@blamejs/exceptd-skills 0.15.11 → 0.15.13

package/data/cve-catalog.json

@@ -8634,7 +8634,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -8655,7 +8656,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories",
@@ -8684,11 +8685,21 @@
         "published_date": "2026-04-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2025-48700",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session for session/credential theft and mailbox access.",
+        "stored/reflected XSS payloads in email or request parameters, and session/credential theft following a victim viewing attacker content — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48700, CISA KEV (added 2026-04-20), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20128": {
     "name": "Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability",
@@ -10460,7 +10471,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -10481,7 +10494,7 @@
     "cwe_refs": [
       "CWE-125"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368",
@@ -10510,11 +10523,21 @@
         "published_date": "2026-03-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-30; due date 2026-04-02. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368 ; https://nvd.nist",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler consistent with an out-of-bounds read (CWE-125) on Citrix NetScaler, disclosing adjacent memory used to steal authenticated session material.",
+        "the appliance returning oversized/leaked-looking response bodies on specific endpoint requests, and use of valid-looking session tokens for which there is no corresponding legitimate login event (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-3055, CISA KEV (added 2026-03-30), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-53521": {
     "name": "F5 BIG-IP Stack-Based Buffer Overflow Vulnerability",
@@ -21209,7 +21232,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21230,7 +21254,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories",
@@ -21259,11 +21283,21 @@
         "published_date": "2026-03-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-18; due date 2026-04-01. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://nvd.nist.gov/vuln/detail/CVE-2025-66376",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) @import directives in email HTML.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session.",
+        "XSS payloads in ZCS web requests/email and anomalous session activity — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-66376, CISA KEV (added 2026-03-18), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20963": {
     "name": "Microsoft SharePoint Deserialization of Untrusted Data Vulnerability",
@@ -23556,7 +23590,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -23577,7 +23612,7 @@
     "cwe_refs": [
       "CWE-918"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7",
@@ -23606,11 +23641,21 @@
         "published_date": "2026-02-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-17; due date 2026-03-10. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7 ; https://nvd.nist.gov/vuln/detail/CVE-2020-7796",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a server-side request forgery flaw (CWE-918) on ZCS, letting an unauthenticated attacker coerce the server into making requests to internal resources.",
+        "ZCS server making outbound requests to internal/metadata endpoints on attacker input — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2020-7796, CISA KEV (added 2026-02-17), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-7694": {
     "name": "TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -26438,7 +26483,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -26459,7 +26505,7 @@
     "cwe_refs": [
       "CWE-98"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Security_Center",
@@ -26488,11 +26534,21 @@
         "published_date": "2026-01-22"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-22; due date 2026-02-12. Notes reference: https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2025-68645",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a PHP remote file inclusion flaw (CWE-98) on ZCS, enabling remote code execution on the mail server.",
+        "ZCS including/executing a remote PHP resource, and web shells or unexpected process execution by the mail-server process — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-68645, CISA KEV (added 2026-01-22), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-34026": {
     "name": "Versa Concerto Improper Authentication Vulnerability",
@@ -31807,7 +31863,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -31828,7 +31885,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Security_Center",
@@ -31857,11 +31914,21 @@
         "published_date": "2025-10-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-07; due date 2025-10-28. Notes reference: https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2025-27915",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session.",
+        "XSS payloads in ZCS requests/email and anomalous session activity — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-27915, CISA KEV (added 2025-10-07), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-22555": {
     "name": "Linux Kernel Heap Out-of-Bounds Write Vulnerability",
@@ -34567,7 +34634,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938",
@@ -34596,11 +34663,21 @@
         "published_date": "2025-08-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-26; due date 2025-08-28. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938 ; https://nvd.nist.gov/vuln/detail/CVE-2025-7775",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler consistent with a memory-overflow buffer flaw (CWE-119) on Citrix NetScaler, exploitable by an unauthenticated attacker for remote code execution.",
+        "appliance crashes consistent with memory corruption, unexpected processes on the NetScaler, and unexplained configuration changes (KEV-confirmed in-the-wild exploitation) (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-7775, CISA KEV (added 2025-08-26), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48384": {
     "name": "Git Link Following Vulnerability",
@@ -34742,7 +34819,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1068"
+      "T1068",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34763,7 +34841,7 @@
     "cwe_refs": [
       "CWE-269"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html",
@@ -34792,11 +34870,21 @@
