@blamejs/exceptd-skills 0.15.12 → 0.15.14

package/data/cve-catalog.json

@@ -9152,7 +9152,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -9173,7 +9173,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-009",
@@ -9202,11 +9202,21 @@
         "published_date": "2026-04-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-14; due date 2026-04-28. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-009 ; https://nvd.nist.gov/vuln/detail/CVE-2009-0238",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with a code-injection / memory-corruption flaw (CWE-94) in Microsoft Office document parsing on an affected endpoint.",
+        "Inbound delivery of weaponized Office content (a document, web page, or embedded font) followed by unexpected child-process execution from the Office process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2009-0238, CISA KEV (added 2026-04-14), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-32201": {
     "name": "Microsoft SharePoint Server Improper Input Validation Vulnerability",
@@ -10471,7 +10481,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -10492,7 +10504,7 @@
     "cwe_refs": [
       "CWE-125"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368",
@@ -10521,11 +10533,21 @@
         "published_date": "2026-03-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-30; due date 2026-04-02. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368 ; https://nvd.nist",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler consistent with an out-of-bounds read (CWE-125) on Citrix NetScaler, disclosing adjacent memory used to steal authenticated session material.",
+        "the appliance returning oversized/leaked-looking response bodies on specific endpoint requests, and use of valid-looking session tokens for which there is no corresponding legitimate login event (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-3055, CISA KEV (added 2026-03-30), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-53521": {
     "name": "F5 BIG-IP Stack-Based Buffer Overflow Vulnerability",
@@ -27165,7 +27187,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -27186,7 +27208,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-017",
@@ -27215,11 +27237,21 @@
         "published_date": "2026-01-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-07; due date 2026-01-28. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-017 ; https://nvd.nist.gov/vuln/detail/CVE-2009-0556",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office PowerPoint at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with a code-injection / memory-corruption flaw (CWE-94) in Microsoft Office PowerPoint document parsing on an affected endpoint.",
+        "Inbound delivery of weaponized PowerPoint content (a document, web page, or embedded font) followed by unexpected child-process execution from the PowerPoint process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2009-0556, CISA KEV (added 2026-01-07), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-37164": {
     "name": "Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability",
@@ -32056,7 +32088,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32077,7 +32109,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2458511?redirectedfrom=MSDN",
@@ -32106,11 +32138,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2458511?redirectedfrom=MSDN ; https://nvd.nist.gov/vuln/detail/CVE-2010-3962",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Internet Explorer at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with an uninitialized-memory / use-after-free corruption flaw (CWE-94) in Internet Explorer on an affected endpoint.",
+        "Inbound delivery of weaponized Internet Explorer content (a document, web page, or embedded font) followed by unexpected child-process execution from the Internet Explorer process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2010-3962, CISA KEV (added 2025-10-06), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-43226": {
     "name": "Microsoft Windows Privilege Escalation Vulnerability",
@@ -32247,7 +32289,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32268,7 +32310,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-090",
@@ -32297,11 +32339,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-090 ; https://nvd.nist.gov/vuln/detail/CVE-2013-3918",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows contains an out-of-bounds write vulnerability in the InformationCardSigninHelper Class ActiveX control, icardie.dll. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows contains an out-of-bounds write vulnerability in the InformationCardSigninHelper Class ActiveX control, icardie.dll. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with an out-of-bounds write / memory-corruption flaw (CWE-94) in a Microsoft Windows component reachable from Internet Explorer (the InformationCardSigninHelper ActiveX control) on an affected endpoint.",
+        "Inbound delivery of weaponized Windows InformationCardSigninHelper / ActiveX content (a document, web page, or embedded font) followed by unexpected child-process execution from the Windows InformationCardSigninHelper / ActiveX process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2013-3918, CISA KEV (added 2025-10-06), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2011-3402": {
     "name": "Microsoft Windows Remote Code Execution Vulnerability",
@@ -32343,7 +32395,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32364,7 +32416,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-087",
@@ -32393,11 +32445,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-087 ; https://nvd.nist.gov/vuln/detail/CVE-2011-3402",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with a memory-corruption flaw (CWE-94) in the Windows TrueType font parsing kernel component on an affected endpoint.",
+        "Inbound delivery of weaponized Windows TrueType font parser content (a document, web page, or embedded font) followed by unexpected child-process execution from the Windows TrueType font parser process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2011-3402, CISA KEV (added 2025-10-06), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2010-3765": {
     "name": "Mozilla Multiple Products Remote Code Execution Vulnerability",
@@ -34622,7 +34684,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938",
@@ -34651,11 +34713,21 @@
         "published_date": "2025-08-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-26; due date 2025-08-28. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938 ; https://nvd.nist.gov/vuln/detail/CVE-2025-7775",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler consistent with a memory-overflow buffer flaw (CWE-119) on Citrix NetScaler, exploitable by an unauthenticated attacker for remote code execution.",
