovery provenance.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Legacy nation-state weaponization (Aurora); not AI-assisted.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA KEV re-listing 2026-05-20 attests renewed active exploitation against legacy Internet Explorer installs.",
+    "affected": "Microsoft Internet Explorer 6/7/8 (per MS10-002).",
+    "affected_versions": [
+      "Microsoft Internet Explorer 6 / 7 / 8 (per MS10-002)"
+    ],
+    "vector": "A use-after-free in Internet Explorer's HTML rendering allows remote code execution when the victim visits a crafted page — the technique used in the 2010 Operation Aurora campaign.",
+    "complexity": "low",
+    "complexity_notes": "Client-side drive-by: visiting a crafted page. Public weaponized exploit; patch since 2010.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Microsoft patch MS10-002 (2010); requires reboot.",
+    "vendor_update_paths": [
+      "Apply MS10-002; decommission legacy Internet Explorer / end-of-life Windows."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Re-listing of the Aurora IE 0-day exposes the gap for legacy browsers still reachable in OT / kiosk / legacy estates.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely tracks end-of-life browsers that remain in use on legacy systems.",
+      "NIST-800-53-AC-6": "Browser RCE runs with the victim user's privileges; an Aurora-class chain then pivots."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1203"
+    ],
+    "rwep_score": 70,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 15,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "P1 — KEV-listed, historically nation-state-weaponized (Aurora) client-side RCE; blast_radius=15 (legacy-constrained). Draft (KEV-gap-fill).",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this KEV-gap-fill draft.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2010-0249",
+    "cwe_refs": [
+      "CWE-416"
+    ],
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://nvd.nist.gov/vuln/detail/CVE-2010-0249"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2010-0249",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE (Operation Aurora) re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
+    "_auto_imported": true,
+    "_intake_method": "manual-kev-gap-fill-2026-05-20",
+    "_kev_short_description": "Microsoft Internet Explorer use-after-free allowing remote code execution via a crafted web page (Operation Aurora)."
+  },
+  "CVE-2010-0806": {
+    "name": "Microsoft Internet Explorer Use-After-Free (iepeers)",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "Operator estimate for a legacy CVE re-listed to CISA KEV 2026-05-20. Refine via `exceptd refresh --advisory CVE-2010-0806 --apply`.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2026-05-20",
+    "cisa_kev_due_date": "2026-06-03",
+    "poc_available": true,
+    "poc_description": "Public, weaponized (Metasploit ie_iepeers_pointer) — exploited in the wild in 2010. Re-listed for renewed exploitation against legacy IE.",
+    "ai_discovered": false,
+    "ai_discovery_source": "unknown",
+    "ai_discovery_notes": "Legacy CVE (2010); no AI-discovery provenance.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Legacy weaponization; not AI-assisted.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "CISA KEV re-listing 2026-05-20 attests renewed active exploitation against legacy Internet Explorer installs.",
+    "affected": "Microsoft Internet Explorer 6/7 (per MS10-018).",
+    "affected_versions": [
+      "Microsoft Internet Explorer 6 / 7 (per MS10-018)"
+    ],
+    "vector": "A use-after-free in Internet Explorer's iepeers.dll allows remote code execution when the victim visits a crafted page.",
+    "complexity": "low",
+    "complexity_notes": "Client-side drive-by. Public weaponized exploit; patch since 2010.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Microsoft patch MS10-018 (2010); requires reboot.",
+    "vendor_update_paths": [
+      "Apply MS10-018; decommission legacy Internet Explorer / end-of-life Windows."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Re-listing of a legacy IE 0-day exposes the patch-deployment gap for end-of-life browsers in legacy estates.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely tracks end-of-life browsers still in use.",
+      "NIST-800-53-AC-6": "Browser RCE runs with the victim user's privileges."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1203"
+    ],
+    "rwep_score": 70,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 15,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "P1 — KEV-listed legacy client-side RCE; blast_radius=15 (legacy-constrained). Draft (KEV-gap-fill).",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this KEV-gap-fill draft.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2010-0806",
+    "cwe_refs": [
+      "CWE-416"
+    ],
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://nvd.nist.gov/vuln/detail/CVE-2010-0806"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2010-0806",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "high",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
+    "_auto_imported": true,
+    "_intake_method": "manual-kev-gap-fill-2026-05-20",
+    "_kev_short_description": "Microsoft Internet Explorer iepeers.dll use-after-free allowing remote code execution via a crafted web page."
+  },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
     "type": "RCE",

package/data/cwe-catalog.json

@@ -1131,6 +1131,8 @@
       "kernel-lpe-triage"
     ],
     "evidence_cves": [
+      "CVE-2010-0249",
+      "CVE-2010-0806",
       "CVE-2020-9715",
       "CVE-2023-41974",
       "CVE-2023-43000",
@@ -1554,6 +1556,7 @@
       "kernel-lpe-triage"
     ],
     "evidence_cves": [
+      "CVE-2009-1537",
       "CVE-2021-22555",
       "CVE-2023-3519",
       "CVE-2024-21762",
@@ -2210,6 +2213,7 @@
     ],
     "related_weaknesses": [],
     "evidence_cves": [
+      "CVE-2008-4250",
       "CVE-2014-3931",
       "CVE-2025-14174",
       "CVE-2025-31277",
@@ -2716,6 +2720,7 @@
     ],
     "related_weaknesses": [],
     "evidence_cves": [
+      "CVE-2009-3459",
       "CVE-2025-32706",
       "CVE-2026-22778"
     ],
@@ -2888,7 +2893,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2026-45498"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,