@blamejs/exceptd-skills 0.14.26 → 0.14.28

package/data/playbooks/framework.json

@@ -49,6 +49,7 @@
       "ai-api",
       "ai-discovered-cve-triage",
       "cicd-pipeline-compromise",
+      "citation-hygiene",
       "cloud-iam-incident",
       "crypto",
       "crypto-codebase",

package/data/playbooks/sbom.json

@@ -85,6 +85,7 @@
       "ai-api",
       "ai-discovered-cve-triage",
       "cicd-pipeline-compromise",
+      "citation-hygiene",
       "cloud-iam-incident",
       "containers",
       "crypto",

package/data/zeroday-lessons.json

@@ -17746,5 +17746,496 @@
     ],
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2025-30066": {
+    "name": "tj-actions/changed-files GitHub Action Supply-Chain Compromise",
+    "lesson_date": "2026-05-28",
+    "attack_vector": {
+      "description": "A stolen Personal Access Token repointed the action's mutable release tags (v1..v45.0.7) to a malicious commit (0e58ed8) that dumped CI/CD secrets into publicly readable GitHub Actions workflow logs. ~23,000 repositories referenced the action; any consumer pinning by tag rather than commit SHA pulled the trojaned code on its next run.",
+      "privileges_required": "none — automatic for any workflow that ran the tag-pinned action during the window",
+      "complexity": "low to use once tags were repointed; the access required a leaked maintainer PAT",
+      "ai_factor": "No AI involvement documented in discovery or weaponization. Static base64 Python memory-dump payload."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Pinning every GitHub Action to a full-length 40-character commit SHA rather than a mutable tag. A SHA reference cannot be silently repointed.",
+        "was_this_required": false,
+        "framework_requiring_it": "OWASP CICD-SEC-3 (recommended, not mandated as default)",
+        "adequacy": "SHA pinning fully prevents tag-repointing, but the documented usage pattern for the action was tag pinning, so the safe configuration was opt-in."
+      },
+      "detection": {
+        "what_would_have_worked": "Egress/behavior monitoring on CI runners (e.g. Harden-Runner) that flags unexpected network calls or secret-shaped output from a build step — the mechanism by which the compromise was first observed.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Effective but rarely deployed; most pipelines have no runner egress baseline."
+      },
+      "response": {
+        "what_would_have_worked": "Rotate every secret exposed to affected workflows during 2025-03-14/15 and repin to a known-good SHA. GitHub purged the malicious commit and the action was restored at v46.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4 / SR-11",
+        "adequacy": "Rotation is mandatory but only as good as the org's ability to enumerate which secrets each workflow could read."
+      }
+    },
+    "framework_coverage": {
+      "SLSA-v1.0-Build-L3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Build provenance does not bind a consumer's tag reference to a specific source revision; a repointed mutable tag substitutes the build inputs silently."
+      },
+      "NIST-800-218-SSDF-PW.4": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Component-reuse controls assume the upstream artifact is immutable; an action tag is mutable with no publisher-side tamper control."
+      },
+      "NIST-800-53-SR-11": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Component-authenticity verification assumes signed/versioned artifacts; unsigned action tags carry no integrity guarantee."
+      },
+      "OWASP-CICD-SEC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Dependency-chain abuse: SHA pinning is the control but tag pinning is the documented default usage."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-111",
+        "name": "ACTION-COMMIT-SHA-PINNING-ENFORCEMENT",
+        "description": "Every third-party CI/CD action (GitHub Actions, GitLab CI includes, etc.) must be referenced by a full-length commit SHA, never a mutable tag or branch. Enforce via policy check in the pipeline linter; a tag/branch reference to a third-party action is a hard fail.",
+        "evidence": "CVE-2025-30066 — tags v1..v45.0.7 were repointed to malicious commit 0e58ed8; only SHA-pinned consumers were unaffected.",
+        "gap_closes": [
+          "SLSA-v1.0-Build-L3",
+          "OWASP-CICD-SEC-3",
+          "NIST-800-53-SR-11"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 85,
+      "basis": "Most pipelines pin actions by tag per the documented usage pattern, and few audit frameworks mandate SHA pinning as a hard control. Secrets leaked to public logs before any audit could react.",
+      "theater_pattern": "supply_chain_first_party_only"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_date": "2025-03-14",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2025-30154": {
+    "name": "reviewdog/action-setup GitHub Action Supply-Chain Compromise",
+    "lesson_date": "2026-05-28",
+    "attack_vector": {
+      "description": "reviewdog/action-setup@v1 was trojaned on 2025-03-11 to dump exposed secrets to GitHub Actions workflow logs. Because five other reviewdog actions invoke action-setup@v1 internally, consumers were affected transitively even when they SHA-pinned the outer reviewdog action. Assessed as the pivot that leaked the PAT later used in the tj-actions compromise (CVE-2025-30066).",
+      "privileges_required": "none — automatic via transitive action inclusion during the window",
+      "complexity": "low to use; defeated consumer-side SHA pinning of the outer action",
+      "ai_factor": "No AI involvement documented."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Transitive SHA pinning — verifying that an action's OWN internal dependencies are SHA-pinned, not just the action a consumer references directly. Preferring actions that pin their dependencies by SHA.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Consumer-side SHA pinning is insufficient when the pinned action references a mutable tag internally; the control must extend one tier deeper."
