@blamejs/exceptd-skills 0.14.27 → 0.15.0

package/data/attack-techniques.json

@@ -546,6 +546,7 @@
       "CVE-2025-21085",
       "CVE-2025-2746",
       "CVE-2025-2747",
+      "CVE-2025-31161",
       "CVE-2025-32975",
       "CVE-2025-34026",
       "CVE-2025-49706",
@@ -824,6 +825,8 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2024-21762",
+      "CVE-2025-0282",
+      "CVE-2025-22457",
       "CVE-2026-0300",
       "CVE-2026-39987"
     ],
@@ -935,6 +938,7 @@
       "CVE-2024-6587",
       "CVE-2024-7694",
       "CVE-2024-8069",
+      "CVE-2025-0282",
       "CVE-2025-10035",
       "CVE-2025-1094",
       "CVE-2025-11371",
@@ -955,6 +959,7 @@
       "CVE-2025-20393",
       "CVE-2025-21042",
       "CVE-2025-21043",
+      "CVE-2025-22457",
       "CVE-2025-24016",
       "CVE-2025-24893",
       "CVE-2025-25257",
@@ -968,6 +973,8 @@
       "CVE-2025-30202",
       "CVE-2025-30397",
       "CVE-2025-31125",
+      "CVE-2025-31161",
+      "CVE-2025-31324",
       "CVE-2025-32432",
       "CVE-2025-32433",
       "CVE-2025-32444",
@@ -12011,7 +12018,10 @@
     "stix_id": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2025-31324"
+    ]
   },
   "T1505.004": {
     "id": "T1505.004",

package/data/cve-catalog.json

@@ -92,6 +92,427 @@
     },
     "last_threat_review": "2026-05-15"
   },
+  "CVE-2025-0282": {
+    "ai_assisted_weaponization": false,
+    "name": "Ivanti Connect Secure / Policy Secure / Neurons for ZTA stack-overflow preauth RCE",
+    "type": "stack-based-buffer-overflow-preauth-rce",
+    "cvss_score": 9,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS 3.1 base 9.0 (AC:H reflects the constraint on reliably winning the overflow); unauthenticated network reach (PR:N/UI:N) with scope-changed full compromise of the appliance.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-01-08",
+    "poc_available": true,
+    "poc_description": "Stack-based buffer overflow in the Ivanti Connect Secure web/IF-T component reachable by an unauthenticated remote attacker. Mandiant and Ivanti disclosed active zero-day exploitation on 2025-01-08; public technical write-ups and detection content (watchTowr, Rapid7, Mandiant) followed within days. Exploitation deploys the SPAWN malware ecosystem (SPAWNANT installer, SPAWNMOLE tunneler, SPAWNSNAIL SSH backdoor), the PHASEJAM dropper, and the DRYHOOK credential stealer.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Discovered by Ivanti/Mandiant during active-incident investigation; no AI tooling credited.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Zero-day exploited from at least mid-December 2024 by the suspected China-nexus cluster UNC5337 (assessed within UNC5221) before the 2025-01-08 advisory. CISA KEV-listed same day; later flagged for known ransomware-campaign use. Ivanti's Integrity Checker Tool (ICT) is the primary on-box detection. CISA directed agencies to apply the patch and, where compromise indicators are present, factory-reset and rebuild rather than patch-in-place.",
+    "affected": "Ivanti Connect Secure before 22.7R2.5, Ivanti Policy Secure before 22.7R1.2, and Ivanti Neurons for ZTA gateways before 22.7R2.3. Any internet-facing Connect Secure VPN appliance is in scope.",
+    "affected_versions": [
+      "Ivanti Connect Secure < 22.7R2.5",
+      "Ivanti Policy Secure < 22.7R1.2",
+      "Ivanti Neurons for ZTA gateways < 22.7R2.3"
+    ],
+    "vector": "Unauthenticated remote attacker sends crafted input that overflows a stack buffer in the Connect Secure web surface, achieving code execution on the appliance. No interim configuration workaround fully mitigates an internet-exposed appliance; Ivanti's guidance is to patch and, on indicators of compromise, factory-reset.",
+    "complexity": "high",
+    "complexity_notes": "AC:H — reliably winning the overflow requires defeating appliance mitigations, but functioning exploitation was already in-the-wild at disclosure and mass-scanning followed.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Connect Secure firmware upgrade requires an appliance reboot; no live-patching primitive. Patch alone is insufficient where ICT indicates compromise — a factory reset / rebuild is required to evict SPAWN-ecosystem persistence.",
+    "vendor_update_paths": [
+      "Ivanti Connect Secure 22.7R2.5+",
+      "Ivanti Policy Secure 22.7R1.2+",
+      "Ivanti Neurons for ZTA gateways 22.7R2.3+",
