@blamejs/exceptd-skills 0.15.11 → 0.15.12

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.12 — 2026-05-29
+
+Draft-curation pass 10 — Zimbra mail server. Seven CISA KEV-listed Synacor Zimbra Collaboration Suite (ZCS) CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the cross-site scripting cluster (CVE-2025-48700, CVE-2025-66376, CVE-2025-27915, CVE-2024-27443), the server-side request forgery pair (CVE-2020-7796, CVE-2019-9621), and the PHP remote-file-inclusion RCE (CVE-2025-68645). The lessons note ZCS is a recurring mass-exploited mail-server target where web-shell hunting and session-secret rotation are needed beyond the patch.
+
 ## 0.15.11 — 2026-05-29
 
 Draft-curation pass 9 — Apple client-side zero-days. Nine CISA KEV-listed Apple memory-corruption CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. They map T1203 (Exploitation for Client Execution) — and T1068 for the sandbox-escape steps that act as privilege links in a multi-stage chain — rather than the network-service T1190: improper locking (CVE-2025-43510), buffer overflows (CVE-2025-43520, CVE-2025-31277, CVE-2026-20700), use-after-frees (CVE-2023-43000, CVE-2023-41974), an integer overflow (CVE-2021-30952), and two code-execution flaws (CVE-2022-48503, CVE-2025-43200). The lessons frame these as targeted-spyware-chain components and stress same-day OS update vs. MDM change windows, with Lockdown Mode for high-risk users.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T19:51:04.683Z",
+  "generated_at": "2026-05-29T20:13:44.758Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "690cb7c701080f97144ae7df49c0fb2b2b017f6699859f6cfe1a2d07c2a1d32c",
+    "manifest.json": "3bacb8aa107312617e0a571f7120ca76409f003a0ad1f48841aa5963e0d31e71",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "874c1693aa263ff5161cc96bd28efa6056c0e018847e2b55f575502b47a45fc5",
-    "data/cve-catalog.json": "6787e2aea49819872301629954f5a5d3ce9c27d984ffd45835eb097cab95e98c",
+    "data/attack-techniques.json": "5c5f431f4764af9d1e3fa4fbc927df282d794c4ceef89ce65bb406dfac087e5d",
+    "data/cve-catalog.json": "a984c5200d64409419733ac577525b76308d0ed221142482f11defa0dd175a97",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "775bcd4734117ccfc4d191f0a3ae337b43da6611a612c1e0074c3bb8e285bbbc",
+    "data/zeroday-lessons.json": "a06da4f17287974cf234a78a327ab6935cf71b65f61690773e50f2e499c3a4a1",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -325,6 +325,7 @@
       "CVE-2025-58034",
       "CVE-2025-60455",
       "CVE-2025-64496",
+      "CVE-2025-68645",
       "CVE-2025-68664",
       "CVE-2025-68665",
       "CVE-2025-68668",
@@ -912,9 +913,11 @@
       "CVE-2017-1000353",
       "CVE-2018-4063",
       "CVE-2019-6693",
+      "CVE-2019-9621",
       "CVE-2020-10148",
       "CVE-2020-25078",
       "CVE-2020-25079",
+      "CVE-2020-7796",
       "CVE-2021-22681",
       "CVE-2021-26828",
       "CVE-2022-1471",
@@ -947,6 +950,7 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-27443",
       "CVE-2024-2912",
       "CVE-2024-31462",
       "CVE-2024-37032",
@@ -992,6 +996,7 @@
       "CVE-2025-27520",
       "CVE-2025-2775",
       "CVE-2025-2776",
+      "CVE-2025-27915",
       "CVE-2025-29635",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -1023,6 +1028,7 @@
       "CVE-2025-47812",
       "CVE-2025-47827",
       "CVE-2025-48384",
+      "CVE-2025-48700",
       "CVE-2025-48703",
       "CVE-2025-48927",
       "CVE-2025-48928",
@@ -1069,6 +1075,7 @@
       "CVE-2025-64513",
       "CVE-2025-6554",
       "CVE-2025-6558",
+      "CVE-2025-66376",
       "CVE-2025-66644",
       "CVE-2025-67818",
       "CVE-2025-68613",