         "published_date": "2025-08-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-25; due date 2025-09-15. Notes reference: https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-8068",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain.",
+    "iocs": {
+      "behavioral": [
+        "Citrix Session Recording reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the Session Recording consistent with an improper privilege-management flaw (CWE-269) on Citrix Session Recording, escalating an authenticated user's privileges on the recording server.",
+        "previously-low-privileged Session Recording users performing administrative actions or accessing recordings they shouldn't, with no corresponding role change (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-8068, CISA KEV (added 2025-08-25), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-8069": {
     "name": "Citrix Session Recording Deserialization of Untrusted Data Vulnerability",
@@ -34838,7 +34926,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34859,7 +34948,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html",
@@ -34888,11 +34977,21 @@
         "published_date": "2025-08-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-25; due date 2025-09-15. Notes reference: https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-8069",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server.",
+    "iocs": {
+      "behavioral": [
+        "Citrix Session Recording reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the Session Recording consistent with a deserialization-of-untrusted-data flaw (CWE-502) on Citrix Session Recording, enabling remote code execution on the recording server.",
+        "deserialization-shaped requests to the Session Recording service, unexpected processes spawned by it, and web shells under the service's web root (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-8069, CISA KEV (added 2025-08-25), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-54948": {
     "name": "Trend Micro Apex One OS Command Injection Vulnerability",
@@ -37062,7 +37161,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -37083,7 +37184,7 @@
     "cwe_refs": [
       "CWE-125"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420",
@@ -37112,11 +37213,21 @@
         "published_date": "2025-07-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-10; due date 2025-07-11. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420 ; https://nvd.nist.gov/vuln/detail/CVE-2025-5777",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler ADC and Gateway reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler ADC/Gateway consistent with an out-of-bounds read (CWE-125) on Citrix NetScaler ADC/Gateway (the CitrixBleed-2 class), disclosing memory containing authenticated session material that has been used in the wild for session hijack.",
+        "appliance responses that include leaked memory consistent with the CitrixBleed-2 disclosure shape, and authenticated session reuse from attacker infrastructure with no matching login event (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-5777, CISA KEV (added 2025-07-10), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2019-9621": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability",
@@ -37157,7 +37268,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -37179,7 +37291,7 @@
       "CWE-918",
       "CWE-807"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories",
@@ -37209,11 +37321,21 @@
         "published_date": "2025-07-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories ; https://wiki.zimbra.com/wiki/Security_Center ; https://nvd.nist.gov/vuln/detail/CVE-2019-9621",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a server-side request forgery flaw (CWE-918/CWE-807) on ZCS, letting an unauthenticated attacker coerce server-side requests (a known chain toward RCE on ZCS).",
+        "ZCS server making attacker-directed internal requests, often chained toward code execution — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2019-9621, CISA KEV (added 2025-07-07), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2019-5418": {
     "name": "Rails Ruby on Rails Path Traversal Vulnerability",
@@ -37814,7 +37936,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1499"
+      "T1499",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -37835,7 +37958,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788",
@@ -37865,11 +37988,21 @@
         "published_date": "2025-06-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-30; due date 2025-07-21. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 ; https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/ ;   http",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler ADC and Gateway reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler ADC/Gateway consistent with a buffer-overflow flaw (CWE-119) on Citrix NetScaler ADC/Gateway, exploitable for memory corruption (DoS and code execution).",
+        "appliance crashes consistent with memory corruption, unexpected processes on the NetScaler, and configuration anomalies (KEV-confirmed in-the-wild exploitation) (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-6543, CISA KEV (added 2025-06-30), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2019-6693": {
     "name": "Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability",
@@ -39955,7 +40088,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39976,7 +40110,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes",
@@ -40007,11 +40141,21 @@
         "published_date": "2025-05-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes ; https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P39#Security_Fixes ; https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.7#Sec",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.",
+    "iocs": {
+      "behavioral": [
+        "Synacor Zimbra Collaboration Suite (ZCS) reachable on the network at a version below the fixed release named in the Zimbra advisory.",
+        "Requests to ZCS consistent with a cross-site scripting flaw (CWE-79) on the ZCS web client, letting an attacker run script in a victim's authenticated session.",
+        "XSS payloads in ZCS calendar/email content and anomalous session activity — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-27443, CISA KEV (added 2025-05-19), and the Zimbra security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-27920": {
     "name": "Srimax Output Messenger Directory Traversal Vulnerability",