+      "On any ICT compromise indicator: factory reset and rebuild rather than patch-in-place; rotate all appliance and downstream credentials"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "30-day patch SLA is orders of magnitude longer than the observed exploitation window (zero-day, in-the-wild weeks before disclosure, mass-scanning within hours of advisory). Reboot-required firmware upgrade breaks the standard maintenance-window assumption, and patch-in-place is insufficient where the appliance is already compromised.",
+      "ISO-27001-2022-A.8.8": "'Appropriate timescales' undefined; the standard 30-day interpretation is unsafe for an unauthenticated preauth flaw on an internet-facing appliance/server with public exploitation and confirmed in-wild use.",
+      "NIS2-Art21-network-security": "EU NIS2 treats this class as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA; operators typically learn of the flaw via vendor advisory, not a regulatory channel.",
+      "DORA-Art-9": "ICT incident management presumes vendor-patch cadence; the appliance/server exposure window opened hours after disclosure, far inside the financial-entity remediation SLA.",
+      "UK-CAF-B4": "System security principle is silent on the operational reality that a patched device can still carry attacker persistence seeded before the patch; cleanup/rebuild verification is required, not just patch application.",
+      "AU-ISM-1546": "Essential 8 patch-applications ML3 (48h) is closer to reality than NIST SI-2 but still misses the mass-scanning window for this internet-facing class.",
+      "PCI-DSS-4.0-6.3.3": "30-day critical-patch window is exploitation acceptance for an unauthenticated preauth flaw on a perimeter device/server in or adjacent to the CDE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1133"
+    ],
+    "rwep_score": 85,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "RWEP 85. KEV (+25) + PoC/in-wild tradecraft (+20) + confirmed exploitation (+20) + blast_radius 30 (every internet-facing Connect Secure appliance; nation-state initial access plus later ransomware use) - patch_available (-15) + reboot_required (+5). Live-patch credit unavailable (appliance firmware). Σ factors === rwep_score.",
+    "epss_score": 0.94129,
+    "epss_date": "2026-05-28",
+    "epss_note": "FIRST EPSS 0.94129 (99.92nd percentile) as of 2026-05-28.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-0282",
+    "cwe_refs": [
+      "CWE-121",
+      "CWE-787"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Ivanti Integrity Checker Tool (ICT) reporting new or mismatched files / failed scan on a Connect Secure appliance.",
+        "SPAWN-ecosystem artifacts (SPAWNANT, SPAWNMOLE, SPAWNSNAIL) or PHASEJAM/DRYHOOK on the appliance.",
+        "Connect Secure appliance running a version below 22.7R2.5 and reachable from the internet."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-0282, CISA KEV, and the Mandiant / Ivanti / watchTowr public analyses."
+    },
+    "source_verified": "2026-05-28",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-0282",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day",
+      "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-Gateways-CVE-2025-0282-CVE-2025-0283"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Ivanti",
+        "advisory_id": "CVE-2025-0282",
+        "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-Gateways-CVE-2025-0282-CVE-2025-0283",
+        "severity": "critical",
+        "published_date": "2025-01-08"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-0282",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0282",
+        "severity": "critical",
+        "published_date": "2025-01-08"
+      }
+    ],
+    "last_updated": "2026-05-28",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-0282 (CWE-121/CWE-787, CVSS 9.0) + CISA KEV (added 2025-01-08, ransomware-flagged) + Mandiant/Ivanti analyses. The January 2025 Connect Secure zero-day; complements the existing Ivanti EPMM/EPM entries (this is the Connect Secure VPN product) and the perimeter-appliance class exemplified by CVE-2024-21762.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ivanti Connect Secure stack-overflow preauth RCE (CWE-121), zero-day exploited by a China-nexus cluster with the SPAWN malware ecosystem; patch to 22.7R2.5 and rebuild on any ICT compromise indicator."
+  },
+  "CVE-2025-22457": {
+    "ai_assisted_weaponization": false,
+    "name": "Ivanti Connect Secure / Policy Secure / ZTA Gateways stack-overflow preauth RCE (weaponized follow-on)",
+    "type": "stack-based-buffer-overflow-preauth-rce",
+    "cvss_score": 9,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS 3.1 base 9.0. Initially assessed by Ivanti as a low-risk DoS and patched in 22.7R2.6 (2025-02-11); subsequently re-assessed as remotely exploitable for code execution after in-the-wild RCE exploitation was observed.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-04-04",
+    "poc_available": true,
+    "poc_description": "Stack-based buffer overflow in Connect Secure reachable unauthenticated. Mandiant/Ivanti reported active exploitation beginning mid-March 2025 by UNC5221, using the TRAILBLAZE in-memory dropper and the BRUSHFIRE passive backdoor alongside the SPAWN ecosystem. The bug was patched in 22.7R2.6 before it was understood to be RCE-capable, so unpatched fleets were exploited after the fix shipped.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Vendor/Mandiant incident-driven; no AI tooling credited.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Confirmed in-the-wild RCE exploitation from mid-March 2025 by UNC5221; CISA KEV-listed 2025-04-04, later ransomware-flagged. Demonstrates the 'mis-triaged severity' failure mode — a flaw patched as low-risk DoS was weaponized to RCE, so SLA prioritization keyed on the initial CVSS under-protected fleets.",
+    "affected": "Ivanti Connect Secure before 22.7R2.6, Ivanti Policy Secure before 22.7R1.4, and Ivanti ZTA Gateways before 22.8R2.2.",
+    "affected_versions": [
+      "Ivanti Connect Secure < 22.7R2.6",
+      "Ivanti Policy Secure < 22.7R1.4",
+      "Ivanti ZTA Gateways < 22.8R2.2"
+    ],
+    "vector": "Unauthenticated remote stack overflow in the Connect Secure web surface achieving code execution on the appliance. Patch-in-place insufficient on compromised devices; factory reset required where indicators are present.",
+    "complexity": "high",
+    "complexity_notes": "AC:H, but functioning exploitation was in-the-wild and the patch predated public RCE understanding, extending the effective exposure window.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Appliance firmware upgrade requires reboot; no live patch. Rebuild required on compromise indicators.",
+    "vendor_update_paths": [
+      "Ivanti Connect Secure 22.7R2.6+",
+      "Ivanti Policy Secure 22.7R1.4+",
+      "Ivanti ZTA Gateways 22.8R2.2+",
+      "On any compromise indicator: factory reset and rebuild; rotate appliance and downstream credentials"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "A flaw patched as low-risk DoS was later weaponized to RCE — SLA prioritization keyed on initial CVSS left fleets unpatched against the real (critical) risk. The 30-day window is far longer than the observed weaponization-to-mass-exploitation interval, and reboot-required firmware breaks the maintenance-window assumption.",
+      "ISO-27001-2022-A.8.8": "'Appropriate timescales' undefined; the standard 30-day interpretation is unsafe for an unauthenticated preauth flaw on an internet-facing appliance/server with public exploitation and confirmed in-wild use.",
+      "NIS2-Art21-network-security": "EU NIS2 treats this class as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA; operators typically learn of the flaw via vendor advisory, not a regulatory channel.",
+      "DORA-Art-9": "ICT incident management presumes vendor-patch cadence; the appliance/server exposure window opened hours after disclosure, far inside the financial-entity remediation SLA.",
+      "UK-CAF-B4": "System security principle is silent on the operational reality that a patched device can still carry attacker persistence seeded before the patch; cleanup/rebuild verification is required, not just patch application.",
+      "AU-ISM-1546": "Essential 8 patch-applications ML3 (48h) is closer to reality than NIST SI-2 but still misses the mass-scanning window for this internet-facing class.",
+      "PCI-DSS-4.0-6.3.3": "30-day critical-patch window is exploitation acceptance for an unauthenticated preauth flaw on a perimeter device/server in or adjacent to the CDE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1133"
+    ],
+    "rwep_score": 83,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_notes": "RWEP 83. KEV (+25) + in-wild tradecraft (+20) + confirmed exploitation (+20) + blast_radius 28 (internet-facing Connect Secure fleet; weaponized follow-on to CVE-2025-0282) - patch_available (-15) + reboot_required (+5). Σ factors === rwep_score.",
+    "epss_score": 0.58941,
+    "epss_date": "2026-05-28",
+    "epss_note": "FIRST EPSS 0.58941 (98.25th percentile) as of 2026-05-28.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-22457",
+    "cwe_refs": [
+      "CWE-121",
+      "CWE-787"
+    ],
+    "iocs": {
+      "behavioral": [
+        "TRAILBLAZE / BRUSHFIRE or SPAWN-ecosystem artifacts on a Connect Secure appliance.",
+        "ICT scan failure or file-integrity mismatch on Connect Secure.",
+        "Connect Secure below 22.7R2.6 reachable from the internet (patched-but-still-vulnerable if the version predates the fix)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-22457, CISA KEV, and the Mandiant/Ivanti analyses."
+    },
+    "source_verified": "2026-05-28",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-22457",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability",
+      "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Ivanti",
+        "advisory_id": "CVE-2025-22457",
+        "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457",
+        "severity": "critical",
+        "published_date": "2025-04-03"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-22457",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22457",
+        "severity": "critical",
+        "published_date": "2025-04-03"
+      }
+    ],
+    "last_updated": "2026-05-28",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-22457 (CWE-121/CWE-787, CVSS 9.0) + CISA KEV (added 2025-04-04, ransomware-flagged) + Mandiant/Ivanti analyses. Weaponized follow-on to the Connect Secure CVE-2025-0282 zero-day; same perimeter-appliance patch-SLA class.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ivanti Connect Secure stack-overflow preauth RCE (CWE-121) initially mis-triaged as DoS then weaponized; patch to 22.7R2.6 and rebuild on compromise indicators."
+  },
+  "CVE-2025-31324": {
+    "ai_assisted_weaponization": false,
+    "name": "SAP NetWeaver Visual Composer Metadata Uploader unauthenticated file-upload RCE",
+    "type": "unrestricted-file-upload-preauth-rce",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-04-29",
+    "poc_available": true,
+    "poc_description": "The Visual Composer Metadata Uploader endpoint (/developmentserver/metadatauploader) lacks an authorization check, letting an unauthenticated attacker upload an executable (JSP webshell) that runs with SAP service privileges. Mass exploitation observed from April 2025; ReliaQuest first reported in-wild use, with JSP webshells (helper.jsp, cache.jsp, randomly-named) dropped under the servlet path and later follow-on by ransomware affiliates.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Identified during active-incident investigation (ReliaQuest) and confirmed by SAP; no AI tooling credited.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Confirmed mass in-the-wild exploitation from April 2025; CISA KEV-listed 2025-04-29 and ransomware-flagged. Frequently chained with the SAP NetWeaver deserialization flaw CVE-2025-42999. Webshell access enabled hands-on-keyboard follow-on including ransomware staging.",
+    "affected": "SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50) — the Metadata Uploader component is not gated by an authorization check. Internet-facing NetWeaver application servers with Visual Composer enabled are in scope.",
+    "affected_versions": [
+      "SAP NetWeaver Visual Composer VCFRAMEWORK 7.50 (Metadata Uploader unauthenticated)"
+    ],
+    "vector": "Unauthenticated POST to /developmentserver/metadatauploader uploads an executable binary / JSP webshell that the application server then serves and executes, yielding RCE as the SAP service account.",
+    "complexity": "low",
+    "complexity_notes": "Single unauthenticated request; public exploitation tooling and webshell IOCs widely documented.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "Apply SAP Security Note 3594142 (and the related hardening notes)",
+      "Where patching is delayed, restrict/disable the Visual Composer Metadata Uploader endpoint and block /developmentserver/metadatauploader at the proxy",
+      "Hunt for and remove JSP webshells under the servlet_jsp / irj root; assume credential compromise and rotate"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "CVSS 10.0 unauthenticated file-upload RCE on an internet-facing ERP application server; the 30-day patch SLA is far longer than the observed mass-exploitation window (days from disclosure). Webshell persistence means patch-in-place without webshell hunting leaves the attacker resident.",
+      "ISO-27001-2022-A.8.8": "'Appropriate timescales' undefined; the standard 30-day interpretation is unsafe for an unauthenticated preauth flaw on an internet-facing appliance/server with public exploitation and confirmed in-wild use.",
+      "NIS2-Art21-network-security": "EU NIS2 treats this class as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA; operators typically learn of the flaw via vendor advisory, not a regulatory channel.",
+      "DORA-Art-9": "ICT incident management presumes vendor-patch cadence; the appliance/server exposure window opened hours after disclosure, far inside the financial-entity remediation SLA.",
+      "UK-CAF-B4": "System security principle is silent on the operational reality that a patched device can still carry attacker persistence seeded before the patch; cleanup/rebuild verification is required, not just patch application.",
+      "AU-ISM-1546": "Essential 8 patch-applications ML3 (48h) is closer to reality than NIST SI-2 but still misses the mass-scanning window for this internet-facing class.",
+      "PCI-DSS-4.0-6.3.3": "30-day critical-patch window is exploitation acceptance for an unauthenticated preauth flaw on a perimeter device/server in or adjacent to the CDE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1505.003"
+    ],
+    "rwep_score": 78,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "RWEP 78. KEV (+25) + PoC/webshell IOCs (+20) + confirmed mass exploitation (+20) + blast_radius 28 (internet-facing SAP NetWeaver ERP install base; webshell-to-ransomware chain) - patch_available (-15). No reboot. Σ factors === rwep_score.",
+    "epss_score": 0.3151,
+    "epss_date": "2026-05-28",
+    "epss_note": "FIRST EPSS 0.31510 (96.87th percentile) as of 2026-05-28.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-31324",
+    "cwe_refs": [
+      "CWE-434"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated POST requests to /developmentserver/metadatauploader on a NetWeaver server.",
+        "JSP files (helper.jsp, cache.jsp, or randomly-named) appearing under the irj/servlet_jsp servlet root.",
+        "SAP service account spawning shell / executing uploaded binaries."
+      ],
+      "indicators": [
+        "Webshell paths under j2ee/cluster/.../servlet_jsp/irj/root/ — common ReShell/Behinder/Godzilla artifacts."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-31324, CISA KEV, SAP Security Note 3594142, and the ReliaQuest analysis."
+    },
+    "source_verified": "2026-05-28",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-31324",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html",
+      "https://www.reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "SAP",
+        "advisory_id": "SAP Security Note 3594142",
+        "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html",
+        "severity": "critical",
+        "published_date": "2025-04-24"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-31324",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31324",
+        "severity": "critical",
+        "published_date": "2025-04-24"
+      }
+    ],
+    "last_updated": "2026-05-28",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-31324 (CWE-434, CVSS 10.0) + CISA KEV (added 2025-04-29, ransomware-flagged) + SAP Security Note 3594142 + ReliaQuest analysis. Complements the existing SAP NetWeaver deserialization entry CVE-2025-42999 with which it was frequently chained in 2025.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SAP NetWeaver Visual Composer Metadata Uploader missing-authorization file upload (CWE-434) → unauthenticated RCE via JSP webshell; apply SAP Note 3594142 and hunt for webshells."
+  },
+  "CVE-2025-31161": {
+    "ai_assisted_weaponization": false,
+    "name": "CrushFTP HTTP authorization-header authentication bypass (crushadmin takeover)",
+    "type": "authentication-bypass-account-takeover",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS 3.1 base 9.8. Subject of a disclosure-coordination dispute that produced a duplicate identifier (CVE-2025-2825); CVE-2025-31161 is the CNA-recognized id.",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-04-07",
+    "poc_available": true,
+    "poc_description": "An authentication-bypass in the HTTP authorization-header handling lets an unauthenticated attacker authenticate as any known/guessable account, including crushadmin, taking over the instance (unless a DMZ proxy instance fronts it). Exploited in the wild in March-April 2025; technical details and detection content published by Outpost24, VulnCheck, and Rapid7.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Reported to CrushFTP by Outpost24; no AI tooling credited.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Confirmed in-the-wild exploitation March-April 2025; CISA KEV-listed 2025-04-07 with known ransomware-campaign use. crushadmin takeover yields full file-server control and downstream data access; observed follow-on tooling includes remote-management agents.",
+    "affected": "CrushFTP 10 before 10.8.4 and CrushFTP 11 before 11.3.1 (instances not fronted by a DMZ proxy instance).",
+    "affected_versions": [
+      "CrushFTP 10 < 10.8.4",
+      "CrushFTP 11 < 11.3.1"
+    ],
+    "vector": "Crafted HTTP Authorization header exploits a flaw in the authentication path to bypass authentication and assume the crushadmin (or other known) account, granting administrative control of the file-transfer server.",
+    "complexity": "low",
+    "complexity_notes": "Single crafted request; public exploitation details. The DMZ-proxy deployment mode mitigates, narrowing but not eliminating the exposed population.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "Upgrade to CrushFTP 10.8.4+ or 11.3.1+",
+      "Where patching is delayed, deploy the DMZ proxy instance as an interim mitigation",
+      "Audit for unauthorized crushadmin sessions/created accounts and rotate credentials"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Unauthenticated admin takeover on an internet-facing managed-file-transfer server — the MFT class is a proven ransomware/data-extortion initial-access vector (MOVEit lineage). The 30-day patch SLA is exploitation acceptance; the exposure window opened within days of disclosure with public details.",
+      "ISO-27001-2022-A.8.8": "'Appropriate timescales' undefined; the standard 30-day interpretation is unsafe for an unauthenticated preauth flaw on an internet-facing appliance/server with public exploitation and confirmed in-wild use.",
+      "NIS2-Art21-network-security": "EU NIS2 treats this class as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA; operators typically learn of the flaw via vendor advisory, not a regulatory channel.",
+      "DORA-Art-9": "ICT incident management presumes vendor-patch cadence; the appliance/server exposure window opened hours after disclosure, far inside the financial-entity remediation SLA.",
+      "UK-CAF-B4": "System security principle is silent on the operational reality that a patched device can still carry attacker persistence seeded before the patch; cleanup/rebuild verification is required, not just patch application.",
+      "AU-ISM-1546": "Essential 8 patch-applications ML3 (48h) is closer to reality than NIST SI-2 but still misses the mass-scanning window for this internet-facing class.",
+      "PCI-DSS-4.0-6.3.3": "30-day critical-patch window is exploitation acceptance for an unauthenticated preauth flaw on a perimeter device/server in or adjacent to the CDE."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1078"
+    ],
+    "rwep_score": 76,
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "RWEP 76. KEV (+25) + public exploitation details (+20) + confirmed exploitation, ransomware-flagged (+20) + blast_radius 26 (internet-facing MFT servers; admin takeover, data-extortion class) - patch_available (-15). No reboot. Σ factors === rwep_score.",
+    "epss_score": 0.88937,
+    "epss_date": "2026-05-28",
+    "epss_note": "FIRST EPSS 0.88937 (99.54th percentile) as of 2026-05-28.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-31161",
+    "cwe_refs": [
+      "CWE-305"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unexpected crushadmin (or other privileged) logins, or newly-created admin accounts, on a CrushFTP instance.",
+        "HTTP requests with anomalous Authorization headers preceding admin access.",
+        "CrushFTP 10 < 10.8.4 or 11 < 11.3.1 reachable from the internet without a DMZ proxy instance."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-31161, CISA KEV, and the Outpost24 / VulnCheck / Rapid7 analyses."