+        "appliance crashes consistent with memory corruption, unexpected processes on the NetScaler, and unexplained configuration changes (KEV-confirmed in-the-wild exploitation) (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-7775, CISA KEV (added 2025-08-26), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48384": {
     "name": "Git Link Following Vulnerability",
@@ -34797,7 +34869,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1068"
+      "T1068",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34818,7 +34891,7 @@
     "cwe_refs": [
       "CWE-269"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html",
@@ -34847,11 +34920,21 @@
         "published_date": "2025-08-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-25; due date 2025-09-15. Notes reference: https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-8068",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain.",
+    "iocs": {
+      "behavioral": [
+        "Citrix Session Recording reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the Session Recording consistent with an improper privilege-management flaw (CWE-269) on Citrix Session Recording, escalating an authenticated user's privileges on the recording server.",
+        "previously-low-privileged Session Recording users performing administrative actions or accessing recordings they shouldn't, with no corresponding role change (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-8068, CISA KEV (added 2025-08-25), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-8069": {
     "name": "Citrix Session Recording Deserialization of Untrusted Data Vulnerability",
@@ -34893,7 +34976,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34914,7 +34998,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html",
@@ -34943,11 +35027,21 @@
         "published_date": "2025-08-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-25; due date 2025-09-15. Notes reference: https://support.citrix.com/external/article/691941/citrix-session-recording-security-bullet.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-8069",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server.",
+    "iocs": {
+      "behavioral": [
+        "Citrix Session Recording reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the Session Recording consistent with a deserialization-of-untrusted-data flaw (CWE-502) on Citrix Session Recording, enabling remote code execution on the recording server.",
+        "deserialization-shaped requests to the Session Recording service, unexpected processes spawned by it, and web shells under the service's web root (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-8069, CISA KEV (added 2025-08-25), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-54948": {
     "name": "Trend Micro Apex One OS Command Injection Vulnerability",
@@ -35372,7 +35466,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35393,7 +35487,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-015",
@@ -35422,11 +35516,21 @@
         "published_date": "2025-08-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-12; due date 2025-09-02. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-015 ; https://nvd.nist.gov/vuln/detail/CVE-2007-0671",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This malicious file could be delivered as an email attachment or hosted on a malicious website. An attacker could leverage this vulnerability by creating a specially crafted Excel file, which, when opened, allowing an attacker to execute remote code on the affected system."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This malicious file could be delivered as an email attachment or hosted on a malicious website. An attacker could leverage this vulnerability by creating a specially crafted Excel file, which, when opened, allowing an attacker to execute remote code on the affected system.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office Excel at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with a code-injection / memory-corruption flaw (CWE-94) in Microsoft Office Excel document parsing on an affected endpoint.",
+        "Inbound delivery of weaponized Excel content (a document, web page, or embedded font) followed by unexpected child-process execution from the Excel process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2007-0671, CISA KEV (added 2025-08-12), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2013-3893": {
     "name": "Microsoft Internet Explorer Resource Management Errors Vulnerability",
@@ -37117,7 +37221,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -37138,7 +37244,7 @@
     "cwe_refs": [
       "CWE-125"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420",
@@ -37167,11 +37273,21 @@
         "published_date": "2025-07-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-10; due date 2025-07-11. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420 ; https://nvd.nist.gov/vuln/detail/CVE-2025-5777",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler ADC and Gateway reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler ADC/Gateway consistent with an out-of-bounds read (CWE-125) on Citrix NetScaler ADC/Gateway (the CitrixBleed-2 class), disclosing memory containing authenticated session material that has been used in the wild for session hijack.",
+        "appliance responses that include leaked memory consistent with the CitrixBleed-2 disclosure shape, and authenticated session reuse from attacker infrastructure with no matching login event (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-5777, CISA KEV (added 2025-07-10), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2019-9621": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability",
@@ -37880,7 +37996,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1499"
+      "T1499",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -37901,7 +38018,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788",
@@ -37931,11 +38048,21 @@
         "published_date": "2025-06-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-30; due date 2025-07-21. Notes reference: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 ; https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/ ;   http",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.",
+    "iocs": {
+      "behavioral": [
+        "Citrix NetScaler ADC and Gateway reachable on the network at a build below the fixed version named in the Citrix advisory.",
+        "Requests to the NetScaler ADC/Gateway consistent with a buffer-overflow flaw (CWE-119) on Citrix NetScaler ADC/Gateway, exploitable for memory corruption (DoS and code execution).",
+        "appliance crashes consistent with memory corruption, unexpected processes on the NetScaler, and configuration anomalies (KEV-confirmed in-the-wild exploitation) (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-6543, CISA KEV (added 2025-06-30), and the Citrix security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2019-6693": {
     "name": "Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability",