@blamejs/exceptd-skills 0.15.12 → 0.15.13

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.13 — 2026-05-29
+
+Draft-curation pass 11 — Citrix. Six CISA KEV-listed Citrix CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: four NetScaler ADC/Gateway appliance flaws (CVE-2026-3055 and CVE-2025-5777 — the CitrixBleed-class out-of-bounds reads that disclose authenticated session material; CVE-2025-7775 and CVE-2025-6543 memory-corruption buffer flaws) and two Session Recording flaws (CVE-2024-8069 deserialization RCE and CVE-2024-8068 privilege escalation). The CitrixBleed entries map T1552 alongside T1190 to surface session-token theft, and the lessons stress session termination + secret rotation (memory-disclosure class) and appliance rebuild (RCE class) as required steps beyond the patch.
+
 ## 0.15.12 — 2026-05-29
 
 Draft-curation pass 10 — Zimbra mail server. Seven CISA KEV-listed Synacor Zimbra Collaboration Suite (ZCS) CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the cross-site scripting cluster (CVE-2025-48700, CVE-2025-66376, CVE-2025-27915, CVE-2024-27443), the server-side request forgery pair (CVE-2020-7796, CVE-2019-9621), and the PHP remote-file-inclusion RCE (CVE-2025-68645). The lessons note ZCS is a recurring mass-exploited mail-server target where web-shell hunting and session-secret rotation are needed beyond the patch.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T20:13:44.758Z",
+  "generated_at": "2026-05-29T20:35:07.738Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "3bacb8aa107312617e0a571f7120ca76409f003a0ad1f48841aa5963e0d31e71",
+    "manifest.json": "8fe3f27879a535ce7242433d0a93dc71146f6a9f7fddc1fd9869c9f8270e1ea6",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "5c5f431f4764af9d1e3fa4fbc927df282d794c4ceef89ce65bb406dfac087e5d",
-    "data/cve-catalog.json": "a984c5200d64409419733ac577525b76308d0ed221142482f11defa0dd175a97",
+    "data/attack-techniques.json": "d139db4dc4cb4ec2be0ba517bbfa541215053aa6fa3aa1544dd061711d1acd8e",
+    "data/cve-catalog.json": "b24fe940b9752fd8ec37ec03954b0b99c8de523b1a5b6a7b79e2f55e3327baea",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "a06da4f17287974cf234a78a327ab6935cf71b65f61690773e50f2e499c3a4a1",
+    "data/zeroday-lessons.json": "a127b709dee1473f21804a85150aabfe1072e95443292d853b1fc6de554b4825",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -298,6 +298,7 @@
       "CVE-2024-4889",
       "CVE-2024-50050",
       "CVE-2024-5565",
+      "CVE-2024-8069",
       "CVE-2025-10164",
       "CVE-2025-1094",
       "CVE-2025-11837",
@@ -965,6 +966,7 @@
       "CVE-2024-57726",
       "CVE-2024-6587",
       "CVE-2024-7694",
+      "CVE-2024-8068",
       "CVE-2024-8069",
       "CVE-2025-0282",
       "CVE-2025-10035",
@@ -1053,6 +1055,7 @@
       "CVE-2025-55177",
       "CVE-2025-55182",
       "CVE-2025-56520",
+      "CVE-2025-5777",
       "CVE-2025-57819",
       "CVE-2025-58034",
       "CVE-2025-58360",
@@ -1073,6 +1076,7 @@
       "CVE-2025-64446",
       "CVE-2025-64496",
       "CVE-2025-64513",
+      "CVE-2025-6543",
       "CVE-2025-6554",
       "CVE-2025-6558",
       "CVE-2025-66376",
@@ -1130,6 +1134,7 @@
       "CVE-2026-25108",
       "CVE-2026-26015",
       "CVE-2026-26190",
+      "CVE-2026-3055",
       "CVE-2026-3059",
       "CVE-2026-3060",
       "CVE-2026-30616",
@@ -1656,10 +1661,12 @@
       "CVE-2024-12450",
       "CVE-2025-30066",
       "CVE-2025-30154",
+      "CVE-2025-5777",
       "CVE-2025-68664",
       "CVE-2025-68665",
       "CVE-2026-20128",
       "CVE-2026-22219",
+      "CVE-2026-3055",
       "CVE-2026-48027",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
       "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER"

