@blamejs/exceptd-skills 0.15.10 → 0.15.11

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.11 — 2026-05-29
+
+Draft-curation pass 9 — Apple client-side zero-days. Nine CISA KEV-listed Apple memory-corruption CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. They map T1203 (Exploitation for Client Execution) — and T1068 for the sandbox-escape steps that act as privilege links in a multi-stage chain — rather than the network-service T1190: improper locking (CVE-2025-43510), buffer overflows (CVE-2025-43520, CVE-2025-31277, CVE-2026-20700), use-after-frees (CVE-2023-43000, CVE-2023-41974), an integer overflow (CVE-2021-30952), and two code-execution flaws (CVE-2022-48503, CVE-2025-43200). The lessons frame these as targeted-spyware-chain components and stress same-day OS update vs. MDM change windows, with Lockdown Mode for high-risk users.
+
 ## 0.15.10 — 2026-05-29
 
 Draft-curation pass 8 — Microsoft server-side RCE. Six CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Exchange Server deserialization (CVE-2023-21529), Configuration Manager SQL injection (CVE-2024-43468), Windows Server Update Services deserialization (CVE-2025-59287), and the SharePoint Server "ToolShell" chain — improper authentication (CVE-2025-49706), code injection (CVE-2025-49704), and deserialization (CVE-2025-53770). The lessons stress that for these deserialization RCEs patching alone is insufficient: stolen machine keys and dropped web shells survive the patch and require explicit key rotation and web-shell hunting.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T19:28:44.044Z",
+  "generated_at": "2026-05-29T19:51:04.683Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "1bd5c8e6489d1a1b7ef67889b6fa5afbfb3d0780d0a5bf2699b1a5ca22164ec9",
+    "manifest.json": "690cb7c701080f97144ae7df49c0fb2b2b017f6699859f6cfe1a2d07c2a1d32c",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "96e21dd277fe24598e8ae74b40009785757a71ed4fc98e456504cd04f441bc90",
-    "data/cve-catalog.json": "365fd70e7f02daff7ca5b2b4eeeeb4579621937b167ad2fc07914d1c36a36bc9",
+    "data/attack-techniques.json": "874c1693aa263ff5161cc96bd28efa6056c0e018847e2b55f575502b47a45fc5",
+    "data/cve-catalog.json": "6787e2aea49819872301629954f5a5d3ce9c27d984ffd45835eb097cab95e98c",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "eecfcd270e8c6063511122374cfc2d5b56bdf5be769ad8e2a1556949ec682f0b",
+    "data/zeroday-lessons.json": "775bcd4734117ccfc4d191f0a3ae337b43da6611a612c1e0074c3bb8e285bbbc",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -476,7 +476,10 @@
     "cve_refs": [
       "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
       "CVE-2020-17103-REREGRESSION-2026",
+      "CVE-2021-30952",
       "CVE-2021-43226",
+      "CVE-2023-41974",
+      "CVE-2023-43000",
       "CVE-2024-0769",
       "CVE-2024-8068",
       "CVE-2025-10725",
@@ -484,6 +487,7 @@
       "CVE-2025-22225",
       "CVE-2025-24201",
       "CVE-2025-24990",
+      "CVE-2025-31277",
       "CVE-2025-32701",
       "CVE-2025-38352",
       "CVE-2025-40602",
@@ -918,7 +922,6 @@
       "CVE-2022-36551",
       "CVE-2022-37055",
       "CVE-2022-40799",
-      "CVE-2022-48503",
       "CVE-2023-0386",
       "CVE-2023-21529",
       "CVE-2023-2533",
@@ -1015,9 +1018,6 @@
       "CVE-2025-40551",
       "CVE-2025-41244",
       "CVE-2025-42999",
-      "CVE-2025-43200",
-      "CVE-2025-43510",
-      "CVE-2025-43520",
       "CVE-2025-4427",
       "CVE-2025-4428",
       "CVE-2025-47812",
@@ -1094,7 +1094,6 @@
       "CVE-2026-20131",
       "CVE-2026-20133",
       "CVE-2026-20182",
-      "CVE-2026-20700",
       "CVE-2026-20963",
       "CVE-2026-21509",
       "CVE-2026-21510",
@@ -1299,6 +1298,7 @@
       "CVE-2020-9715",
       "CVE-2021-22555",
       "CVE-2021-30952",
+      "CVE-2022-48503",
       "CVE-2023-41974",
       "CVE-2023-43000",
       "CVE-2025-10585",
@@ -1309,9 +1309,13 @@
       "CVE-2025-27038",
       "CVE-2025-31277",
       "CVE-2025-32709",
+      "CVE-2025-43200",
       "CVE-2025-43300",
+      "CVE-2025-43510",
+      "CVE-2025-43520",
       "CVE-2025-43529",
       "CVE-2025-4919",
+      "CVE-2026-20700",
       "CVE-2026-21385",
       "CVE-2026-2441",
       "CVE-2026-25592",

package/data/cve-catalog.json

@@ -20766,7 +20766,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -20787,7 +20787,7 @@
     "cwe_refs": [
       "CWE-667"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.apple.com/en-us/125632",
@@ -20823,11 +20823,21 @@