+    },
+    "source_verified": "2026-05-28",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-31161",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://outpost24.com/blog/crushftp-cve-2025-31161-auth-bypass/",
+      "https://www.rapid7.com/blog/post/2025/04/07/etr-active-exploitation-of-crushftp-cve-2025-31161/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-31161",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31161",
+        "severity": "critical",
+        "published_date": "2025-04-03"
+      },
+      {
+        "vendor": "CISA KEV",
+        "advisory_id": "CVE-2025-31161",
+        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+        "severity": "critical",
+        "published_date": "2025-04-07"
+      }
+    ],
+    "last_updated": "2026-05-28",
+    "discovery_attribution_note": "Manually curated from NVD CVE-2025-31161 (CWE-305, CVSS 9.8) + CISA KEV (added 2025-04-07, ransomware-flagged) + Outpost24/VulnCheck/Rapid7 analyses. Distinct from the existing CrushFTP entry CVE-2025-54309 (alternate-channel); CVE-2025-31161 is the March-April 2025 authorization-header auth bypass (duplicate id CVE-2025-2825 noted).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "CrushFTP HTTP authorization-header authentication bypass (CWE-305) → crushadmin takeover; upgrade to 10.8.4/11.3.1 or front with a DMZ proxy."
+  },
   "CVE-2025-30066": {
     "name": "tj-actions/changed-files GitHub Action Supply-Chain Compromise (secret exfiltration to workflow logs)",
     "type": "supply-chain-compromise",

package/data/cwe-catalog.json

@@ -1283,6 +1283,7 @@
       "CVE-2024-7399",
       "CVE-2024-7694",
       "CVE-2025-2749",
+      "CVE-2025-31324",
       "CVE-2025-52691",
       "CVE-2026-21877"
     ],
@@ -1657,10 +1658,12 @@
       "CVE-2024-21762",
       "CVE-2024-37079",
       "CVE-2024-42479",
+      "CVE-2025-0282",
       "CVE-2025-14174",
       "CVE-2025-14733",
       "CVE-2025-21042",
       "CVE-2025-21043",
+      "CVE-2025-22457",
       "CVE-2025-5419",
       "CVE-2025-6965",
       "CVE-2025-9242",
@@ -2376,7 +2379,9 @@
     ],
     "related_weaknesses": [],
     "evidence_cves": [
+      "CVE-2025-0282",
       "CVE-2025-20352",
+      "CVE-2025-22457",
       "CVE-2025-53521"
     ],
     "last_verified": "2026-05-18",
@@ -4436,5 +4441,31 @@
     "playbooks_referencing": [
       "identity-sso-compromise"
     ]
+  },
+  "CWE-305": {
+    "id": "CWE-305",
+    "name": "Authentication Bypass by Primary Weakness",
+    "abstraction": "Base",
+    "category": "Authentication",
+    "description": "The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.",
+    "top_25_rank_2024": null,
+    "top_25_rank_2025": null,
+    "view_memberships": [
+      "CWE-1000"
+    ],
+    "related_attack_patterns_capec": [
+      "CAPEC-115"
+    ],
+    "skills_referencing": [],
+    "evidence_cves": [
+      "CVE-2025-31161"
+    ],
+    "framework_controls_partially_addressing": [
+      "NIST-800-53-IA-2",
+      "ISO-27001-2022-A.5.17"
+    ],
+    "real_requirement": "Authentication paths must be evaluated against bypass via separate primary weaknesses (e.g. header-parsing flaws, race conditions in the auth handler); fuzz and audit the auth mechanism as an integrated whole, not the algorithm in isolation.",
+    "lag_notes": "Authentication-bypass CVEs frequently stem from a primary weakness in request parsing or state handling rather than the auth algorithm itself; controls that audit only the credential-checking logic miss this class.",
+    "last_verified": "2026-05-28"
   }
 }