package/data/cve-catalog.json

@@ -10471,7 +10471,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -10492,7 +10494,7 @@
     "cwe_refs": [
       "CWE-125"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368",
@@ -10521,11 +10523,21 @@
         "published_date": "2026-03-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-30; due date 2026-04-02. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368 ; https://nvd.nist",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler consistent with an out-of-bounds read (CWE-125) on Citrix NetScaler, disclosing adjacent memory used to steal authenticated session material.",
+        "the appliance returning oversized/leaked-looking response bodies on specific endpoint requests, and use of valid-looking session tokens for which there is no corresponding legitimate login event (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-3055, CISA KEV (added 2026-03-30), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-53521": {
     "name": "F5 BIG-IP Stack-Based Buffer Overflow Vulnerability",
@@ -34622,7 +34634,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938",
@@ -34651,11 +34663,21 @@
         "published_date": "2025-08-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-26; due date 2025-08-28. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938 ; https://nvd.nist.gov/vuln/detail/CVE-2025-7775",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler consistent with a memory-overflow buffer flaw (CWE-119) on Citrix NetScaler, exploitable by an unauthenticated attacker for remote code execution.",
+        "appliance crashes consistent with memory corruption, unexpected processes on the NetScaler, and unexplained configuration changes (KEV-confirmed in-the-wild exploitation) (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-7775, CISA KEV (added 2025-08-26), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48384": {
     "name": "Git Link Following Vulnerability",
@@ -34797,7 +34819,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1068"
+      "T1068",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34818,7 +34841,7 @@
     "cwe_refs": [
       "CWE-269"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html",
@@ -34847,11 +34870,21 @@
         "published_date": "2025-08-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-25; due date 2025-09-15. Notes reference: https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-8068",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain.",
+    "iocs": {
+      "behavioral": [
+        "Citrix Session Recording reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the Session Recording consistent with an improper privilege-management flaw (CWE-269) on Citrix Session Recording, escalating an authenticated user's privileges on the recording server.",
+        "previously-low-privileged Session Recording users performing administrative actions or accessing recordings they shouldn't, with no corresponding role change (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-8068, CISA KEV (added 2025-08-25), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-8069": {
     "name": "Citrix Session Recording Deserialization of Untrusted Data Vulnerability",
@@ -34893,7 +34926,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34914,7 +34948,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html",
@@ -34943,11 +34977,21 @@
         "published_date": "2025-08-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-25; due date 2025-09-15. Notes reference: https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-8069",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server.",
+    "iocs": {
+      "behavioral": [
+        "Citrix Session Recording reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the Session Recording consistent with a deserialization-of-untrusted-data flaw (CWE-502) on Citrix Session Recording, enabling remote code execution on the recording server.",
+        "deserialization-shaped requests to the Session Recording service, unexpected processes spawned by it, and web shells under the service's web root (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-8069, CISA KEV (added 2025-08-25), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-54948": {
     "name": "Trend Micro Apex One OS Command Injection Vulnerability",
@@ -37117,7 +37161,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -37138,7 +37184,7 @@
     "cwe_refs": [
       "CWE-125"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420",
@@ -37167,11 +37213,21 @@
         "published_date": "2025-07-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-10; due date 2025-07-11. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420 ; https://nvd.nist.gov/vuln/detail/CVE-2025-5777",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler ADC and Gateway reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler ADC/Gateway consistent with an out-of-bounds read (CWE-125) on Citrix NetScaler ADC/Gateway (the CitrixBleed-2 class), disclosing memory containing authenticated session material that has been used in the wild for session hijack.",
+        "appliance responses that include leaked memory consistent with the CitrixBleed-2 disclosure shape, and authenticated session reuse from attacker infrastructure with no matching login event (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-5777, CISA KEV (added 2025-07-10), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2019-9621": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability",
@@ -37880,7 +37936,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1499"
+      "T1499",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -37901,7 +37958,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788",
@@ -37931,11 +37988,21 @@
         "published_date": "2025-06-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-30; due date 2025-07-21. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 ; https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/ ;   http",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler ADC and Gateway reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler ADC/Gateway consistent with a buffer-overflow flaw (CWE-119) on Citrix NetScaler ADC/Gateway, exploitable for memory corruption (DoS and code execution).",
+        "appliance crashes consistent with memory corruption, unexpected processes on the NetScaler, and configuration anomalies (KEV-confirmed in-the-wild exploitation) (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-6543, CISA KEV (added 2025-06-30), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2019-6693": {
     "name": "Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability",