@blamejs/exceptd-skills 0.15.10 → 0.15.12

@@ -7243,35 +7243,63 @@
7243
7243
  },
7244
7244
  "CVE-2025-48700": {
7245
7245
  "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability",
7246
- "lesson_date": "2026-05-18",
7246
+ "lesson_date": "2026-05-29",
7247
7247
  "attack_vector": {
7248
- "description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.",
7249
- "privileges_required": "network attacker (no authentication required)",
7250
- "complexity": "moderate (bulk-import default)",
7251
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
7248
+ "description": "a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session for session/credential theft and mailbox access. CISA KEV-listed 2026-04-20 with confirmed in-the-wild exploitation.",
7249
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; XSS variants execute in a targeted user's session)",
7250
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
7251
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
7252
+ },
7253
+ "defense_chain": {
7254
+ "prevention": {
7255
+ "what_would_have_worked": "Apply the Zimbra ZCS security update from the advisory; restrict the ZCS web/admin surface and, for the SSRF/RFI variants, hunt for web shells and internal-recon activity.",
7256
+ "was_this_required": true,
7257
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
7258
+ "adequacy": "Patch is definitive; ZCS is repeatedly targeted, so the SLA gap and the lack of web-shell-hunt cleanup are the recurring failures."
7259
+ },
7260
+ "detection": {
7261
+ "what_would_have_worked": "Monitoring on ZCS: XSS payloads in mail/requests, server-side outbound requests to internal endpoints (SSRF), inclusion/execution of remote PHP (RFI), and web shells under the ZCS web root.",
7262
+ "was_this_required": false,
7263
+ "framework_requiring_it": null,
7264
+ "adequacy": "Necessary to catch exploitation and resident persistence on a recurring mass-exploited target."
7265
+ },
7266
+ "response": {
7267
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate ZCS credentials and session secrets, and review mailbox access for exfiltration.",
7268
+ "was_this_required": true,
7269
+ "framework_requiring_it": "NIST 800-53 IR-4",
7270
+ "adequacy": "Mandatory; ZCS compromise typically targets mailbox data and persistence, which a bare patch does not remove."
7271
+ }
7252
7272
  },
7253
7273
  "framework_coverage": {
7254
7274
  "NIST-800-53-SI-2": {
7255
7275
  "covered": true,
7256
7276
  "adequate": false,
7257
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
7277
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed flaw on an internet-facing mail server; ZCS is a recurring mass-exploited target."
7258
7278
  },
7259
7279
  "ISO-27001-2022-A.8.8": {
7260
7280
  "covered": true,
7261
7281
  "adequate": false,
7262
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7282
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited flaw on an internet-facing collaboration/mail server."
7283
+ },
7284
+ "NIS2-Art21-network-security": {
7285
+ "covered": true,
7286
+ "adequate": false,
7287
+ "gap": "Treats mail/collaboration servers as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA."
7288
+ },
7289
+ "PCI-DSS-4.0-6.3.3": {
7290
+ "covered": true,
7291
+ "adequate": false,
7292
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing mail server in or adjacent to the CDE."
7263
7293
  }
7264
7294
  },
7265
7295
  "compliance_exposure_score": {
7266
- "percent_audit_passing_orgs_still_exposed": 55,
7267
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
7296
+ "percent_audit_passing_orgs_still_exposed": 72,
7297
+ "basis": "Internet-facing Zimbra is run by audited organizations on a standard patch SLA and is repeatedly mass-exploited within days of disclosure; web-shell hunting is rarely part of the patch procedure.",
7268
7298
  "theater_pattern": "patch_management"
7269
7299
  },
7270
7300
  "ai_discovered_zeroday": false,
7271
- "ai_discovery_source": "unknown",
7272
- "ai_assist_factor": "none",
7273
- "_auto_imported": true,
7274
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
7301
+ "ai_discovery_source": "vendor_research",
7302
+ "ai_assist_factor": "none"
7275
7303
  },
7276
7304
  "CVE-2026-20128": {
7277
7305
  "name": "Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability",
@@ -10801,99 +10829,168 @@
10801
10829
  },
10802
10830
  "CVE-2025-43510": {
10803
10831
  "name": "Apple Multiple Products Improper Locking Vulnerability",
10804
- "lesson_date": "2026-05-18",
10832
+ "lesson_date": "2026-05-29",
10805
10833
  "attack_vector": {
10806
- "description": "Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes.",
10807
- "privileges_required": "network attacker (no authentication required)",
10808
- "complexity": "moderate (bulk-import default)",
10809
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
10834
+ "description": "an improper-locking flaw (CWE-667) exploitable in a memory-corruption chain. CISA KEV-listed 2026-03-20 with confirmed in-the-wild exploitation (Apple zero-days of this class are typically used in targeted-spyware chains).",
10835
+ "privileges_required": "none (the victim device renders/opens attacker-controlled content; the chain often requires no user interaction)",
10836
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
10837
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
10838
+ },
10839
+ "defense_chain": {
10840
+ "prevention": {
10841
+ "what_would_have_worked": "Update to the patched iOS/iPadOS/macOS build (Apple's advisory documents in-the-wild exploitation); enable Lockdown Mode for high-risk users and enforce update SLAs via MDM on managed fleets.",
10842
+ "was_this_required": true,
10843
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
10844
+ "adequacy": "OS auto-update is definitive and fast for consumer devices; the gap is managed fleets that gate updates behind an MDM change window slower than the in-the-wild exploitation."
10845
+ },
10846
+ "detection": {
10847
+ "what_would_have_worked": "Endpoint/mobile-threat-defense monitoring for crash signatures on content render and for spyware-chain indicators; Apple Threat Notifications for targeted users.",
10848
+ "was_this_required": false,
10849
+ "framework_requiring_it": null,
10850
+ "adequacy": "Backstops devices not yet updated; targeted client chains are stealthy and often zero-click."
10851
+ },
10852
+ "response": {
10853
+ "what_would_have_worked": "Force the OS update across the fleet; for a confirmed targeted user, preserve forensic state, rotate credentials, and consider device replacement, as spyware chains can persist across reboots.",
10854
+ "was_this_required": true,
10855
+ "framework_requiring_it": "NIST 800-53 IR-4",
10856
+ "adequacy": "Mandatory for a KEV-listed client OS RCE; the exposure is every device that rendered attacker content pre-patch."
10857
+ }
10810
10858
  },
10811
10859
  "framework_coverage": {
10812
10860
  "NIST-800-53-SI-2": {
10813
10861
  "covered": true,
10814
10862
  "adequate": false,
10815
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
10863
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client memory-corruption flaw delivered by attacker-controlled content."
10816
10864
  },
10817
10865
  "ISO-27001-2022-A.8.8": {
10818
10866
  "covered": true,
10819
10867
  "adequate": false,
10820
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10868
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile/desktop OS flaw, often part of a targeted-spyware chain against high-risk users."
10869
+ },
10870
+ "AU-ISM-1546": {
10871
+ "covered": true,
10872
+ "adequate": false,
10873
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client OS RCE than a 30-day cycle, but still trails same-day OS auto-update for an in-the-wild exploit; MDM-enforced update SLAs are the load-bearing control on managed mobile fleets."
10821
10874
  }
10822
10875
  },
10823
10876
  "compliance_exposure_score": {
10824
- "percent_audit_passing_orgs_still_exposed": 55,
10825
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
10877
+ "percent_audit_passing_orgs_still_exposed": 68,
10878
+ "basis": "Apple (multiple products) is ubiquitous on endpoints; audited organizations that gate OS updates behind a managed MDM change window (rather than same-day auto-update) were exposed for this KEV-listed, actively-exploited flaw.",
10826
10879
  "theater_pattern": "patch_management"
10827
10880
  },
10828
10881
  "ai_discovered_zeroday": false,
10829
- "ai_discovery_source": "unknown",
10830
- "ai_assist_factor": "none",
10831
- "_auto_imported": true,
10832
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
10882
+ "ai_discovery_source": "vendor_research",
10883
+ "ai_assist_factor": "none"
10833
10884
  },
10834
10885
  "CVE-2025-43520": {
10835
10886
  "name": "Apple Multiple Products Classic Buffer Overflow Vulnerability",
10836
- "lesson_date": "2026-05-18",
10887
+ "lesson_date": "2026-05-29",
10837
10888
  "attack_vector": {
10838
- "description": "Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel memory.",
10839
- "privileges_required": "network attacker (no authentication required)",
10840
- "complexity": "moderate (bulk-import default)",
10841
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
10889
+ "description": "a classic buffer overflow (CWE-120) reachable via attacker-controlled content. CISA KEV-listed 2026-03-20 with confirmed in-the-wild exploitation (Apple zero-days of this class are typically used in targeted-spyware chains).",
10890
+ "privileges_required": "none (the victim device renders/opens attacker-controlled content; the chain often requires no user interaction)",
10891
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
10892
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
10893
+ },
10894
+ "defense_chain": {
10895
+ "prevention": {
10896
+ "what_would_have_worked": "Update to the patched iOS/iPadOS/macOS build (Apple's advisory documents in-the-wild exploitation); enable Lockdown Mode for high-risk users and enforce update SLAs via MDM on managed fleets.",
10897
+ "was_this_required": true,
10898
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
10899
+ "adequacy": "OS auto-update is definitive and fast for consumer devices; the gap is managed fleets that gate updates behind an MDM change window slower than the in-the-wild exploitation."
10900
+ },
10901
+ "detection": {
10902
+ "what_would_have_worked": "Endpoint/mobile-threat-defense monitoring for crash signatures on content render and for spyware-chain indicators; Apple Threat Notifications for targeted users.",
10903
+ "was_this_required": false,
10904
+ "framework_requiring_it": null,
10905
+ "adequacy": "Backstops devices not yet updated; targeted client chains are stealthy and often zero-click."
10906
+ },
10907
+ "response": {
10908
+ "what_would_have_worked": "Force the OS update across the fleet; for a confirmed targeted user, preserve forensic state, rotate credentials, and consider device replacement, as spyware chains can persist across reboots.",
10909
+ "was_this_required": true,
10910
+ "framework_requiring_it": "NIST 800-53 IR-4",
10911
+ "adequacy": "Mandatory for a KEV-listed client OS RCE; the exposure is every device that rendered attacker content pre-patch."
10912
+ }
10842
10913
  },
10843
10914
  "framework_coverage": {
10844
10915
  "NIST-800-53-SI-2": {
10845
10916
  "covered": true,
10846
10917
  "adequate": false,
10847
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
10918
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client memory-corruption flaw delivered by attacker-controlled content."
10848
10919
  },
10849
10920
  "ISO-27001-2022-A.8.8": {
10850
10921
  "covered": true,
10851
10922
  "adequate": false,
10852
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10923
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile/desktop OS flaw, often part of a targeted-spyware chain against high-risk users."
10924
+ },
10925
+ "AU-ISM-1546": {
10926
+ "covered": true,
10927
+ "adequate": false,
10928
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client OS RCE than a 30-day cycle, but still trails same-day OS auto-update for an in-the-wild exploit; MDM-enforced update SLAs are the load-bearing control on managed mobile fleets."
10853
10929
  }
10854
10930
  },
10855
10931
  "compliance_exposure_score": {
10856
- "percent_audit_passing_orgs_still_exposed": 55,
10857
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
10932
+ "percent_audit_passing_orgs_still_exposed": 68,
10933
+ "basis": "Apple (multiple products) is ubiquitous on endpoints; audited organizations that gate OS updates behind a managed MDM change window (rather than same-day auto-update) were exposed for this KEV-listed, actively-exploited flaw.",
10858
10934
  "theater_pattern": "patch_management"
10859
10935
  },
10860
10936
  "ai_discovered_zeroday": false,
10861
- "ai_discovery_source": "unknown",
10862
- "ai_assist_factor": "none",
10863
- "_auto_imported": true,
10864
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
10937
+ "ai_discovery_source": "vendor_research",
10938
+ "ai_assist_factor": "none"
10865
10939
  },
10866
10940
  "CVE-2025-31277": {
10867
10941
  "name": "Apple Multiple Products Buffer Overflow Vulnerability",
10868
- "lesson_date": "2026-05-18",
10942
+ "lesson_date": "2026-05-29",
10869
10943
  "attack_vector": {
10870
- "description": "Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corruption.",
10871
- "privileges_required": "network attacker (no authentication required)",
10872
- "complexity": "moderate (bulk-import default)",
10873
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
10944
+ "description": "a buffer overflow (CWE-119) used as a sandbox-escape / privilege step in an exploit chain. CISA KEV-listed 2026-03-20 with confirmed in-the-wild exploitation (Apple zero-days of this class are typically used in targeted-spyware chains).",
10945
+ "privileges_required": "low (a prior foothold / sandbox compromise; this is an escalation or sandbox-escape step in a multi-stage exploit chain)",
10946
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
10947
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
10948
+ },
10949
+ "defense_chain": {
10950
+ "prevention": {
10951
+ "what_would_have_worked": "Update to the patched iOS/iPadOS/macOS build (Apple's advisory documents in-the-wild exploitation); enable Lockdown Mode for high-risk users and enforce update SLAs via MDM on managed fleets.",
10952
+ "was_this_required": true,
10953
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
10954
+ "adequacy": "OS auto-update is definitive and fast for consumer devices; the gap is managed fleets that gate updates behind an MDM change window slower than the in-the-wild exploitation."
10955
+ },
10956
+ "detection": {
10957
+ "what_would_have_worked": "Endpoint/mobile-threat-defense monitoring for crash signatures on content render and for spyware-chain indicators; Apple Threat Notifications for targeted users.",
10958
+ "was_this_required": false,
10959
+ "framework_requiring_it": null,
10960
+ "adequacy": "Backstops devices not yet updated; targeted client chains are stealthy and often zero-click."
10961
+ },
10962
+ "response": {
10963
+ "what_would_have_worked": "Force the OS update across the fleet; for a confirmed targeted user, preserve forensic state, rotate credentials, and consider device replacement, as spyware chains can persist across reboots.",
10964
+ "was_this_required": true,
10965
+ "framework_requiring_it": "NIST 800-53 IR-4",
10966
+ "adequacy": "Mandatory for a KEV-listed client OS RCE; the exposure is every device that rendered attacker content pre-patch."
10967
+ }
10874
10968
  },
10875
10969
  "framework_coverage": {
10876
10970
  "NIST-800-53-SI-2": {
10877
10971
  "covered": true,
10878
10972
  "adequate": false,
10879
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
10973
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client memory-corruption flaw delivered by attacker-controlled content."
10880
10974
  },
10881
10975
  "ISO-27001-2022-A.8.8": {
10882
10976
  "covered": true,
10883
10977
  "adequate": false,
10884
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10978
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile/desktop OS flaw, often part of a targeted-spyware chain against high-risk users."
10979
+ },
10980
+ "AU-ISM-1546": {
10981
+ "covered": true,
10982
+ "adequate": false,
10983
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client OS RCE than a 30-day cycle, but still trails same-day OS auto-update for an in-the-wild exploit; MDM-enforced update SLAs are the load-bearing control on managed mobile fleets."
10885
10984
  }
10886
10985
  },
10887
10986
  "compliance_exposure_score": {
10888
- "percent_audit_passing_orgs_still_exposed": 55,
10889
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
10987
+ "percent_audit_passing_orgs_still_exposed": 68,
10988
+ "basis": "Apple (multiple products) is ubiquitous on endpoints; audited organizations that gate OS updates behind a managed MDM change window (rather than same-day auto-update) were exposed for this KEV-listed, actively-exploited flaw.",
10890
10989
  "theater_pattern": "patch_management"
10891
10990
  },
10892
10991
  "ai_discovered_zeroday": false,
10893
- "ai_discovery_source": "unknown",
10894
- "ai_assist_factor": "none",
10895
- "_auto_imported": true,
10896
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
10992
+ "ai_discovery_source": "vendor_research",
10993
+ "ai_assist_factor": "none"
10897
10994
  },
10898
10995
  "CVE-2026-20131": {
10899
10996
  "name": "Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability",
@@ -10957,35 +11054,63 @@
10957
11054
  },
10958
11055
  "CVE-2025-66376": {
10959
11056
  "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability",
10960
- "lesson_date": "2026-05-18",
11057
+ "lesson_date": "2026-05-29",
10961
11058
  "attack_vector": {
10962
- "description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML.",
10963
- "privileges_required": "network attacker (no authentication required)",
10964
- "complexity": "moderate (bulk-import default)",
10965
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
11059
+ "description": "a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session. CISA KEV-listed 2026-03-18 with confirmed in-the-wild exploitation.",
11060
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; XSS variants execute in a targeted user's session)",
11061
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
11062
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
11063
+ },
11064
+ "defense_chain": {
11065
+ "prevention": {
11066
+ "what_would_have_worked": "Apply the Zimbra ZCS security update from the advisory; restrict the ZCS web/admin surface and, for the SSRF/RFI variants, hunt for web shells and internal-recon activity.",
11067
+ "was_this_required": true,
11068
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
11069
+ "adequacy": "Patch is definitive; ZCS is repeatedly targeted, so the SLA gap and the lack of web-shell-hunt cleanup are the recurring failures."
11070
+ },
11071
+ "detection": {
11072
+ "what_would_have_worked": "Monitoring on ZCS: XSS payloads in mail/requests, server-side outbound requests to internal endpoints (SSRF), inclusion/execution of remote PHP (RFI), and web shells under the ZCS web root.",
11073
+ "was_this_required": false,
11074
+ "framework_requiring_it": null,
11075
+ "adequacy": "Necessary to catch exploitation and resident persistence on a recurring mass-exploited target."
11076
+ },
11077
+ "response": {
11078
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate ZCS credentials and session secrets, and review mailbox access for exfiltration.",
11079
+ "was_this_required": true,
11080
+ "framework_requiring_it": "NIST 800-53 IR-4",
11081
+ "adequacy": "Mandatory; ZCS compromise typically targets mailbox data and persistence, which a bare patch does not remove."
11082
+ }
10966
11083
  },
10967
11084
  "framework_coverage": {
10968
11085
  "NIST-800-53-SI-2": {
10969
11086
  "covered": true,
10970
11087
  "adequate": false,
10971
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
11088
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed flaw on an internet-facing mail server; ZCS is a recurring mass-exploited target."
10972
11089
  },
10973
11090
  "ISO-27001-2022-A.8.8": {
10974
11091
  "covered": true,
10975
11092
  "adequate": false,
10976
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11093
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited flaw on an internet-facing collaboration/mail server."
11094
+ },
11095
+ "NIS2-Art21-network-security": {
11096
+ "covered": true,
11097
+ "adequate": false,
11098
+ "gap": "Treats mail/collaboration servers as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA."
11099
+ },
11100
+ "PCI-DSS-4.0-6.3.3": {
11101
+ "covered": true,
11102
+ "adequate": false,
11103
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing mail server in or adjacent to the CDE."
10977
11104
  }
10978
11105
  },
10979
11106
  "compliance_exposure_score": {
10980
- "percent_audit_passing_orgs_still_exposed": 55,
10981
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
11107
+ "percent_audit_passing_orgs_still_exposed": 72,
11108
+ "basis": "Internet-facing Zimbra is run by audited organizations on a standard patch SLA and is repeatedly mass-exploited within days of disclosure; web-shell hunting is rarely part of the patch procedure.",
10982
11109
  "theater_pattern": "patch_management"
10983
11110
  },
10984
11111
  "ai_discovered_zeroday": false,
10985
- "ai_discovery_source": "unknown",
10986
- "ai_assist_factor": "none",
10987
- "_auto_imported": true,
10988
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
11112
+ "ai_discovery_source": "vendor_research",
11113
+ "ai_assist_factor": "none"
10989
11114
  },
10990
11115
  "CVE-2026-20963": {
10991
11116
  "name": "Microsoft SharePoint Deserialization of Untrusted Data Vulnerability",
@@ -11411,99 +11536,168 @@
11411
11536
  },
11412
11537
  "CVE-2023-43000": {
11413
11538
  "name": "Apple Multiple products Use-After-Free Vulnerability",
11414
- "lesson_date": "2026-05-18",
11539
+ "lesson_date": "2026-05-29",
11415
11540
  "attack_vector": {
11416
- "description": "Apple macOS, iOS, iPadOS, and Safari 16.6 contain a use-after-free vulnerability due to the processing of maliciously crafted web content that may lead to memory corruption.",
11417
- "privileges_required": "network attacker (no authentication required)",
11418
- "complexity": "moderate (bulk-import default)",
11419
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
11541
+ "description": "a use-after-free (CWE-416) used as a sandbox-escape step in an exploit chain. CISA KEV-listed 2026-03-05 with confirmed in-the-wild exploitation (Apple zero-days of this class are typically used in targeted-spyware chains).",
11542
+ "privileges_required": "low (a prior foothold / sandbox compromise; this is an escalation or sandbox-escape step in a multi-stage exploit chain)",
11543
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
11544
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
11545
+ },
11546
+ "defense_chain": {
11547
+ "prevention": {
11548
+ "what_would_have_worked": "Update to the patched iOS/iPadOS/macOS build (Apple's advisory documents in-the-wild exploitation); enable Lockdown Mode for high-risk users and enforce update SLAs via MDM on managed fleets.",
11549
+ "was_this_required": true,
11550
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
11551
+ "adequacy": "OS auto-update is definitive and fast for consumer devices; the gap is managed fleets that gate updates behind an MDM change window slower than the in-the-wild exploitation."
11552
+ },
11553
+ "detection": {
11554
+ "what_would_have_worked": "Endpoint/mobile-threat-defense monitoring for crash signatures on content render and for spyware-chain indicators; Apple Threat Notifications for targeted users.",
11555
+ "was_this_required": false,
11556
+ "framework_requiring_it": null,
11557
+ "adequacy": "Backstops devices not yet updated; targeted client chains are stealthy and often zero-click."
11558
+ },
11559
+ "response": {
11560
+ "what_would_have_worked": "Force the OS update across the fleet; for a confirmed targeted user, preserve forensic state, rotate credentials, and consider device replacement, as spyware chains can persist across reboots.",
11561
+ "was_this_required": true,
11562
+ "framework_requiring_it": "NIST 800-53 IR-4",
11563
+ "adequacy": "Mandatory for a KEV-listed client OS RCE; the exposure is every device that rendered attacker content pre-patch."
11564
+ }
11420
11565
  },
11421
11566
  "framework_coverage": {
11422
11567
  "NIST-800-53-SI-2": {
11423
11568
  "covered": true,
11424
11569
  "adequate": false,
11425
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
11570
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client memory-corruption flaw delivered by attacker-controlled content."
11426
11571
  },
11427
11572
  "ISO-27001-2022-A.8.8": {
11428
11573
  "covered": true,
11429
11574
  "adequate": false,
11430
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11575
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile/desktop OS flaw, often part of a targeted-spyware chain against high-risk users."
11576
+ },
11577
+ "AU-ISM-1546": {
11578
+ "covered": true,
11579
+ "adequate": false,
11580
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client OS RCE than a 30-day cycle, but still trails same-day OS auto-update for an in-the-wild exploit; MDM-enforced update SLAs are the load-bearing control on managed mobile fleets."
11431
11581
  }
11432
11582
  },
11433
11583
  "compliance_exposure_score": {
11434
- "percent_audit_passing_orgs_still_exposed": 55,
11435
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
11584
+ "percent_audit_passing_orgs_still_exposed": 68,
11585
+ "basis": "Apple (multiple products) is ubiquitous on endpoints; audited organizations that gate OS updates behind a managed MDM change window (rather than same-day auto-update) were exposed for this KEV-listed, actively-exploited flaw.",
11436
11586
  "theater_pattern": "patch_management"
11437
11587
  },
11438
11588
  "ai_discovered_zeroday": false,
11439
- "ai_discovery_source": "unknown",
11440
- "ai_assist_factor": "none",
11441
- "_auto_imported": true,
11442
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
11589
+ "ai_discovery_source": "vendor_research",
11590
+ "ai_assist_factor": "none"
11443
11591
  },
11444
11592
  "CVE-2021-30952": {
11445
11593
  "name": "Apple Multiple Products Integer Overflow or Wraparound Vulnerability",
11446
- "lesson_date": "2026-05-18",
11594
+ "lesson_date": "2026-05-29",
11447
11595
  "attack_vector": {
11448
- "description": "Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web content that may lead to arbitrary code execution.",
11449
- "privileges_required": "network attacker (no authentication required)",
11450
- "complexity": "moderate (bulk-import default)",
11451
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
11596
+ "description": "an integer overflow / wraparound (CWE-190) used as a memory-corruption step in an exploit chain. CISA KEV-listed 2026-03-05 with confirmed in-the-wild exploitation (Apple zero-days of this class are typically used in targeted-spyware chains).",
11597
+ "privileges_required": "low (a prior foothold / sandbox compromise; this is an escalation or sandbox-escape step in a multi-stage exploit chain)",
11598
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
11599
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
11600
+ },
11601
+ "defense_chain": {
11602
+ "prevention": {
11603
+ "what_would_have_worked": "Update to the patched iOS/iPadOS/macOS build (Apple's advisory documents in-the-wild exploitation); enable Lockdown Mode for high-risk users and enforce update SLAs via MDM on managed fleets.",
11604
+ "was_this_required": true,
11605
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
11606
+ "adequacy": "OS auto-update is definitive and fast for consumer devices; the gap is managed fleets that gate updates behind an MDM change window slower than the in-the-wild exploitation."
11607
+ },
11608
+ "detection": {
11609
+ "what_would_have_worked": "Endpoint/mobile-threat-defense monitoring for crash signatures on content render and for spyware-chain indicators; Apple Threat Notifications for targeted users.",
11610
+ "was_this_required": false,
11611
+ "framework_requiring_it": null,
11612
+ "adequacy": "Backstops devices not yet updated; targeted client chains are stealthy and often zero-click."
11613
+ },
11614
+ "response": {
11615
+ "what_would_have_worked": "Force the OS update across the fleet; for a confirmed targeted user, preserve forensic state, rotate credentials, and consider device replacement, as spyware chains can persist across reboots.",
11616
+ "was_this_required": true,
11617
+ "framework_requiring_it": "NIST 800-53 IR-4",
11618
+ "adequacy": "Mandatory for a KEV-listed client OS RCE; the exposure is every device that rendered attacker content pre-patch."
11619
+ }
11452
11620
  },
11453
11621
  "framework_coverage": {
11454
11622
  "NIST-800-53-SI-2": {
11455
11623
  "covered": true,
11456
11624
  "adequate": false,
11457
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
11625
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client memory-corruption flaw delivered by attacker-controlled content."
11458
11626
  },
11459
11627
  "ISO-27001-2022-A.8.8": {
11460
11628
  "covered": true,
11461
11629
  "adequate": false,
11462
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11630
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile/desktop OS flaw, often part of a targeted-spyware chain against high-risk users."
11631
+ },
11632
+ "AU-ISM-1546": {
11633
+ "covered": true,
11634
+ "adequate": false,
11635
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client OS RCE than a 30-day cycle, but still trails same-day OS auto-update for an in-the-wild exploit; MDM-enforced update SLAs are the load-bearing control on managed mobile fleets."
11463
11636
  }
11464
11637
  },
11465
11638
  "compliance_exposure_score": {
11466
- "percent_audit_passing_orgs_still_exposed": 55,
11467
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
11639
+ "percent_audit_passing_orgs_still_exposed": 68,
11640
+ "basis": "Apple (multiple products) is ubiquitous on endpoints; audited organizations that gate OS updates behind a managed MDM change window (rather than same-day auto-update) were exposed for this KEV-listed, actively-exploited flaw.",
11468
11641
  "theater_pattern": "patch_management"
11469
11642
  },
11470
11643
  "ai_discovered_zeroday": false,
11471
- "ai_discovery_source": "unknown",
11472
- "ai_assist_factor": "none",
11473
- "_auto_imported": true,
11474
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
11644
+ "ai_discovery_source": "vendor_research",
11645
+ "ai_assist_factor": "none"
11475
11646
  },
11476
11647
  "CVE-2023-41974": {
11477
11648
  "name": "Apple iOS and iPadOS Use-After-Free Vulnerability",
11478
- "lesson_date": "2026-05-18",
11649
+ "lesson_date": "2026-05-29",
11479
11650
  "attack_vector": {
11480
- "description": "Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.",
11481
- "privileges_required": "network attacker (no authentication required)",
11482
- "complexity": "moderate (bulk-import default)",
11483
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
11651
+ "description": "a use-after-free (CWE-416) on iOS/iPadOS used as a sandbox-escape step in an exploit chain. CISA KEV-listed 2026-03-05 with confirmed in-the-wild exploitation (Apple zero-days of this class are typically used in targeted-spyware chains).",
11652
+ "privileges_required": "low (a prior foothold / sandbox compromise; this is an escalation or sandbox-escape step in a multi-stage exploit chain)",
11653
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
11654
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
11655
+ },
11656
+ "defense_chain": {
11657
+ "prevention": {
11658
+ "what_would_have_worked": "Update to the patched iOS/iPadOS/macOS build (Apple's advisory documents in-the-wild exploitation); enable Lockdown Mode for high-risk users and enforce update SLAs via MDM on managed fleets.",
11659
+ "was_this_required": true,
11660
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
11661
+ "adequacy": "OS auto-update is definitive and fast for consumer devices; the gap is managed fleets that gate updates behind an MDM change window slower than the in-the-wild exploitation."
11662
+ },
11663
+ "detection": {
11664
+ "what_would_have_worked": "Endpoint/mobile-threat-defense monitoring for crash signatures on content render and for spyware-chain indicators; Apple Threat Notifications for targeted users.",
11665
+ "was_this_required": false,
11666
+ "framework_requiring_it": null,
11667
+ "adequacy": "Backstops devices not yet updated; targeted client chains are stealthy and often zero-click."
11668
+ },
11669
+ "response": {
11670
+ "what_would_have_worked": "Force the OS update across the fleet; for a confirmed targeted user, preserve forensic state, rotate credentials, and consider device replacement, as spyware chains can persist across reboots.",
11671
+ "was_this_required": true,
11672
+ "framework_requiring_it": "NIST 800-53 IR-4",
11673
+ "adequacy": "Mandatory for a KEV-listed client OS RCE; the exposure is every device that rendered attacker content pre-patch."
11674
+ }
11484
11675
  },
11485
11676
  "framework_coverage": {
11486
11677
  "NIST-800-53-SI-2": {
11487
11678
  "covered": true,
11488
11679
  "adequate": false,
11489
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
11680
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client memory-corruption flaw delivered by attacker-controlled content."
11490
11681
  },
11491
11682
  "ISO-27001-2022-A.8.8": {
11492
11683
  "covered": true,
11493
11684
  "adequate": false,
11494
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11685
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile/desktop OS flaw, often part of a targeted-spyware chain against high-risk users."
11686
+ },
11687
+ "AU-ISM-1546": {
11688
+ "covered": true,
11689
+ "adequate": false,
11690
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client OS RCE than a 30-day cycle, but still trails same-day OS auto-update for an in-the-wild exploit; MDM-enforced update SLAs are the load-bearing control on managed mobile fleets."
11495
11691
  }
11496
11692
  },
11497
11693
  "compliance_exposure_score": {
11498
- "percent_audit_passing_orgs_still_exposed": 55,
11499
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
11694
+ "percent_audit_passing_orgs_still_exposed": 68,
11695
+ "basis": "Apple iOS and iPadOS is ubiquitous on endpoints; audited organizations that gate OS updates behind a managed MDM change window (rather than same-day auto-update) were exposed for this KEV-listed, actively-exploited flaw.",
11500
11696
  "theater_pattern": "patch_management"
11501
11697
  },
11502
11698
  "ai_discovered_zeroday": false,
11503
- "ai_discovery_source": "unknown",
11504
- "ai_assist_factor": "none",
11505
- "_auto_imported": true,
11506
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
11699
+ "ai_discovery_source": "vendor_research",
11700
+ "ai_assist_factor": "none"
11507
11701
  },
11508
11702
  "CVE-2026-22719": {
11509
11703
  "name": "Broadcom VMware Aria Operations Command Injection Vulnerability",
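Review bot: The new `privileges_required` lines for CVE-2023-43000 and CVE-2021-30952 claim `low (a prior foothold / sandbox compromise; …)` and their descriptions call the flaws sandbox-escape steps, but the KEV text these lines replace attributes both to processing of maliciously crafted web content, and the entries' own NIST-800-53-SI-2 gap text says the flaw is "delivered by attacker-controlled content". Elsewhere in this diff that situation uses `"privileges_required": "none (the victim device renders/opens attacker-controlled content; the chain often requires no user interaction)"`, which is the fitting template here; CVE-2023-41974 (an app gaining kernel privileges) is the one entry in this hunk where the foothold wording matches the stated precondition. Dropping `_auto_imported` and `_intake_method` while setting every `ai_discovery_source` to `vendor_research` also discards the only record that these rows were bulk-imported; if the vendor-research attribution is not confirmed per CVE, keep a provenance marker or hedge the value. The enclosing top-level object continues outside the hunk.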
@@ -11935,35 +12129,63 @@
11935
12129
  },
11936
12130
  "CVE-2020-7796": {
11937
12131
  "name": "Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability",
11938
- "lesson_date": "2026-05-18",
12132
+ "lesson_date": "2026-05-29",
11939
12133
  "attack_vector": {
11940
- "description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled.",
11941
- "privileges_required": "network attacker (no authentication required)",
11942
- "complexity": "moderate (bulk-import default)",
11943
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
12134
+ "description": "a server-side request forgery flaw (CWE-918) on ZCS, letting an unauthenticated attacker coerce the server into making requests to internal resources. CISA KEV-listed 2026-02-17 with confirmed in-the-wild exploitation.",
12135
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; XSS variants execute in a targeted user's session)",
12136
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
12137
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
12138
+ },
12139
+ "defense_chain": {
12140
+ "prevention": {
12141
+ "what_would_have_worked": "Apply the Zimbra ZCS security update from the advisory; restrict the ZCS web/admin surface and, for the SSRF/RFI variants, hunt for web shells and internal-recon activity.",
12142
+ "was_this_required": true,
12143
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
12144
+ "adequacy": "Patch is definitive; ZCS is repeatedly targeted, so the SLA gap and the lack of web-shell-hunt cleanup are the recurring failures."
12145
+ },
12146
+ "detection": {
12147
+ "what_would_have_worked": "Monitoring on ZCS: XSS payloads in mail/requests, server-side outbound requests to internal endpoints (SSRF), inclusion/execution of remote PHP (RFI), and web shells under the ZCS web root.",
12148
+ "was_this_required": false,
12149
+ "framework_requiring_it": null,
12150
+ "adequacy": "Necessary to catch exploitation and resident persistence on a recurring mass-exploited target."
12151
+ },
12152
+ "response": {
12153
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate ZCS credentials and session secrets, and review mailbox access for exfiltration.",
12154
+ "was_this_required": true,
12155
+ "framework_requiring_it": "NIST 800-53 IR-4",
12156
+ "adequacy": "Mandatory; ZCS compromise typically targets mailbox data and persistence, which a bare patch does not remove."
12157
+ }
11944
12158
  },
11945
12159
  "framework_coverage": {
11946
12160
  "NIST-800-53-SI-2": {
11947
12161
  "covered": true,
11948
12162
  "adequate": false,
11949
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
12163
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed flaw on an internet-facing mail server; ZCS is a recurring mass-exploited target."
11950
12164
  },
11951
12165
  "ISO-27001-2022-A.8.8": {
11952
12166
  "covered": true,
11953
12167
  "adequate": false,
11954
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12168
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited flaw on an internet-facing collaboration/mail server."
12169
+ },
12170
+ "NIS2-Art21-network-security": {
12171
+ "covered": true,
12172
+ "adequate": false,
12173
+ "gap": "Treats mail/collaboration servers as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA."
12174
+ },
12175
+ "PCI-DSS-4.0-6.3.3": {
12176
+ "covered": true,
12177
+ "adequate": false,
12178
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing mail server in or adjacent to the CDE."
11955
12179
  }
11956
12180
  },
11957
12181
  "compliance_exposure_score": {
11958
- "percent_audit_passing_orgs_still_exposed": 55,
11959
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
12182
+ "percent_audit_passing_orgs_still_exposed": 72,
12183
+ "basis": "Internet-facing Zimbra is run by audited organizations on a standard patch SLA and is repeatedly mass-exploited within days of disclosure; web-shell hunting is rarely part of the patch procedure.",
11960
12184
  "theater_pattern": "patch_management"
11961
12185
  },
11962
12186
  "ai_discovered_zeroday": false,
11963
- "ai_discovery_source": "unknown",
11964
- "ai_assist_factor": "none",
11965
- "_auto_imported": true,
11966
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
12187
+ "ai_discovery_source": "vendor_research",
12188
+ "ai_assist_factor": "none"
11967
12189
  },
11968
12190
  "CVE-2024-7694": {
11969
12191
  "name": "TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability",
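Review bot: The new `privileges_required` line for CVE-2020-7796 carries an XSS clause (`XSS variants execute in a targeted user's session`) copied from the Zimbra XSS template into an SSRF entry, and the same stray clause appears in the CVE-2025-68645 (RFI) hunk further down. More importantly, the rewritten description drops the precondition the replaced KEV text stated — the flaw applies only if the WebEx zimlet is installed and zimlet JSP is enabled — which is exactly the fact a defender needs to decide whether a given ZCS instance is exposed. Suggested line: `"privileges_required": "none (reachable by an unauthenticated attacker when the WebEx zimlet is installed and zimlet JSP is enabled)"`, with a matching qualifier in `description`. The shared `detection.what_would_have_worked` text covering XSS/SSRF/RFI works as a template but reads as if all three apply to this one CVE.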
@@ -12123,35 +12345,58 @@
12123
12345
  },
12124
12346
  "CVE-2026-20700": {
12125
12347
  "name": "Apple Multiple Buffer Overflow Vulnerability",
12126
- "lesson_date": "2026-05-18",
12348
+ "lesson_date": "2026-05-29",
12127
12349
  "attack_vector": {
12128
- "description": "Apple iOS, macOS, tvOS, watchOS, and visionOS contain an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow an attacker with memory write the capability to execute arbitrary code.",
12129
- "privileges_required": "network attacker (no authentication required)",
12130
- "complexity": "moderate (bulk-import default)",
12131
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
12350
+ "description": "a buffer overflow (CWE-119) reachable via attacker-controlled content. CISA KEV-listed 2026-02-12 with confirmed in-the-wild exploitation (Apple zero-days of this class are typically used in targeted-spyware chains).",
12351
+ "privileges_required": "none (the victim device renders/opens attacker-controlled content; the chain often requires no user interaction)",
12352
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
12353
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
12354
+ },
12355
+ "defense_chain": {
12356
+ "prevention": {
12357
+ "what_would_have_worked": "Update to the patched iOS/iPadOS/macOS build (Apple's advisory documents in-the-wild exploitation); enable Lockdown Mode for high-risk users and enforce update SLAs via MDM on managed fleets.",
12358
+ "was_this_required": true,
12359
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
12360
+ "adequacy": "OS auto-update is definitive and fast for consumer devices; the gap is managed fleets that gate updates behind an MDM change window slower than the in-the-wild exploitation."
12361
+ },
12362
+ "detection": {
12363
+ "what_would_have_worked": "Endpoint/mobile-threat-defense monitoring for crash signatures on content render and for spyware-chain indicators; Apple Threat Notifications for targeted users.",
12364
+ "was_this_required": false,
12365
+ "framework_requiring_it": null,
12366
+ "adequacy": "Backstops devices not yet updated; targeted client chains are stealthy and often zero-click."
12367
+ },
12368
+ "response": {
12369
+ "what_would_have_worked": "Force the OS update across the fleet; for a confirmed targeted user, preserve forensic state, rotate credentials, and consider device replacement, as spyware chains can persist across reboots.",
12370
+ "was_this_required": true,
12371
+ "framework_requiring_it": "NIST 800-53 IR-4",
12372
+ "adequacy": "Mandatory for a KEV-listed client OS RCE; the exposure is every device that rendered attacker content pre-patch."
12373
+ }
12132
12374
  },
12133
12375
  "framework_coverage": {
12134
12376
  "NIST-800-53-SI-2": {
12135
12377
  "covered": true,
12136
12378
  "adequate": false,
12137
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
12379
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client memory-corruption flaw delivered by attacker-controlled content."
12138
12380
  },
12139
12381
  "ISO-27001-2022-A.8.8": {
12140
12382
  "covered": true,
12141
12383
  "adequate": false,
12142
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12384
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile/desktop OS flaw, often part of a targeted-spyware chain against high-risk users."
12385
+ },
12386
+ "AU-ISM-1546": {
12387
+ "covered": true,
12388
+ "adequate": false,
12389
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client OS RCE than a 30-day cycle, but still trails same-day OS auto-update for an in-the-wild exploit; MDM-enforced update SLAs are the load-bearing control on managed mobile fleets."
12143
12390
  }
12144
12391
  },
12145
12392
  "compliance_exposure_score": {
12146
- "percent_audit_passing_orgs_still_exposed": 55,
12147
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
12393
+ "percent_audit_passing_orgs_still_exposed": 68,
12394
+ "basis": "Apple (multiple products) is ubiquitous on endpoints; audited organizations that gate OS updates behind a managed MDM change window (rather than same-day auto-update) were exposed for this KEV-listed, actively-exploited flaw.",
12148
12395
  "theater_pattern": "patch_management"
12149
12396
  },
12150
12397
  "ai_discovered_zeroday": false,
12151
- "ai_discovery_source": "unknown",
12152
- "ai_assist_factor": "none",
12153
- "_auto_imported": true,
12154
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
12398
+ "ai_discovery_source": "vendor_research",
12399
+ "ai_assist_factor": "none"
12155
12400
  },
12156
12401
  "CVE-2024-43468": {
12157
12402
  "name": "Microsoft Configuration Manager SQL Injection Vulnerability",
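Review bot: The new CVE-2026-20700 entry selects the `none (the victim device renders/opens attacker-controlled content; the chain often requires no user interaction)` template, but the KEV text it replaces scopes the flaw to "an attacker with memory write capability", i.e. a later stage of an exploit chain rather than the initial content-rendering step, so the description's "reachable via attacker-controlled content" and "often requires no user interaction" are not supported by that text. The `low (a prior foothold / sandbox compromise; this is an escalation or sandbox-escape step in a multi-stage exploit chain)` wording used for other Apple entries in this diff matches the stated precondition; suggest switching to it and trimming the description to `a buffer overflow (CWE-119) exploitable by an attacker who already holds a memory-write primitive. CISA KEV-listed 2026-02-12 with confirmed in-the-wild exploitation.` The entry's NIST-800-53-SI-2 gap text ("delivered by attacker-controlled content") would need the same adjustment.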
@@ -13031,35 +13276,63 @@
13031
13276
  },
13032
13277
  "CVE-2025-68645": {
13033
13278
  "name": "Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability",
13034
- "lesson_date": "2026-05-18",
13279
+ "lesson_date": "2026-05-29",
13035
13280
  "attack_vector": {
13036
- "description": "Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.",
13037
- "privileges_required": "network attacker (no authentication required)",
13038
- "complexity": "moderate (bulk-import default)",
13039
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
13281
+ "description": "a PHP remote file inclusion flaw (CWE-98) on ZCS, enabling remote code execution on the mail server. CISA KEV-listed 2026-01-22 with confirmed in-the-wild exploitation.",
13282
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; XSS variants execute in a targeted user's session)",
13283
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
13284
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
13285
+ },
13286
+ "defense_chain": {
13287
+ "prevention": {
13288
+ "what_would_have_worked": "Apply the Zimbra ZCS security update from the advisory; restrict the ZCS web/admin surface and, for the SSRF/RFI variants, hunt for web shells and internal-recon activity.",
13289
+ "was_this_required": true,
13290
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
13291
+ "adequacy": "Patch is definitive; ZCS is repeatedly targeted, so the SLA gap and the lack of web-shell-hunt cleanup are the recurring failures."
13292
+ },
13293
+ "detection": {
13294
+ "what_would_have_worked": "Monitoring on ZCS: XSS payloads in mail/requests, server-side outbound requests to internal endpoints (SSRF), inclusion/execution of remote PHP (RFI), and web shells under the ZCS web root.",
13295
+ "was_this_required": false,
13296
+ "framework_requiring_it": null,
13297
+ "adequacy": "Necessary to catch exploitation and resident persistence on a recurring mass-exploited target."
13298
+ },
13299
+ "response": {
13300
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate ZCS credentials and session secrets, and review mailbox access for exfiltration.",
13301
+ "was_this_required": true,
13302
+ "framework_requiring_it": "NIST 800-53 IR-4",
13303
+ "adequacy": "Mandatory; ZCS compromise typically targets mailbox data and persistence, which a bare patch does not remove."
13304
+ }
13040
13305
  },
13041
13306
  "framework_coverage": {
13042
13307
  "NIST-800-53-SI-2": {
13043
13308
  "covered": true,
13044
13309
  "adequate": false,
13045
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
13310
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed flaw on an internet-facing mail server; ZCS is a recurring mass-exploited target."
13046
13311
  },
13047
13312
  "ISO-27001-2022-A.8.8": {
13048
13313
  "covered": true,
13049
13314
  "adequate": false,
13050
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13315
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited flaw on an internet-facing collaboration/mail server."
13316
+ },
13317
+ "NIS2-Art21-network-security": {
13318
+ "covered": true,
13319
+ "adequate": false,
13320
+ "gap": "Treats mail/collaboration servers as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA."
13321
+ },
13322
+ "PCI-DSS-4.0-6.3.3": {
13323
+ "covered": true,
13324
+ "adequate": false,
13325
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing mail server in or adjacent to the CDE."
13051
13326
  }
13052
13327
  },
13053
13328
  "compliance_exposure_score": {
13054
- "percent_audit_passing_orgs_still_exposed": 55,
13055
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
13329
+ "percent_audit_passing_orgs_still_exposed": 72,
13330
+ "basis": "Internet-facing Zimbra is run by audited organizations on a standard patch SLA and is repeatedly mass-exploited within days of disclosure; web-shell hunting is rarely part of the patch procedure.",
13056
13331
  "theater_pattern": "patch_management"
13057
13332
  },
13058
13333
  "ai_discovered_zeroday": false,
13059
- "ai_discovery_source": "unknown",
13060
- "ai_assist_factor": "none",
13061
- "_auto_imported": true,
13062
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
13334
+ "ai_discovery_source": "vendor_research",
13335
+ "ai_assist_factor": "none"
13063
13336
  },
13064
13337
  "CVE-2025-34026": {
13065
13338
  "name": "Versa Concerto Improper Authentication Vulnerability",
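Review bot: The new CVE-2025-68645 description asserts the flaw is `enabling remote code execution on the mail server`, which goes beyond the replaced KEV text — crafted requests to the /h/rest endpoint influencing internal request dispatching and allowing inclusion of arbitrary files from the WebRoot directory — and nothing else in the entry cites a source for the RCE outcome. Either cite the advisory that establishes code execution or hedge: `"description": "a PHP remote file inclusion flaw (CWE-98) on ZCS via the /h/rest endpoint, allowing inclusion of arbitrary files from the WebRoot (code execution is the likely outcome but is not stated in the KEV entry). CISA KEV-listed 2026-01-22 with confirmed in-the-wild exploitation."`. The endpoint is also what defenders would key request logging on, so dropping it from the description weakens `detection.what_would_have_worked`, which only mentions remote PHP inclusion generically.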
@@ -14635,35 +14908,58 @@
14635
14908
  },
14636
14909
  "CVE-2022-48503": {
14637
14910
  "name": "Apple Multiple Products Unspecified Vulnerability",
14638
- "lesson_date": "2026-05-18",
14911
+ "lesson_date": "2026-05-29",
14639
14912
  "attack_vector": {
14640
- "description": "Apple macOS, iOS, tvOS, Safari, and watchOS contain an unspecified vulnerability in JavaScriptCore that when processing web content may lead to arbitrary code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
14641
- "privileges_required": "network attacker (no authentication required)",
14642
- "complexity": "moderate (bulk-import default)",
14643
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
14913
+ "description": "a code-execution flaw (CWE-94) reachable via attacker-controlled web/media content. CISA KEV-listed 2025-10-20 with confirmed in-the-wild exploitation (Apple zero-days of this class are typically used in targeted-spyware chains).",
14914
+ "privileges_required": "none (the victim device renders/opens attacker-controlled content; the chain often requires no user interaction)",
14915
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
14916
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
14917
+ },
14918
+ "defense_chain": {
14919
+ "prevention": {
14920
+ "what_would_have_worked": "Update to the patched iOS/iPadOS/macOS build (Apple's advisory documents in-the-wild exploitation); enable Lockdown Mode for high-risk users and enforce update SLAs via MDM on managed fleets.",
14921
+ "was_this_required": true,
14922
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
14923
+ "adequacy": "OS auto-update is definitive and fast for consumer devices; the gap is managed fleets that gate updates behind an MDM change window slower than the in-the-wild exploitation."
14924
+ },
14925
+ "detection": {
14926
+ "what_would_have_worked": "Endpoint/mobile-threat-defense monitoring for crash signatures on content render and for spyware-chain indicators; Apple Threat Notifications for targeted users.",
14927
+ "was_this_required": false,
14928
+ "framework_requiring_it": null,
14929
+ "adequacy": "Backstops devices not yet updated; targeted client chains are stealthy and often zero-click."
14930
+ },
14931
+ "response": {
14932
+ "what_would_have_worked": "Force the OS update across the fleet; for a confirmed targeted user, preserve forensic state, rotate credentials, and consider device replacement, as spyware chains can persist across reboots.",
14933
+ "was_this_required": true,
14934
+ "framework_requiring_it": "NIST 800-53 IR-4",
14935
+ "adequacy": "Mandatory for a KEV-listed client OS RCE; the exposure is every device that rendered attacker content pre-patch."
14936
+ }
14644
14937
  },
14645
14938
  "framework_coverage": {
14646
14939
  "NIST-800-53-SI-2": {
14647
14940
  "covered": true,
14648
14941
  "adequate": false,
14649
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
14942
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client memory-corruption flaw delivered by attacker-controlled content."
14650
14943
  },
14651
14944
  "ISO-27001-2022-A.8.8": {
14652
14945
  "covered": true,
14653
14946
  "adequate": false,
14654
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14947
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile/desktop OS flaw, often part of a targeted-spyware chain against high-risk users."
14948
+ },
14949
+ "AU-ISM-1546": {
14950
+ "covered": true,
14951
+ "adequate": false,
14952
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client OS RCE than a 30-day cycle, but still trails same-day OS auto-update for an in-the-wild exploit; MDM-enforced update SLAs are the load-bearing control on managed mobile fleets."
14655
14953
  }
14656
14954
  },
14657
14955
  "compliance_exposure_score": {
14658
- "percent_audit_passing_orgs_still_exposed": 55,
14659
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
14956
+ "percent_audit_passing_orgs_still_exposed": 68,
14957
+ "basis": "Apple (multiple products) is ubiquitous on endpoints; audited organizations that gate OS updates behind a managed MDM change window (rather than same-day auto-update) were exposed for this KEV-listed, actively-exploited flaw.",
14660
14958
  "theater_pattern": "patch_management"
14661
14959
  },
14662
14960
  "ai_discovered_zeroday": false,
14663
- "ai_discovery_source": "unknown",
14664
- "ai_assist_factor": "none",
14665
- "_auto_imported": true,
14666
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
14961
+ "ai_discovery_source": "vendor_research",
14962
+ "ai_assist_factor": "none"
14667
14963
  },
14668
14964
  "CVE-2025-2746": {
14669
14965
  "name": "Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability",
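Review bot: The rewritten `prevention.what_would_have_worked` assumes a patched build exists, but the KEV text this hunk removes said the impacted products may be end-of-life/end-of-service and should be discontinued; the record should keep that, e.g. append `; where the affected OS line is end-of-life there is no patch and device replacement is the only remediation`. The removed text also listed tvOS, Safari and watchOS, while the new prevention step names only iOS/iPadOS/macOS. The `attack_vector.description` files the flaw as CWE-94 (code injection) while the `NIST-800-53-SI-2.gap` calls it a "client memory-corruption flaw"; one classification should be chosen or the CWE marked as unconfirmed. The same template is reused for the CVE-2025-43200 entry later in this diff.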
@@ -14986,36 +15282,64 @@
14986
15282
  "_intake_method": "v0.13.17-bulk-cisa-kev-import"
14987
15283
  },
14988
15284
  "CVE-2025-27915": {
14989
- "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability",
14990
- "lesson_date": "2026-05-18",
15285
+ "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability (variant: CVE-2025-27915)",
15286
+ "lesson_date": "2026-05-29",
14991
15287
  "attack_vector": {
14992
- "description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.",
14993
- "privileges_required": "network attacker (no authentication required)",
14994
- "complexity": "moderate (bulk-import default)",
14995
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
15288
+ "description": "a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session. CISA KEV-listed 2025-10-07 with confirmed in-the-wild exploitation.",
15289
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; XSS variants execute in a targeted user's session)",
15290
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
15291
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
15292
+ },
15293
+ "defense_chain": {
15294
+ "prevention": {
15295
+ "what_would_have_worked": "Apply the Zimbra ZCS security update from the advisory; restrict the ZCS web/admin surface and, for the SSRF/RFI variants, hunt for web shells and internal-recon activity.",
15296
+ "was_this_required": true,
15297
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
15298
+ "adequacy": "Patch is definitive; ZCS is repeatedly targeted, so the SLA gap and the lack of web-shell-hunt cleanup are the recurring failures."
15299
+ },
15300
+ "detection": {
15301
+ "what_would_have_worked": "Monitoring on ZCS: XSS payloads in mail/requests, server-side outbound requests to internal endpoints (SSRF), inclusion/execution of remote PHP (RFI), and web shells under the ZCS web root.",
15302
+ "was_this_required": false,
15303
+ "framework_requiring_it": null,
15304
+ "adequacy": "Necessary to catch exploitation and resident persistence on a recurring mass-exploited target."
15305
+ },
15306
+ "response": {
15307
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate ZCS credentials and session secrets, and review mailbox access for exfiltration.",
15308
+ "was_this_required": true,
15309
+ "framework_requiring_it": "NIST 800-53 IR-4",
15310
+ "adequacy": "Mandatory; ZCS compromise typically targets mailbox data and persistence, which a bare patch does not remove."
15311
+ }
14996
15312
  },
14997
15313
  "framework_coverage": {
14998
15314
  "NIST-800-53-SI-2": {
14999
15315
  "covered": true,
15000
15316
  "adequate": false,
15001
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
15317
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed flaw on an internet-facing mail server; ZCS is a recurring mass-exploited target."
15002
15318
  },
15003
15319
  "ISO-27001-2022-A.8.8": {
15004
15320
  "covered": true,
15005
15321
  "adequate": false,
15006
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15322
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited flaw on an internet-facing collaboration/mail server."
15323
+ },
15324
+ "NIS2-Art21-network-security": {
15325
+ "covered": true,
15326
+ "adequate": false,
15327
+ "gap": "Treats mail/collaboration servers as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA."
15328
+ },
15329
+ "PCI-DSS-4.0-6.3.3": {
15330
+ "covered": true,
15331
+ "adequate": false,
15332
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing mail server in or adjacent to the CDE."
15007
15333
  }
15008
15334
  },
15009
15335
  "compliance_exposure_score": {
15010
- "percent_audit_passing_orgs_still_exposed": 55,
15011
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
15336
+ "percent_audit_passing_orgs_still_exposed": 72,
15337
+ "basis": "Internet-facing Zimbra is run by audited organizations on a standard patch SLA and is repeatedly mass-exploited within days of disclosure; web-shell hunting is rarely part of the patch procedure.",
15012
15338
  "theater_pattern": "patch_management"
15013
15339
  },
15014
15340
  "ai_discovered_zeroday": false,
15015
- "ai_discovery_source": "unknown",
15016
- "ai_assist_factor": "none",
15017
- "_auto_imported": true,
15018
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
15341
+ "ai_discovery_source": "vendor_research",
15342
+ "ai_assist_factor": "none"
15019
15343
  },
15020
15344
  "CVE-2021-22555": {
15021
15345
  "name": "Linux Kernel Heap Out-of-Bounds Write Vulnerability",
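Review bot: The generic template description drops the exploitation detail the removed KEV text carried (malicious ICS calendar entry in mail; attacker-set mail filters redirecting messages), and that detail is exactly what `response.what_would_have_worked` needs: it tells responders to review mailbox access but not to audit filter/forwarding rules, which is where this variant's persistence lives. Suggest `"what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate ZCS credentials and session secrets, audit mailbox filter/forwarding rules for attacker-added redirects, and review mailbox access for exfiltration."`. The same loss applies to the CVE-2019-9621 (ProxyServlet) and CVE-2024-27443 (CalendarInvite header) hunks, which reuse this template. Provenance also thins out: `ai_discovery_source` moves from "unknown" to "vendor_research" without a cited source, and `_auto_imported`/`_intake_method` are removed while the preceding entry at the top of this hunk keeps `_intake_method`, so consumers filtering on those keys will treat these records inconsistently. The `name` now ends in "(variant: CVE-2025-27915)", which merely duplicates the key.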
@@ -17051,35 +17375,63 @@
17051
17375
  },
17052
17376
  "CVE-2019-9621": {
17053
17377
  "name": "Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability",
17054
- "lesson_date": "2026-05-18",
17378
+ "lesson_date": "2026-05-29",
17055
17379
  "attack_vector": {
17056
- "description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component.",
17057
- "privileges_required": "network attacker (no authentication required)",
17058
- "complexity": "moderate (bulk-import default)",
17059
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
17380
+ "description": "a server-side request forgery flaw (CWE-918/CWE-807) on ZCS, letting an unauthenticated attacker coerce server-side requests (a known chain toward RCE on ZCS). CISA KEV-listed 2025-07-07 with confirmed in-the-wild exploitation.",
17381
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; XSS variants execute in a targeted user's session)",
17382
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
17383
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
17384
+ },
17385
+ "defense_chain": {
17386
+ "prevention": {
17387
+ "what_would_have_worked": "Apply the Zimbra ZCS security update from the advisory; restrict the ZCS web/admin surface and, for the SSRF/RFI variants, hunt for web shells and internal-recon activity.",
17388
+ "was_this_required": true,
17389
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
17390
+ "adequacy": "Patch is definitive; ZCS is repeatedly targeted, so the SLA gap and the lack of web-shell-hunt cleanup are the recurring failures."
17391
+ },
17392
+ "detection": {
17393
+ "what_would_have_worked": "Monitoring on ZCS: XSS payloads in mail/requests, server-side outbound requests to internal endpoints (SSRF), inclusion/execution of remote PHP (RFI), and web shells under the ZCS web root.",
17394
+ "was_this_required": false,
17395
+ "framework_requiring_it": null,
17396
+ "adequacy": "Necessary to catch exploitation and resident persistence on a recurring mass-exploited target."
17397
+ },
17398
+ "response": {
17399
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate ZCS credentials and session secrets, and review mailbox access for exfiltration.",
17400
+ "was_this_required": true,
17401
+ "framework_requiring_it": "NIST 800-53 IR-4",
17402
+ "adequacy": "Mandatory; ZCS compromise typically targets mailbox data and persistence, which a bare patch does not remove."
17403
+ }
17060
17404
  },
17061
17405
  "framework_coverage": {
17062
17406
  "NIST-800-53-SI-2": {
17063
17407
  "covered": true,
17064
17408
  "adequate": false,
17065
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
17409
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed flaw on an internet-facing mail server; ZCS is a recurring mass-exploited target."
17066
17410
  },
17067
17411
  "ISO-27001-2022-A.8.8": {
17068
17412
  "covered": true,
17069
17413
  "adequate": false,
17070
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
17414
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited flaw on an internet-facing collaboration/mail server."
17415
+ },
17416
+ "NIS2-Art21-network-security": {
17417
+ "covered": true,
17418
+ "adequate": false,
17419
+ "gap": "Treats mail/collaboration servers as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA."
17420
+ },
17421
+ "PCI-DSS-4.0-6.3.3": {
17422
+ "covered": true,
17423
+ "adequate": false,
17424
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing mail server in or adjacent to the CDE."
17071
17425
  }
17072
17426
  },
17073
17427
  "compliance_exposure_score": {
17074
- "percent_audit_passing_orgs_still_exposed": 55,
17075
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
17428
+ "percent_audit_passing_orgs_still_exposed": 72,
17429
+ "basis": "Internet-facing Zimbra is run by audited organizations on a standard patch SLA and is repeatedly mass-exploited within days of disclosure; web-shell hunting is rarely part of the patch procedure.",
17076
17430
  "theater_pattern": "patch_management"
17077
17431
  },
17078
17432
  "ai_discovered_zeroday": false,
17079
- "ai_discovery_source": "unknown",
17080
- "ai_assist_factor": "none",
17081
- "_auto_imported": true,
17082
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
17433
+ "ai_discovery_source": "vendor_research",
17434
+ "ai_assist_factor": "none"
17083
17435
  },
17084
17436
  "CVE-2019-5418": {
17085
17437
  "name": "Rails Ruby on Rails Path Traversal Vulnerability",
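Review bot: `privileges_required` on this SSRF entry carries the XSS template's parenthetical ("XSS variants execute in a targeted user's session"), which does not describe a ProxyServlet SSRF; it should read `"privileges_required": "none (the flaw is reachable by an unauthenticated attacker)"`. Likewise `prevention.what_would_have_worked` frames SSRF/RFI as "variants" to hunt for, while for this record SSRF is the primary flaw, so the web-shell and internal-recon hunt should be stated unconditionally here. The detection text leading with "XSS payloads in mail/requests" is secondary for this CVE; putting the SSRF indicator (server-side outbound requests to internal endpoints) first would match the entry.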
@@ -17494,36 +17846,59 @@
17494
17846
  "_intake_method": "v0.13.17-bulk-cisa-kev-import"
17495
17847
  },
17496
17848
  "CVE-2025-43200": {
17497
- "name": "Apple Multiple Products Unspecified Vulnerability",
17498
- "lesson_date": "2026-05-18",
17849
+ "name": "Apple Multiple Products Unspecified Vulnerability (variant: CVE-2025-43200)",
17850
+ "lesson_date": "2026-05-29",
17499
17851
  "attack_vector": {
17500
- "description": "Apple iOS, iPadOS, macOS, watchOS, and visionOS, contain an unspecified vulnerability when processing a maliciously crafted photo or video shared via an iCloud Link.",
17501
- "privileges_required": "network attacker (no authentication required)",
17502
- "complexity": "moderate (bulk-import default)",
17503
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
17852
+ "description": "a code-execution flaw (CWE-94, variant) reachable via attacker-controlled content (a zero-click delivery path in the documented in-the-wild use). CISA KEV-listed 2025-06-16 with confirmed in-the-wild exploitation (Apple zero-days of this class are typically used in targeted-spyware chains).",
17853
+ "privileges_required": "none (the victim device renders/opens attacker-controlled content; the chain often requires no user interaction)",
17854
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
17855
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
17856
+ },
17857
+ "defense_chain": {
17858
+ "prevention": {
17859
+ "what_would_have_worked": "Update to the patched iOS/iPadOS/macOS build (Apple's advisory documents in-the-wild exploitation); enable Lockdown Mode for high-risk users and enforce update SLAs via MDM on managed fleets.",
17860
+ "was_this_required": true,
17861
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
17862
+ "adequacy": "OS auto-update is definitive and fast for consumer devices; the gap is managed fleets that gate updates behind an MDM change window slower than the in-the-wild exploitation."
17863
+ },
17864
+ "detection": {
17865
+ "what_would_have_worked": "Endpoint/mobile-threat-defense monitoring for crash signatures on content render and for spyware-chain indicators; Apple Threat Notifications for targeted users.",
17866
+ "was_this_required": false,
17867
+ "framework_requiring_it": null,
17868
+ "adequacy": "Backstops devices not yet updated; targeted client chains are stealthy and often zero-click."
17869
+ },
17870
+ "response": {
17871
+ "what_would_have_worked": "Force the OS update across the fleet; for a confirmed targeted user, preserve forensic state, rotate credentials, and consider device replacement, as spyware chains can persist across reboots.",
17872
+ "was_this_required": true,
17873
+ "framework_requiring_it": "NIST 800-53 IR-4",
17874
+ "adequacy": "Mandatory for a KEV-listed client OS RCE; the exposure is every device that rendered attacker content pre-patch."
17875
+ }
17504
17876
  },
17505
17877
  "framework_coverage": {
17506
17878
  "NIST-800-53-SI-2": {
17507
17879
  "covered": true,
17508
17880
  "adequate": false,
17509
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
17881
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client memory-corruption flaw delivered by attacker-controlled content."
17510
17882
  },
17511
17883
  "ISO-27001-2022-A.8.8": {
17512
17884
  "covered": true,
17513
17885
  "adequate": false,
17514
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
17886
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile/desktop OS flaw, often part of a targeted-spyware chain against high-risk users."
17887
+ },
17888
+ "AU-ISM-1546": {
17889
+ "covered": true,
17890
+ "adequate": false,
17891
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client OS RCE than a 30-day cycle, but still trails same-day OS auto-update for an in-the-wild exploit; MDM-enforced update SLAs are the load-bearing control on managed mobile fleets."
17515
17892
  }
17516
17893
  },
17517
17894
  "compliance_exposure_score": {
17518
- "percent_audit_passing_orgs_still_exposed": 55,
17519
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
17895
+ "percent_audit_passing_orgs_still_exposed": 68,
17896
+ "basis": "Apple (multiple products) is ubiquitous on endpoints; audited organizations that gate OS updates behind a managed MDM change window (rather than same-day auto-update) were exposed for this KEV-listed, actively-exploited flaw.",
17520
17897
  "theater_pattern": "patch_management"
17521
17898
  },
17522
17899
  "ai_discovered_zeroday": false,
17523
- "ai_discovery_source": "unknown",
17524
- "ai_assist_factor": "none",
17525
- "_auto_imported": true,
17526
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
17900
+ "ai_discovery_source": "vendor_research",
17901
+ "ai_assist_factor": "none"
17527
17902
  },
17528
17903
  "CVE-2025-33053": {
17529
17904
  "name": " Microsoft Windows External Control of File Name or Path Vulnerability",
@@ -18007,35 +18382,63 @@
18007
18382
  },
18008
18383
  "CVE-2024-27443": {
18009
18384
  "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability",
18010
- "lesson_date": "2026-05-18",
18385
+ "lesson_date": "2026-05-29",
18011
18386
  "attack_vector": {
18012
- "description": "Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.",
18013
- "privileges_required": "network attacker (no authentication required)",
18014
- "complexity": "moderate (bulk-import default)",
18015
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
18387
+ "description": "a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session. CISA KEV-listed 2025-05-19 with confirmed in-the-wild exploitation.",
18388
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; XSS variants execute in a targeted user's session)",
18389
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
18390
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
18391
+ },
18392
+ "defense_chain": {
18393
+ "prevention": {
18394
+ "what_would_have_worked": "Apply the Zimbra ZCS security update from the advisory; restrict the ZCS web/admin surface and, for the SSRF/RFI variants, hunt for web shells and internal-recon activity.",
18395
+ "was_this_required": true,
18396
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
18397
+ "adequacy": "Patch is definitive; ZCS is repeatedly targeted, so the SLA gap and the lack of web-shell-hunt cleanup are the recurring failures."
18398
+ },
18399
+ "detection": {
18400
+ "what_would_have_worked": "Monitoring on ZCS: XSS payloads in mail/requests, server-side outbound requests to internal endpoints (SSRF), inclusion/execution of remote PHP (RFI), and web shells under the ZCS web root.",
18401
+ "was_this_required": false,
18402
+ "framework_requiring_it": null,
18403
+ "adequacy": "Necessary to catch exploitation and resident persistence on a recurring mass-exploited target."
18404
+ },
18405
+ "response": {
18406
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate ZCS credentials and session secrets, and review mailbox access for exfiltration.",
18407
+ "was_this_required": true,
18408
+ "framework_requiring_it": "NIST 800-53 IR-4",
18409
+ "adequacy": "Mandatory; ZCS compromise typically targets mailbox data and persistence, which a bare patch does not remove."
18410
+ }
18016
18411
  },
18017
18412
  "framework_coverage": {
18018
18413
  "NIST-800-53-SI-2": {
18019
18414
  "covered": true,
18020
18415
  "adequate": false,
18021
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
18416
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed flaw on an internet-facing mail server; ZCS is a recurring mass-exploited target."
18022
18417
  },
18023
18418
  "ISO-27001-2022-A.8.8": {
18024
18419
  "covered": true,
18025
18420
  "adequate": false,
18026
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
18421
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited flaw on an internet-facing collaboration/mail server."
18422
+ },
18423
+ "NIS2-Art21-network-security": {
18424
+ "covered": true,
18425
+ "adequate": false,
18426
+ "gap": "Treats mail/collaboration servers as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA."
18427
+ },
18428
+ "PCI-DSS-4.0-6.3.3": {
18429
+ "covered": true,
18430
+ "adequate": false,
18431
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing mail server in or adjacent to the CDE."
18027
18432
  }
18028
18433
  },
18029
18434
  "compliance_exposure_score": {
18030
- "percent_audit_passing_orgs_still_exposed": 55,
18031
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
18435
+ "percent_audit_passing_orgs_still_exposed": 72,
18436
+ "basis": "Internet-facing Zimbra is run by audited organizations on a standard patch SLA and is repeatedly mass-exploited within days of disclosure; web-shell hunting is rarely part of the patch procedure.",
18032
18437
  "theater_pattern": "patch_management"
18033
18438
  },
18034
18439
  "ai_discovered_zeroday": false,
18035
- "ai_discovery_source": "unknown",
18036
- "ai_assist_factor": "none",
18037
- "_auto_imported": true,
18038
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
18440
+ "ai_discovery_source": "vendor_research",
18441
+ "ai_assist_factor": "none"
18039
18442
  },
18040
18443
  "CVE-2025-27920": {
18041
18444
  "name": "Srimax Output Messenger Directory Traversal Vulnerability",