package/data/cve-catalog.json

@@ -8634,7 +8634,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -8655,7 +8656,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories",
@@ -8684,11 +8685,21 @@
         "published_date": "2026-04-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2025-48700",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session for session/credential theft and mailbox access.",
+        "stored/reflected XSS payloads in email or request parameters, and session/credential theft following a victim viewing attacker content — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48700, CISA KEV (added 2026-04-20), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20128": {
     "name": "Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability",
@@ -21209,7 +21220,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21230,7 +21242,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories",
@@ -21259,11 +21271,21 @@
         "published_date": "2026-03-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-18; due date 2026-04-01. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2025-66376",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session.",
+        "XSS payloads in ZCS web requests/email and anomalous session activity — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-66376, CISA KEV (added 2026-03-18), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20963": {
     "name": "Microsoft SharePoint Deserialization of Untrusted Data Vulnerability",
@@ -23556,7 +23578,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -23577,7 +23600,7 @@
     "cwe_refs": [
       "CWE-918"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7",
@@ -23606,11 +23629,21 @@
         "published_date": "2026-02-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-17; due date 2026-03-10. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7 ; https://nvd.nist.gov/vuln/detail/CVE-2020-7796",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a server-side request forgery flaw (CWE-918) on ZCS, letting an unauthenticated attacker coerce the server into making requests to internal resources.",
+        "ZCS server making outbound requests to internal/metadata endpoints on attacker input — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2020-7796, CISA KEV (added 2026-02-17), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-7694": {
     "name": "TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -26438,7 +26471,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -26459,7 +26493,7 @@
     "cwe_refs": [
       "CWE-98"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Security_Center",
@@ -26488,11 +26522,21 @@
         "published_date": "2026-01-22"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-22; due date 2026-02-12. Notes reference: https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2025-68645",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a PHP remote file inclusion flaw (CWE-98) on ZCS, enabling remote code execution on the mail server.",
+        "ZCS including/executing a remote PHP resource, and web shells or unexpected process execution by the mail-server process — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-68645, CISA KEV (added 2026-01-22), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-34026": {
     "name": "Versa Concerto Improper Authentication Vulnerability",
@@ -31807,7 +31851,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -31828,7 +31873,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Security_Center",
@@ -31857,11 +31902,21 @@
         "published_date": "2025-10-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-07; due date 2025-10-28. Notes reference: https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2025-27915",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session.",
+        "XSS payloads in ZCS requests/email and anomalous session activity — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-27915, CISA KEV (added 2025-10-07), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-22555": {
     "name": "Linux Kernel Heap Out-of-Bounds Write Vulnerability",
@@ -37157,7 +37212,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -37179,7 +37235,7 @@
       "CWE-918",
       "CWE-807"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories",
@@ -37209,11 +37265,21 @@
         "published_date": "2025-07-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2019-9621",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a server-side request forgery flaw (CWE-918/CWE-807) on ZCS, letting an unauthenticated attacker coerce server-side requests (a known chain toward RCE on ZCS).",
+        "ZCS server making attacker-directed internal requests, often chained toward code execution — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2019-9621, CISA KEV (added 2025-07-07), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2019-5418": {
     "name": "Rails Ruby on Rails Path Traversal Vulnerability",
@@ -39955,7 +40021,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39976,7 +40043,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes",
@@ -40007,11 +40074,21 @@
         "published_date": "2025-05-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes ; https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes ; https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Sec",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session.",
+        "XSS payloads in ZCS calendar/email content and anomalous session activity — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-27443, CISA KEV (added 2025-05-19), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-27920": {
     "name": "Srimax Output Messenger Directory Traversal Vulnerability",