+      },
+      "detection": {
+        "what_would_have_worked": "CI runner egress/behavior monitoring flagging secret-shaped output from a reviewdog step.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Effective but rarely deployed."
+      },
+      "response": {
+        "what_would_have_worked": "Rotate secrets exposed during 2025-03-11 18:42-20:31 UTC; repin all reviewdog actions to known-good SHAs predating the compromise.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4 / SR-11",
+        "adequacy": "Mandatory; complicated by the transitive inclusion masking which workflows were actually affected."
+      }
+    },
+    "framework_coverage": {
+      "SLSA-v1.0-Build-L3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Provenance does not cover transitively-included actions; SHA-pinning the outer action still pulled a tag-referenced malicious inner action."
+      },
+      "NIST-800-53-SR-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Supply-chain inventory captures direct dependencies; a second-tier action (action-setup pulled by action-shellcheck) escapes that inventory."
+      },
+      "OWASP-CICD-SEC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Transitive dependency-chain abuse — consumer SHA pinning is necessary but insufficient."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-112",
+        "name": "TRANSITIVE-ACTION-DEPENDENCY-INTEGRITY",
+        "description": "CI/CD action vetting must extend to the actions a referenced action invokes internally. Prefer actions that SHA-pin their own dependencies; where a dependency is tag-referenced, treat the whole chain as unpinned regardless of how the outer action is pinned.",
+        "evidence": "CVE-2025-30154 — action-setup@v1 (tag) was trojaned and reached consumers who SHA-pinned action-shellcheck/staticcheck/ast-grep/typos/composite-template.",
+        "gap_closes": [
+          "SLSA-v1.0-Build-L3",
+          "NIST-800-53-SR-3",
+          "OWASP-CICD-SEC-3"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 88,
+      "basis": "Even organizations that adopted SHA pinning (the recommended control) were exposed because the malicious code was a transitive tag-referenced dependency of an action they had pinned correctly.",
+      "theater_pattern": "supply_chain_first_party_only"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_date": "2025-03-11",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2026-48027": {
+    "name": "Nx Console IDE Extension Supply-Chain Compromise",
+    "lesson_date": "2026-05-28",
+    "attack_vector": {
+      "description": "A malicious Nx Console 18.95.0 was published to the Visual Studio Marketplace (~18 min) and OpenVSX (~36 min) on 2026-05-19. On install/activation it fetched an obfuscated payload that harvested developer credentials from multiple sources on the endpoint. The compromise sits upstream of the CI pipeline — on the developer's machine, where the same secrets a pipeline protects are stored.",
+      "privileges_required": "none beyond install/auto-update of the extension during the window; payload ran with the developer's local privileges",
+      "complexity": "low to use; required publishing under the legitimate publisher identity",
+      "ai_factor": "AI-CLI abuse is not asserted for this specific extension compromise. The Nx ecosystem's earlier August 2025 's1ngularity' npm compromise weaponized installed AI CLI assistants for secret enumeration — a distinct incident noted only as context."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Consumer-verifiable publisher signatures on IDE marketplace extensions, plus disabling auto-update on security-critical developer hosts and verifying publisher/version before updating.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "VS Code/OpenVSX extensions carry no consumer-verifiable publisher signature; version-and-publisher review is manual and rarely performed."
+      },
+      "detection": {
+        "what_would_have_worked": "Endpoint monitoring flagging an IDE extension host process reading credential stores (Git config, ~/.npmrc, SSH keys, cloud credentials, wallet files) or fetching a second-stage payload after update.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Developer endpoints are seldom instrumented for IDE-extension behavior."
+      },
+      "response": {
+        "what_would_have_worked": "Upgrade to clean Nx Console 18.100.0; if 18.95.0 was installed on 2026-05-19, treat the host as compromised and rotate all developer credentials.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; exposure window was short but the credential blast radius per host is large."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SR-11": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Component-authenticity verification does not extend to IDE marketplace extensions, which carry no consumer-verifiable publisher signature."
+      },
+      "NIST-800-218-SSDF-PW.4": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Trusted-component reuse assumes the marketplace artifact matches reviewed source; a malicious version under the legitimate publisher identity defeats that."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Technical-vulnerability management for developer endpoints rarely inventories IDE extensions or their auto-update behavior as a managed surface."
+      }
+    },
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-113",
+        "name": "IDE-EXTENSION-MARKETPLACE-INTEGRITY",
+        "description": "Treat IDE extensions as a managed software supply-chain surface: inventory installed extensions, pin/approve versions for security-critical hosts, disable silent auto-update where feasible, and monitor extension-host processes for credential-store access and unexpected egress.",
+        "evidence": "CVE-2026-48027 — a malicious Nx Console 18.95.0 was live in two marketplaces for minutes and harvested developer credentials on install/update.",
+        "gap_closes": [
+          "NIST-800-53-SR-11",
+          "ISO-27001-2022-A.8.8"
+        ]
+      }
+    ],
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 92,
+      "basis": "Almost no organization manages developer IDE extensions as a vetted software surface; marketplace publication under a legitimate identity bypasses endpoint controls and auto-update delivers the malicious version before review.",
+      "theater_pattern": "endpoint_dev_tooling_unmanaged"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_date": "2026-05-19",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2025-0282": {
+    "name": "Ivanti Connect Secure stack-overflow preauth RCE (SPAWN ecosystem)",
+    "lesson_date": "2026-05-28",
+    "attack_vector": {
+      "description": "Unauthenticated stack-based buffer overflow in Ivanti Connect Secure reachable over the network. Exploited as a zero-day from mid-December 2024 by the suspected China-nexus cluster UNC5337/UNC5221, deploying the SPAWN malware ecosystem (SPAWNANT/SPAWNMOLE/SPAWNSNAIL), the PHASEJAM dropper, and the DRYHOOK credential stealer, before the 2025-01-08 advisory. Patch-in-place is insufficient where the appliance is already compromised.",
+      "privileges_required": "none (unauthenticated network reach to an internet-facing Connect Secure appliance)",
+      "complexity": "high to weaponize reliably (AC:H), but functioning exploitation was in-the-wild at disclosure and mass-scanning followed",
+      "ai_factor": "Not AI-discovered — vendor/Mandiant incident investigation. No AI involvement documented."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Upgrade to Connect Secure 22.7R2.5 (Policy Secure 22.7R1.2, Neurons for ZTA 22.7R2.3) under a perimeter-device compressed-SLA tier (NEW-CTRL-030), and restrict the appliance management/web surface to known operator ranges where the tenancy model permits.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation, added 2025-01-08)",
+        "adequacy": "Patch fixes the overflow but does not evict SPAWN-ecosystem persistence; on any Integrity Checker Tool indicator the device must be factory-reset and rebuilt (NEW-CTRL-032 perimeter-compromise-rebuild-not-patch), not upgraded in place."
+      },
+      "detection": {
+        "what_would_have_worked": "Ivanti Integrity Checker Tool (ICT) scans; alerting on appliance outbound connections to non-management destinations; file-integrity baselining for SPAWN artifacts.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "ICT is necessary to distinguish patch-sufficient from rebuild-required; detection alone does not remediate a confirmed preauth RCE under active exploitation."
+      },
+      "response": {
+        "what_would_have_worked": "Treat any internet-facing Connect Secure exposed before 2025-01-08 as potentially compromised; factory-reset/rebuild on ICT indicators; rotate all appliance and downstream credentials (admin, VPN-user, RADIUS, LDAP bind).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Operationally expensive but necessary; patch-in-place left SPAWN persistence on compromised devices."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "30-day patch SLA is orders of magnitude longer than the observed exploitation window (zero-day, in-wild weeks before disclosure). Reboot-required firmware breaks the maintenance-window assumption and patch-in-place is insufficient on compromised appliances."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Appropriate timescales undefined; the standard 30-day interpretation is unsafe for an unauthenticated preauth flaw on an internet-facing device/server with public exploitation."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats this class as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA."
+      },
+      "DORA-Art-9": {
+        "covered": true,
+        "adequate": false,
+        "gap": "ICT incident management presumes vendor-patch cadence; the exposure window opened inside the financial-entity SLA."
+      },
+      "UK-CAF-B4": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Silent on the reality that a patched device can still carry attacker persistence seeded before the patch; cleanup/rebuild verification is required."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 ML3 (48h) is closer to reality than NIST SI-2 but still misses the mass-scanning window for this internet-facing class."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 65,
+      "basis": "Internet-facing VPN concentrators are routinely run by audited orgs without a documented compressed-SLA patch-and-rebuild procedure; the standard 30-day SLA and patch-in-place habit were active exposure for a zero-day with nation-state and later ransomware use.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2025-22457": {
+    "name": "Ivanti Connect Secure stack-overflow preauth RCE (mis-triaged DoS weaponized to RCE)",
+    "lesson_date": "2026-05-28",
+    "attack_vector": {
+      "description": "Unauthenticated stack-based buffer overflow in Ivanti Connect Secure initially assessed as a low-risk DoS and patched in 22.7R2.6 (2025-02-11), then weaponized to RCE and exploited in the wild from mid-March 2025 by UNC5221 using the TRAILBLAZE in-memory dropper and BRUSHFIRE passive backdoor. Fleets that deprioritized the fix on the basis of its initial DoS rating were exploited after the patch shipped.",
+      "privileges_required": "none (unauthenticated network reach to an internet-facing Connect Secure appliance)",
+      "complexity": "high to weaponize (AC:H); the public RCE understanding lagged the patch, extending effective exposure",
+      "ai_factor": "Not AI-discovered — vendor/Mandiant incident investigation. No AI involvement documented."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Upgrade to Connect Secure 22.7R2.6 (Policy Secure 22.7R1.4, ZTA Gateways 22.8R2.2). Critically: prioritize internet-facing-appliance patches by exposure class (NEW-CTRL-030), not solely by the initially-published CVSS — a DoS-rated flaw on a preauth perimeter surface must be treated as latent-RCE until proven otherwise.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation, added 2025-04-04)",
+        "adequacy": "Patch is definitive once applied, but SLA models keyed on initial CVSS under-protected fleets; rebuild required on compromise indicators (NEW-CTRL-032)."
+      },
+      "detection": {
+        "what_would_have_worked": "ICT scans; alerting on TRAILBLAZE/BRUSHFIRE artifacts and anomalous appliance egress.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation of fleets that delayed the low-rated patch."
+      },
+      "response": {
+        "what_would_have_worked": "Factory-reset/rebuild on compromise indicators; rotate appliance and downstream credentials; re-baseline patch prioritization to flag preauth-perimeter DoS flaws for accelerated remediation.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Standard appliance-compromise response; the durable lesson is severity mis-triage of a perimeter preauth flaw."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "A flaw patched as low-risk DoS was weaponized to RCE; CVSS-keyed SLA prioritization left fleets unpatched against the real critical risk. The 30-day window far exceeds the weaponization-to-mass-exploitation interval, and reboot-required firmware breaks the maintenance-window assumption."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Appropriate timescales undefined; the standard 30-day interpretation is unsafe for an unauthenticated preauth flaw on an internet-facing device/server with public exploitation."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats this class as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA."
+      },
+      "DORA-Art-9": {
+        "covered": true,
+        "adequate": false,
+        "gap": "ICT incident management presumes vendor-patch cadence; the exposure window opened inside the financial-entity SLA."
+      },
+      "UK-CAF-B4": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Silent on the reality that a patched device can still carry attacker persistence seeded before the patch; cleanup/rebuild verification is required."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 ML3 (48h) is closer to reality than NIST SI-2 but still misses the mass-scanning window for this internet-facing class."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "CVSS-keyed patch SLAs are near-universal; a perimeter preauth flaw mis-rated as DoS is exactly the case where that model fails, and most audited orgs had no exposure-class override.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2025-31324": {
+    "name": "SAP NetWeaver Visual Composer Metadata Uploader unauthenticated file-upload RCE",
+    "lesson_date": "2026-05-28",
+    "attack_vector": {
+      "description": "The Visual Composer Metadata Uploader endpoint (/developmentserver/metadatauploader) lacks an authorization check, letting an unauthenticated attacker upload a JSP webshell that runs with SAP service privileges. Mass-exploited from April 2025; frequently chained with the NetWeaver deserialization flaw CVE-2025-42999, with webshell access leading to hands-on-keyboard follow-on including ransomware staging.",
+      "privileges_required": "none (unauthenticated POST to an internet-facing NetWeaver server with Visual Composer enabled)",
+      "complexity": "low — single unauthenticated request; webshell IOCs widely published",
+      "ai_factor": "Not AI-discovered — identified during incident investigation (ReliaQuest). No AI involvement documented."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply SAP Security Note 3594142 promptly under an internet-facing-application compressed SLA (NEW-CTRL-030); where patching is delayed, block /developmentserver/metadatauploader at the proxy and disable Visual Composer if unused.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation, added 2025-04-29)",
+        "adequacy": "Patch closes the upload path, but patch-in-place without webshell hunting leaves attacker-dropped JSP shells resident — cleanup is a required, separate step."
+      },
+      "detection": {
+        "what_would_have_worked": "Alerting on unauthenticated POSTs to /developmentserver/metadatauploader; file-integrity monitoring of the servlet_jsp/irj root for new JSP files (helper.jsp, cache.jsp, random names); SAP service account spawning shells.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Webshell detection is necessary to catch resident persistence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Hunt for and remove JSP webshells under the servlet root; assume service-account credential compromise and rotate; review for the chained CVE-2025-42999 deserialization activity.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary; many operators patched without removing the resident webshells."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "CVSS 10.0 unauthenticated file-upload RCE on an internet-facing ERP application server; the 30-day patch SLA far exceeds the days-scale mass-exploitation window, and webshell persistence means patch-in-place leaves the attacker resident."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Appropriate timescales undefined; the standard 30-day interpretation is unsafe for an unauthenticated preauth flaw on an internet-facing device/server with public exploitation."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats this class as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA."
+      },
+      "DORA-Art-9": {
+        "covered": true,
+        "adequate": false,
+        "gap": "ICT incident management presumes vendor-patch cadence; the exposure window opened inside the financial-entity SLA."
+      },
+      "UK-CAF-B4": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Silent on the reality that a patched device can still carry attacker persistence seeded before the patch; cleanup/rebuild verification is required."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 ML3 (48h) is closer to reality than NIST SI-2 but still misses the mass-scanning window for this internet-facing class."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 75,
+      "basis": "SAP NetWeaver estates are business-critical and change-controlled, so emergency patching of an internet-facing component routinely loses to change windows; webshell hunting after patch is rarely part of the documented procedure.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2025-31161": {
+    "name": "CrushFTP HTTP authorization-header authentication bypass (crushadmin takeover)",
+    "lesson_date": "2026-05-28",
+    "attack_vector": {
+      "description": "A crafted HTTP Authorization header bypasses authentication and assumes any known/guessable account, including crushadmin, granting administrative control of the file-transfer server (unless fronted by a DMZ proxy instance). Exploited in the wild March-April 2025. The managed-file-transfer class is a proven ransomware/data-extortion initial-access vector (MOVEit lineage).",
+      "privileges_required": "none (unauthenticated network reach to an internet-facing CrushFTP instance without a DMZ proxy)",
+      "complexity": "low — single crafted request; public exploitation details",
+      "ai_factor": "Not AI-discovered — reported by Outpost24. No AI involvement documented."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Upgrade to CrushFTP 10.8.4 / 11.3.1 under an internet-facing-service compressed SLA (NEW-CTRL-030); deploy the DMZ proxy instance as a structural mitigation that breaks the direct auth path.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation, added 2025-04-07)",
+        "adequacy": "Patch is definitive; the DMZ-proxy mode is an architecture-level control that mitigated even pre-patch. Most exposed instances ran without it."
+      },
+      "detection": {
+        "what_would_have_worked": "Alerting on unexpected crushadmin logins or newly-created admin accounts; anomalous Authorization headers preceding admin access; egress from the file server to remote-management infrastructure.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch the account takeover; the MFT class is a high-value ransomware target."
+      },
+      "response": {
+        "what_would_have_worked": "Audit for unauthorized admin sessions/accounts; rotate credentials; review transferred-file access logs for data exfiltration given the MFT data-extortion pattern.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary; the extortion risk is the stored/transited data, not just server control."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Unauthenticated admin takeover on an internet-facing managed-file-transfer server — a proven ransomware/data-extortion vector. The 30-day patch SLA is exploitation acceptance; the exposure window opened within days of public details."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Appropriate timescales undefined; the standard 30-day interpretation is unsafe for an unauthenticated preauth flaw on an internet-facing device/server with public exploitation."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats this class as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA."
+      },
+      "DORA-Art-9": {
+        "covered": true,
+        "adequate": false,
+        "gap": "ICT incident management presumes vendor-patch cadence; the exposure window opened inside the financial-entity SLA."
+      },
+      "UK-CAF-B4": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Silent on the reality that a patched device can still carry attacker persistence seeded before the patch; cleanup/rebuild verification is required."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 ML3 (48h) is closer to reality than NIST SI-2 but still misses the mass-scanning window for this internet-facing class."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 68,
+      "basis": "MFT servers are internet-facing by function and hold high-value data; audited orgs routinely run them without a compressed-SLA procedure or the structural DMZ-proxy mitigation, and the MOVEit precedent shows the class is a primary extortion target.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   }
 }