         "published_date": "2026-03-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-20; due date 2026-04-03. Notes reference: https://support.apple.com/en-us/125632 ; https://support.apple.com/en-us/125633 ; https://support.apple.com/en-us/125634 ; https://support.apple.com/en-us/125635 ; https://support.apple.com/en-us/1256",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes.",
+    "iocs": {
+      "behavioral": [
+        "Apple (multiple products) below the patched OS build named in the Apple advisory on a device exposed to attacker-controlled content.",
+        "Process crashes or memory-corruption signatures consistent with an improper-locking flaw (CWE-667) exploitable in a memory-corruption chain on an affected device.",
+        "Indicators of a targeted-spyware / multi-stage exploit chain on a high-risk-user device following inbound content (KEV-confirmed in-the-wild exploitation; Lockdown Mode is relevant)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-43510, CISA KEV (added 2026-03-20), and the Apple security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-43520": {
     "name": "Apple Multiple Products Classic Buffer Overflow Vulnerability",
@@ -20869,7 +20879,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -20890,7 +20900,7 @@
     "cwe_refs": [
       "CWE-120"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.apple.com/en-us/125632",
@@ -20926,11 +20936,21 @@
         "published_date": "2026-03-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-20; due date 2026-04-03. Notes reference: https://support.apple.com/en-us/125632 ; https://support.apple.com/en-us/125633 ; https://support.apple.com/en-us/125634 ; https://support.apple.com/en-us/125635 ; https://support.apple.com/en-us/1256",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel memory."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel memory.",
+    "iocs": {
+      "behavioral": [
+        "Apple (multiple products) below the patched OS build named in the Apple advisory on a device exposed to attacker-controlled content.",
+        "Process crashes or memory-corruption signatures consistent with a classic buffer overflow (CWE-120) on an affected device.",
+        "Indicators of a targeted-spyware / multi-stage exploit chain on a high-risk-user device following inbound content (KEV-confirmed in-the-wild exploitation; Lockdown Mode is relevant)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-43520, CISA KEV (added 2026-03-20), and the Apple security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-31277": {
     "name": "Apple Multiple Products Buffer Overflow Vulnerability",
@@ -20971,7 +20991,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1203",
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -20992,7 +21013,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.apple.com/en-us/124147",
@@ -21025,11 +21046,21 @@
         "published_date": "2026-03-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-20; due date 2026-04-03. Notes reference: https://support.apple.com/en-us/124147 ; https://support.apple.com/en-us/124149 ; https://support.apple.com/en-us/124152 ; https://support.apple.com/en-us/124153 ; https://support.apple.com/en-us/1241",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corruption."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corruption.",
+    "iocs": {
+      "behavioral": [
+        "Apple (multiple products) below the patched OS build named in the Apple advisory on a device exposed to attacker-controlled content.",
+        "Process crashes or memory-corruption signatures consistent with a buffer overflow (CWE-119) on an affected device.",
+        "Indicators of a targeted-spyware / multi-stage exploit chain on a high-risk-user device following inbound content (KEV-confirmed in-the-wild exploitation; Lockdown Mode is relevant)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-31277, CISA KEV (added 2026-03-20), and the Apple security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution + T1068 escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20131": {
     "name": "Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability",
@@ -22274,7 +22305,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1203",
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22295,7 +22327,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.apple.com/en-us/120324",
@@ -22326,11 +22358,21 @@
         "published_date": "2026-03-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://support.apple.com/en-us/120324 ; https://support.apple.com/en-us/120331 ; https://support.apple.com/en-us/120338 ; https://nvd.nist.gov/vuln/detail/CVE-2023-43000",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple macOS, iOS, iPadOS, and Safari 16.6 contain a use-after-free vulnerability due to the processing of maliciously crafted web content that may lead to memory corruption."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Apple macOS, iOS, iPadOS, and Safari 16.6 contain a use-after-free vulnerability due to the processing of maliciously crafted web content that may lead to memory corruption.",
+    "iocs": {
+      "behavioral": [
+        "Apple (multiple products) below the patched OS build named in the Apple advisory on a device exposed to attacker-controlled content.",
+        "Process crashes or memory-corruption signatures consistent with a use-after-free (CWE-416) on an affected device.",
+        "Indicators of a targeted-spyware / multi-stage exploit chain on a high-risk-user device following inbound content (KEV-confirmed in-the-wild exploitation; Lockdown Mode is relevant)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-43000, CISA KEV (added 2026-03-05), and the Apple security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution + T1068 escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-30952": {
     "name": "Apple Multiple Products Integer Overflow or Wraparound Vulnerability",
@@ -22371,7 +22413,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1203",
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22392,7 +22435,7 @@
     "cwe_refs": [
       "CWE-190"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.apple.com/en-us/HT212975",
@@ -22425,11 +22468,21 @@
         "published_date": "2026-03-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://support.apple.com/en-us/HT212975 ; https://support.apple.com/en-us/HT212976 ; https://support.apple.com/en-us/HT212978 ; https://support.apple.com/en-us/HT212980 ; https://support.apple.com/en",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web content that may lead to arbitrary code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web content that may lead to arbitrary code execution.",
+    "iocs": {
+      "behavioral": [
+        "Apple (multiple products) below the patched OS build named in the Apple advisory on a device exposed to attacker-controlled content.",
+        "Process crashes or memory-corruption signatures consistent with an integer overflow / wraparound (CWE-190) on an affected device.",
+        "Indicators of a targeted-spyware / multi-stage exploit chain on a high-risk-user device following inbound content (KEV-confirmed in-the-wild exploitation; Lockdown Mode is relevant)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-30952, CISA KEV (added 2026-03-05), and the Apple security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution + T1068 escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-41974": {
     "name": "Apple iOS and iPadOS Use-After-Free Vulnerability",
@@ -22470,7 +22523,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1203",
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22491,7 +22545,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.apple.com/en-us/HT213938",
@@ -22521,11 +22575,21 @@
         "published_date": "2026-03-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://support.apple.com/en-us/HT213938 ; https://support.apple.com/kb/HT213938 ; https://nvd.nist.gov/vuln/detail/CVE-2023-41974",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.",
+    "iocs": {
+      "behavioral": [
+        "Apple iOS and iPadOS below the patched OS build named in the Apple advisory on a device exposed to attacker-controlled content.",
+        "Process crashes or memory-corruption signatures consistent with a use-after-free (CWE-416) on iOS/iPadOS on an affected device.",
+        "Indicators of a targeted-spyware / multi-stage exploit chain on a high-risk-user device following inbound content (KEV-confirmed in-the-wild exploitation; Lockdown Mode is relevant)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-41974, CISA KEV (added 2026-03-05), and the Apple security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution + T1068 escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-22719": {
     "name": "Broadcom VMware Aria Operations Command Injection Vulnerability",
@@ -23985,7 +24049,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24006,7 +24070,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.apple.com/en-us/126346",
@@ -24039,11 +24103,21 @@
         "published_date": "2026-02-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-12; due date 2026-03-05. Notes reference: https://support.apple.com/en-us/126346 ; https://support.apple.com/en-us/126348 ; https://support.apple.com/en-us/126351 ; https://support.apple.com/en-us/126352 ; https://support.apple.com/en-us/1263",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple iOS, macOS, tvOS, watchOS, and visionOS contain an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow an attacker with memory write the capability to execute arbitrary code."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Apple iOS, macOS, tvOS, watchOS, and visionOS contain an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow an attacker with memory write the capability to execute arbitrary code.",
+    "iocs": {
+      "behavioral": [
+        "Apple (multiple products) below the patched OS build named in the Apple advisory on a device exposed to attacker-controlled content.",
+        "Process crashes or memory-corruption signatures consistent with a buffer overflow (CWE-119) on an affected device.",
+        "Indicators of a targeted-spyware / multi-stage exploit chain on a high-risk-user device following inbound content (KEV-confirmed in-the-wild exploitation; Lockdown Mode is relevant)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20700, CISA KEV (added 2026-02-12), and the Apple security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-43468": {
     "name": "Microsoft Configuration Manager SQL Injection Vulnerability",
@@ -30665,7 +30739,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30686,7 +30760,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.apple.com/en-us/HT213340",
@@ -30719,11 +30793,21 @@
         "published_date": "2025-10-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://support.apple.com/en-us/HT213340 ; https://support.apple.com/en-us/HT213341 ; https://support.apple.com/en-us/HT213342 ; https://support.apple.com/en-us/HT213345 ; https://support.apple.com/en",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple macOS, iOS, tvOS, Safari, and watchOS contain an unspecified vulnerability in JavaScriptCore that when processing web content may lead to arbitrary code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Apple macOS, iOS, tvOS, Safari, and watchOS contain an unspecified vulnerability in JavaScriptCore that when processing web content may lead to arbitrary code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "Apple (multiple products) below the patched OS build named in the Apple advisory on a device exposed to attacker-controlled content.",
+        "Process crashes or memory-corruption signatures consistent with a code-execution flaw (CWE-94) on an affected device.",
+        "Indicators of a targeted-spyware / multi-stage exploit chain on a high-risk-user device following inbound content (KEV-confirmed in-the-wild exploitation; Lockdown Mode is relevant)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2022-48503, CISA KEV (added 2025-10-20), and the Apple security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-2746": {
     "name": "Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability",
@@ -38322,7 +38406,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -38343,7 +38427,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.apple.com/en-us/122174",
@@ -38378,11 +38462,21 @@
         "published_date": "2025-06-16"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-16; due date 2025-07-07. Notes reference: https://support.apple.com/en-us/122174 ; https://support.apple.com/en-us/122173 ; https://support.apple.com/en-us/122900 ; https://support.apple.com/en-us/122901 ; https://support.apple.com/en-us/1229",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apple iOS, iPadOS, macOS, watchOS, and visionOS, contain an unspecified vulnerability when processing a maliciously crafted photo or video shared via an iCloud Link."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Apple iOS, iPadOS, macOS, watchOS, and visionOS, contain an unspecified vulnerability when processing a maliciously crafted photo or video shared via an iCloud Link.",
+    "iocs": {
+      "behavioral": [
+        "Apple (multiple products) below the patched OS build named in the Apple advisory on a device exposed to attacker-controlled content.",
+        "Process crashes or memory-corruption signatures consistent with a code-execution flaw (CWE-94, variant) on an affected device.",
+        "Indicators of a targeted-spyware / multi-stage exploit chain on a high-risk-user device following inbound content (KEV-confirmed in-the-wild exploitation; Lockdown Mode is relevant)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-43200, CISA KEV (added 2025-06-16), and the Apple security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-33053": {
     "name": " Microsoft Windows External Control of File Name or Path Vulnerability",