@blamejs/exceptd-skills 0.15.13 → 0.15.15

@@ -7487,35 +7487,58 @@
7487
7487
  },
7488
7488
  "CVE-2009-0238": {
7489
7489
  "name": "Microsoft Office Remote Code Execution",
7490
- "lesson_date": "2026-05-18",
7490
+ "lesson_date": "2026-05-29",
7491
7491
  "attack_vector": {
7492
- "description": "Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.",
7493
- "privileges_required": "network attacker (no authentication required)",
7494
- "complexity": "moderate (bulk-import default)",
7495
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
7492
+ "description": "a code-injection / memory-corruption flaw (CWE-94) in Microsoft Office document parsing, exploitable by an attacker-controlled document for code execution in the Office process. CISA KEV-listed 2026-04-14 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched estates remain exposed.",
7493
+ "privileges_required": "none (the victim opens the attacker's document or visits the attacker's content)",
7494
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
7495
+ "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
7496
+ },
7497
+ "defense_chain": {
7498
+ "prevention": {
7499
+ "what_would_have_worked": "Apply the Microsoft security update for Microsoft Office; enforce centralized patch management on the long tail; harden Office (Protected View, ASR rules) and disable legacy ActiveX/IE components where unused.",
7500
+ "was_this_required": true,
7501
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
7502
+ "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail is the failure mode."
7503
+ },
7504
+ "detection": {
7505
+ "what_would_have_worked": "EDR signatures for child-process execution from Office after attacker-content open, document-exploit telemetry, and inbound-content filtering (mail/web).",
7506
+ "was_this_required": false,
7507
+ "framework_requiring_it": null,
7508
+ "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or legacy estates that cannot be patched promptly."
7509
+ },
7510
+ "response": {
7511
+ "what_would_have_worked": "Force the patch across the estate, isolate exploited endpoints, hunt for follow-on payloads (document-exploit chains often drop loaders), and review for credential theft.",
7512
+ "was_this_required": true,
7513
+ "framework_requiring_it": "NIST 800-53 IR-4",
7514
+ "adequacy": "Mandatory; document/browser RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
7515
+ }
7496
7516
  },
7497
7517
  "framework_coverage": {
7498
7518
  "NIST-800-53-SI-2": {
7499
7519
  "covered": true,
7500
7520
  "adequate": false,
7501
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
7521
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side document/browser RCE; legacy KEV re-listings document organizations still running unpatched builds."
7502
7522
  },
7503
7523
  "ISO-27001-2022-A.8.8": {
7504
7524
  "covered": true,
7505
7525
  "adequate": false,
7506
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7526
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy KEV re-listing exists because organizations still run vulnerable Office/IE/Windows builds."
7527
+ },
7528
+ "AU-ISM-1546": {
7529
+ "covered": true,
7530
+ "adequate": false,
7531
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show that long-tail unpatched estates persist; centralized update management and Office hardening are the load-bearing controls."
7507
7532
  }
7508
7533
  },
7509
7534
  "compliance_exposure_score": {
7510
7535
  "percent_audit_passing_orgs_still_exposed": 55,
7511
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
7536
+ "basis": "Microsoft Office is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (older Windows, Office, IE) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
7512
7537
  "theater_pattern": "patch_management"
7513
7538
  },
7514
7539
  "ai_discovered_zeroday": false,
7515
- "ai_discovery_source": "unknown",
7516
- "ai_assist_factor": "none",
7517
- "_auto_imported": true,
7518
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
7540
+ "ai_discovery_source": "vendor_research",
7541
+ "ai_assist_factor": "none"
7519
7542
  },
7520
7543
  "CVE-2026-32201": {
7521
7544
  "name": "Microsoft SharePoint Server Improper Input Validation Vulnerability",
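Review bot: The rewritten `description` for CVE-2009-0238 drops the affected component that the replaced KEV text carried ("Microsoft Office Excel" and the malformed-object trigger) in favour of templated wording, and the later hunks do the same for CVE-2023-36424 ("Common Log File System Driver"), CVE-2026-20805 ("Desktop Windows Manager") and CVE-2025-24990 ("Agere Modem Driver"); the component name is the most actionable field for a defender deciding what to patch and where to hunt, so it should survive the enrichment, e.g. `"description": "a code-injection / memory-corruption flaw (CWE-94) in Microsoft Office Excel document parsing, exploitable by an attacker-controlled document ..."`. The same hunks delete `_auto_imported` and `_intake_method` while setting `ai_discovery_source` to `vendor_research` with text that is identical across every entry, so a consumer can no longer tell a researched field from a templated default; retaining a provenance marker such as `"_intake_method": "<constructed: enrichment pass id>"` keeps that distinction. The KEV listing dates and CWE identifiers now embedded in the prose are presumably copied from the KEV record; if they were not, they should be, since they are the only sourced facts left in the string.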
@@ -7611,35 +7634,58 @@
7611
7634
  },
7612
7635
  "CVE-2025-60710": {
7613
7636
  "name": "Microsoft Windows Link Following Vulnerability",
7614
- "lesson_date": "2026-05-18",
7637
+ "lesson_date": "2026-05-29",
7615
7638
  "attack_vector": {
7616
- "description": "Microsoft Windows contains a link following vulnerability that allows for privilege escalation",
7617
- "privileges_required": "unprivileged local user",
7618
- "complexity": "moderate (bulk-import default)",
7619
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
7639
+ "description": "a link-following / symlink-handling flaw (CWE-59) in a Windows component, exploited by a local foothold to redirect a privileged operation and gain SYSTEM. CISA KEV-listed 2026-04-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
7640
+ "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
7641
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
7642
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
7643
+ },
7644
+ "defense_chain": {
7645
+ "prevention": {
7646
+ "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
7647
+ "was_this_required": true,
7648
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
7649
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
7650
+ },
7651
+ "detection": {
7652
+ "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
7653
+ "was_this_required": false,
7654
+ "framework_requiring_it": null,
7655
+ "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
7656
+ },
7657
+ "response": {
7658
+ "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
7659
+ "was_this_required": true,
7660
+ "framework_requiring_it": "NIST 800-53 IR-4",
7661
+ "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
7662
+ }
7620
7663
  },
7621
7664
  "framework_coverage": {
7622
7665
  "NIST-800-53-SI-2": {
7623
7666
  "covered": true,
7624
7667
  "adequate": false,
7625
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
7668
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
7626
7669
  },
7627
7670
  "ISO-27001-2022-A.8.8": {
7628
7671
  "covered": true,
7629
7672
  "adequate": false,
7630
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7673
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
7674
+ },
7675
+ "AU-ISM-1546": {
7676
+ "covered": true,
7677
+ "adequate": false,
7678
+ "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
7631
7679
  }
7632
7680
  },
7633
7681
  "compliance_exposure_score": {
7634
- "percent_audit_passing_orgs_still_exposed": 55,
7635
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
7682
+ "percent_audit_passing_orgs_still_exposed": 70,
7683
+ "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
7636
7684
  "theater_pattern": "patch_management"
7637
7685
  },
7638
7686
  "ai_discovered_zeroday": false,
7639
- "ai_discovery_source": "unknown",
7640
- "ai_assist_factor": "none",
7641
- "_auto_imported": true,
7642
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
7687
+ "ai_discovery_source": "vendor_research",
7688
+ "ai_assist_factor": "none"
7643
7689
  },
7644
7690
  "CVE-2023-21529": {
7645
7691
  "name": "Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability",
@@ -7703,35 +7749,58 @@
7703
7749
  },
7704
7750
  "CVE-2023-36424": {
7705
7751
  "name": "Microsoft Windows Out-of-Bounds Read Vulnerability",
7706
- "lesson_date": "2026-05-18",
7752
+ "lesson_date": "2026-05-29",
7707
7753
  "attack_vector": {
7708
- "description": "Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation",
7709
- "privileges_required": "network attacker (no authentication required)",
7710
- "complexity": "moderate (bulk-import default)",
7711
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
7754
+ "description": "an out-of-bounds read (CWE-125) in a Windows kernel/driver component, used as an information-disclosure primitive in a privilege-escalation chain. CISA KEV-listed 2026-04-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
7755
+ "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
7756
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
7757
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
7758
+ },
7759
+ "defense_chain": {
7760
+ "prevention": {
7761
+ "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
7762
+ "was_this_required": true,
7763
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
7764
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
7765
+ },
7766
+ "detection": {
7767
+ "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
7768
+ "was_this_required": false,
7769
+ "framework_requiring_it": null,
7770
+ "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
7771
+ },
7772
+ "response": {
7773
+ "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
7774
+ "was_this_required": true,
7775
+ "framework_requiring_it": "NIST 800-53 IR-4",
7776
+ "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
7777
+ }
7712
7778
  },
7713
7779
  "framework_coverage": {
7714
7780
  "NIST-800-53-SI-2": {
7715
7781
  "covered": true,
7716
7782
  "adequate": false,
7717
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
7783
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
7718
7784
  },
7719
7785
  "ISO-27001-2022-A.8.8": {
7720
7786
  "covered": true,
7721
7787
  "adequate": false,
7722
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7788
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
7789
+ },
7790
+ "AU-ISM-1546": {
7791
+ "covered": true,
7792
+ "adequate": false,
7793
+ "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
7723
7794
  }
7724
7795
  },
7725
7796
  "compliance_exposure_score": {
7726
- "percent_audit_passing_orgs_still_exposed": 55,
7727
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
7797
+ "percent_audit_passing_orgs_still_exposed": 70,
7798
+ "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
7728
7799
  "theater_pattern": "patch_management"
7729
7800
  },
7730
7801
  "ai_discovered_zeroday": false,
7731
- "ai_discovery_source": "unknown",
7732
- "ai_assist_factor": "none",
7733
- "_auto_imported": true,
7734
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
7802
+ "ai_discovery_source": "vendor_research",
7803
+ "ai_assist_factor": "none"
7735
7804
  },
7736
7805
  "CVE-2020-9715": {
7737
7806
  "name": "Adobe Acrobat Use-After-Free Vulnerability",
@@ -13520,35 +13589,58 @@
13520
13589
  },
13521
13590
  "CVE-2026-20805": {
13522
13591
  "name": "Microsoft Windows Information Disclosure Vulnerability",
13523
- "lesson_date": "2026-05-18",
13592
+ "lesson_date": "2026-05-29",
13524
13593
  "attack_vector": {
13525
- "description": "Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.",
13526
- "privileges_required": "network attacker (no authentication required)",
13527
- "complexity": "moderate (bulk-import default)",
13528
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
13594
+ "description": "an information-disclosure flaw (CWE-200) in a Windows component, used as a primitive in a privilege-escalation chain (kernel-address leaks defeat KASLR for follow-on exploits). CISA KEV-listed 2026-01-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
13595
+ "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
13596
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
13597
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
13598
+ },
13599
+ "defense_chain": {
13600
+ "prevention": {
13601
+ "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
13602
+ "was_this_required": true,
13603
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
13604
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
13605
+ },
13606
+ "detection": {
13607
+ "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
13608
+ "was_this_required": false,
13609
+ "framework_requiring_it": null,
13610
+ "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
13611
+ },
13612
+ "response": {
13613
+ "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
13614
+ "was_this_required": true,
13615
+ "framework_requiring_it": "NIST 800-53 IR-4",
13616
+ "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
13617
+ }
13529
13618
  },
13530
13619
  "framework_coverage": {
13531
13620
  "NIST-800-53-SI-2": {
13532
13621
  "covered": true,
13533
13622
  "adequate": false,
13534
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
13623
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
13535
13624
  },
13536
13625
  "ISO-27001-2022-A.8.8": {
13537
13626
  "covered": true,
13538
13627
  "adequate": false,
13539
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13628
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
13629
+ },
13630
+ "AU-ISM-1546": {
13631
+ "covered": true,
13632
+ "adequate": false,
13633
+ "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
13540
13634
  }
13541
13635
  },
13542
13636
  "compliance_exposure_score": {
13543
- "percent_audit_passing_orgs_still_exposed": 55,
13544
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
13637
+ "percent_audit_passing_orgs_still_exposed": 70,
13638
+ "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
13545
13639
  "theater_pattern": "patch_management"
13546
13640
  },
13547
13641
  "ai_discovered_zeroday": false,
13548
- "ai_discovery_source": "unknown",
13549
- "ai_assist_factor": "none",
13550
- "_auto_imported": true,
13551
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
13642
+ "ai_discovery_source": "vendor_research",
13643
+ "ai_assist_factor": "none"
13552
13644
  },
13553
13645
  "CVE-2025-8110": {
13554
13646
  "name": "Gogs Path Traversal Vulnerability",
@@ -13584,35 +13676,58 @@
13584
13676
  },
13585
13677
  "CVE-2009-0556": {
13586
13678
  "name": "Microsoft Office PowerPoint Code Injection Vulnerability",
13587
- "lesson_date": "2026-05-18",
13679
+ "lesson_date": "2026-05-29",
13588
13680
  "attack_vector": {
13589
- "description": "Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption.",
13590
- "privileges_required": "network attacker (no authentication required)",
13591
- "complexity": "moderate (bulk-import default)",
13592
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
13681
+ "description": "a code-injection / memory-corruption flaw (CWE-94) in Microsoft Office PowerPoint document parsing, exploitable by an attacker-controlled presentation for code execution in the PowerPoint process. CISA KEV-listed 2026-01-07 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched estates remain exposed.",
13682
+ "privileges_required": "none (the victim opens the attacker's document or visits the attacker's content)",
13683
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
13684
+ "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
13685
+ },
13686
+ "defense_chain": {
13687
+ "prevention": {
13688
+ "what_would_have_worked": "Apply the Microsoft security update for Microsoft Office PowerPoint; enforce centralized patch management on the long tail; harden Office (Protected View, ASR rules) and disable legacy ActiveX/IE components where unused.",
13689
+ "was_this_required": true,
13690
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
13691
+ "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail is the failure mode."
13692
+ },
13693
+ "detection": {
13694
+ "what_would_have_worked": "EDR signatures for child-process execution from PowerPoint after attacker-content open, document-exploit telemetry, and inbound-content filtering (mail/web).",
13695
+ "was_this_required": false,
13696
+ "framework_requiring_it": null,
13697
+ "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or legacy estates that cannot be patched promptly."
13698
+ },
13699
+ "response": {
13700
+ "what_would_have_worked": "Force the patch across the estate, isolate exploited endpoints, hunt for follow-on payloads (document-exploit chains often drop loaders), and review for credential theft.",
13701
+ "was_this_required": true,
13702
+ "framework_requiring_it": "NIST 800-53 IR-4",
13703
+ "adequacy": "Mandatory; document/browser RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
13704
+ }
13593
13705
  },
13594
13706
  "framework_coverage": {
13595
13707
  "NIST-800-53-SI-2": {
13596
13708
  "covered": true,
13597
13709
  "adequate": false,
13598
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
13710
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side document/browser RCE; legacy KEV re-listings document organizations still running unpatched builds."
13599
13711
  },
13600
13712
  "ISO-27001-2022-A.8.8": {
13601
13713
  "covered": true,
13602
13714
  "adequate": false,
13603
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13715
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy KEV re-listing exists because organizations still run vulnerable Office/IE/Windows builds."
13716
+ },
13717
+ "AU-ISM-1546": {
13718
+ "covered": true,
13719
+ "adequate": false,
13720
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show that long-tail unpatched estates persist; centralized update management and Office hardening are the load-bearing controls."
13604
13721
  }
13605
13722
  },
13606
13723
  "compliance_exposure_score": {
13607
13724
  "percent_audit_passing_orgs_still_exposed": 55,
13608
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
13725
+ "basis": "Microsoft Office PowerPoint is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (older Windows, Office, IE) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
13609
13726
  "theater_pattern": "patch_management"
13610
13727
  },
13611
13728
  "ai_discovered_zeroday": false,
13612
- "ai_discovery_source": "unknown",
13613
- "ai_assist_factor": "none",
13614
- "_auto_imported": true,
13615
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
13729
+ "ai_discovery_source": "vendor_research",
13730
+ "ai_assist_factor": "none"
13616
13731
  },
13617
13732
  "CVE-2025-37164": {
13618
13733
  "name": "Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability",
@@ -14524,35 +14639,58 @@
14524
14639
  },
14525
14640
  "CVE-2025-62215": {
14526
14641
  "name": "Microsoft Windows Race Condition Vulnerability",
14527
- "lesson_date": "2026-05-18",
14642
+ "lesson_date": "2026-05-29",
14528
14643
  "attack_vector": {
14529
- "description": "Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access.",
14530
- "privileges_required": "unprivileged local user",
14531
- "complexity": "moderate (bulk-import default)",
14532
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
14644
+ "description": "a race condition (CWE-362) in a Windows kernel-mode component, exploited by a local foothold to escalate privileges to SYSTEM. CISA KEV-listed 2025-11-12 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
14645
+ "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
14646
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
14647
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
14648
+ },
14649
+ "defense_chain": {
14650
+ "prevention": {
14651
+ "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
14652
+ "was_this_required": true,
14653
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
14654
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
14655
+ },
14656
+ "detection": {
14657
+ "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
14658
+ "was_this_required": false,
14659
+ "framework_requiring_it": null,
14660
+ "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
14661
+ },
14662
+ "response": {
14663
+ "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
14664
+ "was_this_required": true,
14665
+ "framework_requiring_it": "NIST 800-53 IR-4",
14666
+ "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
14667
+ }
14533
14668
  },
14534
14669
  "framework_coverage": {
14535
14670
  "NIST-800-53-SI-2": {
14536
14671
  "covered": true,
14537
14672
  "adequate": false,
14538
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
14673
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
14539
14674
  },
14540
14675
  "ISO-27001-2022-A.8.8": {
14541
14676
  "covered": true,
14542
14677
  "adequate": false,
14543
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14678
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
14679
+ },
14680
+ "AU-ISM-1546": {
14681
+ "covered": true,
14682
+ "adequate": false,
14683
+ "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
14544
14684
  }
14545
14685
  },
14546
14686
  "compliance_exposure_score": {
14547
- "percent_audit_passing_orgs_still_exposed": 55,
14548
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
14687
+ "percent_audit_passing_orgs_still_exposed": 70,
14688
+ "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
14549
14689
  "theater_pattern": "patch_management"
14550
14690
  },
14551
14691
  "ai_discovered_zeroday": false,
14552
- "ai_discovery_source": "unknown",
14553
- "ai_assist_factor": "none",
14554
- "_auto_imported": true,
14555
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
14692
+ "ai_discovery_source": "vendor_research",
14693
+ "ai_assist_factor": "none"
14556
14694
  },
14557
14695
  "CVE-2025-9242": {
14558
14696
  "name": "WatchGuard Firebox Out-of-Bounds Write Vulnerability",
@@ -15183,35 +15321,58 @@
15183
15321
  },
15184
15322
  "CVE-2025-24990": {
15185
15323
  "name": "Microsoft Windows Untrusted Pointer Dereference Vulnerability",
15186
- "lesson_date": "2026-05-18",
15324
+ "lesson_date": "2026-05-29",
15187
15325
  "attack_vector": {
15188
- "description": "Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges.",
15189
- "privileges_required": "unprivileged local user",
15190
- "complexity": "moderate (bulk-import default)",
15191
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
15326
+ "description": "an untrusted-pointer-dereference flaw (CWE-822) in a Windows kernel-mode component, exploited by a local foothold to gain kernel privilege. CISA KEV-listed 2025-10-14 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
15327
+ "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
15328
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
15329
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
15330
+ },
15331
+ "defense_chain": {
15332
+ "prevention": {
15333
+ "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
15334
+ "was_this_required": true,
15335
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
15336
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
15337
+ },
15338
+ "detection": {
15339
+ "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
15340
+ "was_this_required": false,
15341
+ "framework_requiring_it": null,
15342
+ "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
15343
+ },
15344
+ "response": {
15345
+ "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
15346
+ "was_this_required": true,
15347
+ "framework_requiring_it": "NIST 800-53 IR-4",
15348
+ "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
15349
+ }
15192
15350
  },
15193
15351
  "framework_coverage": {
15194
15352
  "NIST-800-53-SI-2": {
15195
15353
  "covered": true,
15196
15354
  "adequate": false,
15197
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
15355
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
15198
15356
  },
15199
15357
  "ISO-27001-2022-A.8.8": {
15200
15358
  "covered": true,
15201
15359
  "adequate": false,
15202
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15360
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
15361
+ },
15362
+ "AU-ISM-1546": {
15363
+ "covered": true,
15364
+ "adequate": false,
15365
+ "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
15203
15366
  }
15204
15367
  },
15205
15368
  "compliance_exposure_score": {
15206
- "percent_audit_passing_orgs_still_exposed": 55,
15207
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
15369
+ "percent_audit_passing_orgs_still_exposed": 70,
15370
+ "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
15208
15371
  "theater_pattern": "patch_management"
15209
15372
  },
15210
15373
  "ai_discovered_zeroday": false,
15211
- "ai_discovery_source": "unknown",
15212
- "ai_assist_factor": "none",
15213
- "_auto_imported": true,
15214
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
15374
+ "ai_discovery_source": "vendor_research",
15375
+ "ai_assist_factor": "none"
15215
15376
  },
15216
15377
  "CVE-2025-59230": {
15217
15378
  "name": "Microsoft Windows Improper Access Control Vulnerability",
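Review bot: The rewritten `description` on new line 15326 drops the affected component that removed line 15188 named (the Agere Modem Driver) in favour of "a Windows kernel-mode component", so a defender can no longer inventory or hunt for the driver from this record; keep the name, e.g. `"description": "an untrusted-pointer-dereference flaw (CWE-822) in the Windows Agere Modem Driver (kernel-mode), exploited by a local foothold to gain kernel privilege. ..."`. The prevention text on new line 15333 leans on the Microsoft Vulnerable Driver Blocklist, which as far as I know targets known-vulnerable third-party drivers and would not cover an in-box Microsoft-shipped driver like this one, so either state what the update does to the driver or drop the blocklist claim for this entry. The hunk also deletes `_auto_imported` and `_intake_method` and sets `ai_discovery_source` to `"vendor_research"` while the new prose is visibly templated (the same sentences reappear verbatim under CVE-2021-43226 further down), so the value is asserted without a source and consumers lose the only flag that distinguished bulk-imported from curated entries. The KEV date `2025-10-14` and the "paired by ransomware operators" claim carry no reference; point them at the KEV `dateAdded` field or mark them as inferred.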
@@ -15403,131 +15564,223 @@
15403
15564
  },
15404
15565
  "CVE-2010-3962": {
15405
15566
  "name": "Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability",
15406
- "lesson_date": "2026-05-18",
15567
+ "lesson_date": "2026-05-29",
15407
15568
  "attack_vector": {
15408
- "description": "Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
15409
- "privileges_required": "network attacker (no authentication required)",
15410
- "complexity": "moderate (bulk-import default)",
15411
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
15569
+ "description": "an uninitialized-memory / use-after-free corruption flaw (CWE-94) in Internet Explorer, exploitable by an attacker-controlled web page for code execution in the browser (a landmark IE zero-day weaponized in the Operation Aurora era). CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched estates remain exposed.",
15570
+ "privileges_required": "none (the victim opens the attacker's document or visits the attacker's content)",
15571
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
15572
+ "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
15573
+ },
15574
+ "defense_chain": {
15575
+ "prevention": {
15576
+ "what_would_have_worked": "Apply the Microsoft security update for Microsoft Internet Explorer; enforce centralized patch management on the long tail; harden Office (Protected View, ASR rules) and disable legacy ActiveX/IE components where unused.",
15577
+ "was_this_required": true,
15578
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
15579
+ "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail is the failure mode."
15580
+ },
15581
+ "detection": {
15582
+ "what_would_have_worked": "EDR signatures for child-process execution from Internet Explorer after attacker-content open, document-exploit telemetry, and inbound-content filtering (mail/web).",
15583
+ "was_this_required": false,
15584
+ "framework_requiring_it": null,
15585
+ "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or legacy estates that cannot be patched promptly."
15586
+ },
15587
+ "response": {
15588
+ "what_would_have_worked": "Force the patch across the estate, isolate exploited endpoints, hunt for follow-on payloads (document-exploit chains often drop loaders), and review for credential theft.",
15589
+ "was_this_required": true,
15590
+ "framework_requiring_it": "NIST 800-53 IR-4",
15591
+ "adequacy": "Mandatory; document/browser RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
15592
+ }
15412
15593
  },
15413
15594
  "framework_coverage": {
15414
15595
  "NIST-800-53-SI-2": {
15415
15596
  "covered": true,
15416
15597
  "adequate": false,
15417
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
15598
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side document/browser RCE; legacy KEV re-listings document organizations still running unpatched builds."
15418
15599
  },
15419
15600
  "ISO-27001-2022-A.8.8": {
15420
15601
  "covered": true,
15421
15602
  "adequate": false,
15422
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15603
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy KEV re-listing exists because organizations still run vulnerable Office/IE/Windows builds."
15604
+ },
15605
+ "AU-ISM-1546": {
15606
+ "covered": true,
15607
+ "adequate": false,
15608
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show that long-tail unpatched estates persist; centralized update management and Office hardening are the load-bearing controls."
15423
15609
  }
15424
15610
  },
15425
15611
  "compliance_exposure_score": {
15426
15612
  "percent_audit_passing_orgs_still_exposed": 55,
15427
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
15613
+ "basis": "Microsoft Internet Explorer is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (older Windows, Office, IE) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
15428
15614
  "theater_pattern": "patch_management"
15429
15615
  },
15430
15616
  "ai_discovered_zeroday": false,
15431
- "ai_discovery_source": "unknown",
15432
- "ai_assist_factor": "none",
15433
- "_auto_imported": true,
15434
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
15617
+ "ai_discovery_source": "vendor_research",
15618
+ "ai_assist_factor": "none"
15435
15619
  },
15436
15620
  "CVE-2021-43226": {
15437
15621
  "name": "Microsoft Windows Privilege Escalation Vulnerability",
15438
- "lesson_date": "2026-05-18",
15622
+ "lesson_date": "2026-05-29",
15439
15623
  "attack_vector": {
15440
- "description": "Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms.",
15441
- "privileges_required": "unprivileged local user",
15442
- "complexity": "moderate (bulk-import default)",
15443
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
15624
+ "description": "an improper privilege-management flaw (CWE-269) on Windows, escalating a local user's privileges. CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
15625
+ "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
15626
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
15627
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
15628
+ },
15629
+ "defense_chain": {
15630
+ "prevention": {
15631
+ "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
15632
+ "was_this_required": true,
15633
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
15634
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
15635
+ },
15636
+ "detection": {
15637
+ "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
15638
+ "was_this_required": false,
15639
+ "framework_requiring_it": null,
15640
+ "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
15641
+ },
15642
+ "response": {
15643
+ "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
15644
+ "was_this_required": true,
15645
+ "framework_requiring_it": "NIST 800-53 IR-4",
15646
+ "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
15647
+ }
15444
15648
  },
15445
15649
  "framework_coverage": {
15446
15650
  "NIST-800-53-SI-2": {
15447
15651
  "covered": true,
15448
15652
  "adequate": false,
15449
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
15653
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
15450
15654
  },
15451
15655
  "ISO-27001-2022-A.8.8": {
15452
15656
  "covered": true,
15453
15657
  "adequate": false,
15454
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15658
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
15659
+ },
15660
+ "AU-ISM-1546": {
15661
+ "covered": true,
15662
+ "adequate": false,
15663
+ "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
15455
15664
  }
15456
15665
  },
15457
15666
  "compliance_exposure_score": {
15458
- "percent_audit_passing_orgs_still_exposed": 55,
15459
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
15667
+ "percent_audit_passing_orgs_still_exposed": 70,
15668
+ "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
15460
15669
  "theater_pattern": "patch_management"
15461
15670
  },
15462
15671
  "ai_discovered_zeroday": false,
15463
- "ai_discovery_source": "unknown",
15464
- "ai_assist_factor": "none",
15465
- "_auto_imported": true,
15466
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
15672
+ "ai_discovery_source": "vendor_research",
15673
+ "ai_assist_factor": "none"
15467
15674
  },
15468
15675
  "CVE-2013-3918": {
15469
15676
  "name": "Microsoft Windows Out-of-Bounds Write Vulnerability",
15470
- "lesson_date": "2026-05-18",
15677
+ "lesson_date": "2026-05-29",
15471
15678
  "attack_vector": {
15472
- "description": "Microsoft Windows contains an out-of-bounds write vulnerability in the InformationCardSigninHelper Class ActiveX control, icardie.dll. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
15473
- "privileges_required": "network attacker (no authentication required)",
15474
- "complexity": "moderate (bulk-import default)",
15475
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
15679
+ "description": "an out-of-bounds write / memory-corruption flaw (CWE-94) in a Microsoft Windows component reachable from Internet Explorer (the InformationCardSigninHelper ActiveX control), exploitable by an attacker-controlled web page for code execution; used in watering-hole campaigns. CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched estates remain exposed.",
15680
+ "privileges_required": "none (the victim opens the attacker's document or visits the attacker's content)",
15681
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
15682
+ "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
15683
+ },
15684
+ "defense_chain": {
15685
+ "prevention": {
15686
+ "what_would_have_worked": "Apply the Microsoft security update for Microsoft Windows; enforce centralized patch management on the long tail; harden Office (Protected View, ASR rules) and disable legacy ActiveX/IE components where unused.",
15687
+ "was_this_required": true,
15688
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
15689
+ "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail is the failure mode."
15690
+ },
15691
+ "detection": {
15692
+ "what_would_have_worked": "EDR signatures for child-process execution from Windows InformationCardSigninHelper / ActiveX after attacker-content open, document-exploit telemetry, and inbound-content filtering (mail/web).",
15693
+ "was_this_required": false,
15694
+ "framework_requiring_it": null,
15695
+ "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or legacy estates that cannot be patched promptly."
15696
+ },
15697
+ "response": {
15698
+ "what_would_have_worked": "Force the patch across the estate, isolate exploited endpoints, hunt for follow-on payloads (document-exploit chains often drop loaders), and review for credential theft.",
15699
+ "was_this_required": true,
15700
+ "framework_requiring_it": "NIST 800-53 IR-4",
15701
+ "adequacy": "Mandatory; document/browser RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
15702
+ }
15476
15703
  },
15477
15704
  "framework_coverage": {
15478
15705
  "NIST-800-53-SI-2": {
15479
15706
  "covered": true,
15480
15707
  "adequate": false,
15481
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
15708
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side document/browser RCE; legacy KEV re-listings document organizations still running unpatched builds."
15482
15709
  },
15483
15710
  "ISO-27001-2022-A.8.8": {
15484
15711
  "covered": true,
15485
15712
  "adequate": false,
15486
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15713
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy KEV re-listing exists because organizations still run vulnerable Office/IE/Windows builds."
15714
+ },
15715
+ "AU-ISM-1546": {
15716
+ "covered": true,
15717
+ "adequate": false,
15718
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show that long-tail unpatched estates persist; centralized update management and Office hardening are the load-bearing controls."
15487
15719
  }
15488
15720
  },
15489
15721
  "compliance_exposure_score": {
15490
15722
  "percent_audit_passing_orgs_still_exposed": 55,
15491
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
15723
+ "basis": "Microsoft Windows is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (older Windows, Office, IE) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
15492
15724
  "theater_pattern": "patch_management"
15493
15725
  },
15494
15726
  "ai_discovered_zeroday": false,
15495
- "ai_discovery_source": "unknown",
15496
- "ai_assist_factor": "none",
15497
- "_auto_imported": true,
15498
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
15727
+ "ai_discovery_source": "vendor_research",
15728
+ "ai_assist_factor": "none"
15499
15729
  },
15500
15730
  "CVE-2011-3402": {
15501
15731
  "name": "Microsoft Windows Remote Code Execution Vulnerability",
15502
- "lesson_date": "2026-05-18",
15732
+ "lesson_date": "2026-05-29",
15503
15733
  "attack_vector": {
15504
- "description": "Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page.",
15505
- "privileges_required": "network attacker (no authentication required)",
15506
- "complexity": "moderate (bulk-import default)",
15507
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
15734
+ "description": "a memory-corruption flaw (CWE-94) in the Windows TrueType font parsing kernel component, exploitable by an attacker-controlled embedded font for code execution at kernel privilege (the Duqu zero-day). CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched estates remain exposed.",
15735
+ "privileges_required": "none (the victim opens the attacker's document or visits the attacker's content)",
15736
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
15737
+ "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
15738
+ },
15739
+ "defense_chain": {
15740
+ "prevention": {
15741
+ "what_would_have_worked": "Apply the Microsoft security update for Microsoft Windows; enforce centralized patch management on the long tail; harden Office (Protected View, ASR rules) and disable legacy ActiveX/IE components where unused.",
15742
+ "was_this_required": true,
15743
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
15744
+ "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail is the failure mode."
15745
+ },
15746
+ "detection": {
15747
+ "what_would_have_worked": "EDR signatures for child-process execution from Windows TrueType font parser after attacker-content open, document-exploit telemetry, and inbound-content filtering (mail/web).",
15748
+ "was_this_required": false,
15749
+ "framework_requiring_it": null,
15750
+ "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or legacy estates that cannot be patched promptly."
15751
+ },
15752
+ "response": {
15753
+ "what_would_have_worked": "Force the patch across the estate, isolate exploited endpoints, hunt for follow-on payloads (document-exploit chains often drop loaders), and review for credential theft.",
15754
+ "was_this_required": true,
15755
+ "framework_requiring_it": "NIST 800-53 IR-4",
15756
+ "adequacy": "Mandatory; document/browser RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
15757
+ }
15508
15758
  },
15509
15759
  "framework_coverage": {
15510
15760
  "NIST-800-53-SI-2": {
15511
15761
  "covered": true,
15512
15762
  "adequate": false,
15513
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
15763
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side document/browser RCE; legacy KEV re-listings document organizations still running unpatched builds."
15514
15764
  },
15515
15765
  "ISO-27001-2022-A.8.8": {
15516
15766
  "covered": true,
15517
15767
  "adequate": false,
15518
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15768
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy KEV re-listing exists because organizations still run vulnerable Office/IE/Windows builds."
15769
+ },
15770
+ "AU-ISM-1546": {
15771
+ "covered": true,
15772
+ "adequate": false,
15773
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show that long-tail unpatched estates persist; centralized update management and Office hardening are the load-bearing controls."
15519
15774
  }
15520
15775
  },
15521
15776
  "compliance_exposure_score": {
15522
15777
  "percent_audit_passing_orgs_still_exposed": 55,
15523
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
15778
+ "basis": "Microsoft Windows is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (older Windows, Office, IE) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
15524
15779
  "theater_pattern": "patch_management"
15525
15780
  },
15526
15781
  "ai_discovered_zeroday": false,
15527
- "ai_discovery_source": "unknown",
15528
- "ai_assist_factor": "none",
15529
- "_auto_imported": true,
15530
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
15782
+ "ai_discovery_source": "vendor_research",
15783
+ "ai_assist_factor": "none"
15531
15784
  },
15532
15785
  "CVE-2010-3765": {
15533
15786
  "name": "Mozilla Multiple Products Remote Code Execution Vulnerability",
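Review bot: The CWE tags in the new descriptions are wrong for every entry in this hunk: CWE-94 is code injection, yet it is attached to an uninitialized-memory bug (new line 15569), an out-of-bounds write (15679) and a TrueType memory-corruption (15734); the out-of-bounds write is CWE-787, e.g. `"description": "an out-of-bounds write (CWE-787) in a Microsoft Windows component reachable from Internet Explorer ..."`, and where the exact CWE is not known it is better omitted than asserted. The EoL/EoS caveat that removed lines 15408 and 15472 carried ("Users should discontinue product utilization") is dropped, and the new `what_would_have_worked` for IE and Windows now reads "Apply the Microsoft security update" — on an end-of-life build there is no update to apply, so retirement/isolation is the control and the caveat should survive the rewrite. For CVE-2021-43226 the removed line 15440 said a "local, privileged attacker", but the new `privileges_required` on 15625 says "low (any local foothold)"; that downgrade needs a source or the old wording kept, and the Vulnerable Driver Blocklist advice on 15631 does not obviously apply to an in-box Microsoft driver like CLFS. The CVE-2011-3402 detection text on 15747 ("child-process execution from Windows TrueType font parser") does not fit a kernel-mode parser (win32k.sys per removed line 15504) that spawns no processes; detection belongs on the document/browser process that loaded the font, or on kernel crash telemetry. The "Operation Aurora era" attribution on 15569 is likewise unsourced and should be cited or removed.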
@@ -16659,35 +16912,58 @@
16659
16912
  },
16660
16913
  "CVE-2007-0671": {
16661
16914
  "name": "Microsoft Office Excel Remote Code Execution Vulnerability",
16662
- "lesson_date": "2026-05-18",
16915
+ "lesson_date": "2026-05-29",
16663
16916
  "attack_vector": {
16664
- "description": "Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This malicious file could be delivered as an email attachment or hosted on a malicious website. An attacker could leverage this vulnerability by creating a specially crafted Excel file, which, when opened, allowing an attacker to execute remote code on the affected system.",
16665
- "privileges_required": "network attacker (no authentication required)",
16666
- "complexity": "moderate (bulk-import default)",
16667
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
16917
+ "description": "a code-injection / memory-corruption flaw (CWE-94) in Microsoft Office Excel document parsing, exploitable by an attacker-controlled spreadsheet for code execution in the Excel process. CISA KEV-listed 2025-08-12 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched estates remain exposed.",
16918
+ "privileges_required": "none (the victim opens the attacker's document or visits the attacker's content)",
16919
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
16920
+ "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
16921
+ },
16922
+ "defense_chain": {
16923
+ "prevention": {
16924
+ "what_would_have_worked": "Apply the Microsoft security update for Microsoft Office Excel; enforce centralized patch management on the long tail; harden Office (Protected View, ASR rules) and disable legacy ActiveX/IE components where unused.",
16925
+ "was_this_required": true,
16926
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
16927
+ "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail is the failure mode."
16928
+ },
16929
+ "detection": {
16930
+ "what_would_have_worked": "EDR signatures for child-process execution from Excel after attacker-content open, document-exploit telemetry, and inbound-content filtering (mail/web).",
16931
+ "was_this_required": false,
16932
+ "framework_requiring_it": null,
16933
+ "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or legacy estates that cannot be patched promptly."
16934
+ },
16935
+ "response": {
16936
+ "what_would_have_worked": "Force the patch across the estate, isolate exploited endpoints, hunt for follow-on payloads (document-exploit chains often drop loaders), and review for credential theft.",
16937
+ "was_this_required": true,
16938
+ "framework_requiring_it": "NIST 800-53 IR-4",
16939
+ "adequacy": "Mandatory; document/browser RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
16940
+ }
16668
16941
  },
16669
16942
  "framework_coverage": {
16670
16943
  "NIST-800-53-SI-2": {
16671
16944
  "covered": true,
16672
16945
  "adequate": false,
16673
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
16946
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side document/browser RCE; legacy KEV re-listings document organizations still running unpatched builds."
16674
16947
  },
16675
16948
  "ISO-27001-2022-A.8.8": {
16676
16949
  "covered": true,
16677
16950
  "adequate": false,
16678
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
16951
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy KEV re-listing exists because organizations still run vulnerable Office/IE/Windows builds."
16952
+ },
16953
+ "AU-ISM-1546": {
16954
+ "covered": true,
16955
+ "adequate": false,
16956
+ "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show that long-tail unpatched estates persist; centralized update management and Office hardening are the load-bearing controls."
16679
16957
  }
16680
16958
  },
16681
16959
  "compliance_exposure_score": {
16682
16960
  "percent_audit_passing_orgs_still_exposed": 55,
16683
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
16961
+ "basis": "Microsoft Office Excel is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (older Windows, Office, IE) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
16684
16962
  "theater_pattern": "patch_management"
16685
16963
  },
16686
16964
  "ai_discovered_zeroday": false,
16687
- "ai_discovery_source": "unknown",
16688
- "ai_assist_factor": "none",
16689
- "_auto_imported": true,
16690
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
16965
+ "ai_discovery_source": "vendor_research",
16966
+ "ai_assist_factor": "none"
16691
16967
  },
16692
16968
  "CVE-2013-3893": {
16693
16969
  "name": "Microsoft Internet Explorer Resource Management Errors Vulnerability",
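Review bot: The `description` on new line 16917 labels a spreadsheet-parsing memory-corruption bug as CWE-94 (code injection), which is the wrong class; if the precise weakness is not on record, write `"a memory-corruption flaw in Microsoft Office Excel document parsing, ..."` and leave the CWE out rather than assert one. The prevention text on 16924 is the Office/IE template ("disable legacy ActiveX/IE components where unused") and says nothing specific to a 2007-era Excel flaw, where the practical question is whether the affected Office builds are still serviced at all; the entry should say so or keep the update guidance hedged. `percent_audit_passing_orgs_still_exposed` stays at 55 while its `basis` is completely rewritten, so the number is now unexplained by its own justification; either re-derive it or note that the figure is carried over. As in the other hunks, `ai_discovery_source` becomes `"vendor_research"` and the `_auto_imported`/`_intake_method` provenance is deleted without a cited source, which turns a bulk-import default into an unsupported factual claim.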
@@ -19014,35 +19290,58 @@
19014
19290
  },
19015
19291
  "CVE-2025-32701": {
19016
19292
  "name": "Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability",
19017
- "lesson_date": "2026-05-18",
19293
+ "lesson_date": "2026-05-29",
19018
19294
  "attack_vector": {
19019
- "description": "Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.",
19020
- "privileges_required": "unprivileged local user",
19021
- "complexity": "moderate (bulk-import default)",
19022
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
19295
+ "description": "a use-after-free (CWE-416) in the Windows Common Log File System (CLFS) driver a recurring kernel-LPE target exploited by a local foothold to escalate to SYSTEM. CISA KEV-listed 2025-05-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
19296
+ "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
19297
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
19298
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
19299
+ },
19300
+ "defense_chain": {
19301
+ "prevention": {
19302
+ "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
19303
+ "was_this_required": true,
19304
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
19305
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
19306
+ },
19307
+ "detection": {
19308
+ "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
19309
+ "was_this_required": false,
19310
+ "framework_requiring_it": null,
19311
+ "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
19312
+ },
19313
+ "response": {
19314
+ "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
19315
+ "was_this_required": true,
19316
+ "framework_requiring_it": "NIST 800-53 IR-4",
19317
+ "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
19318
+ }
19023
19319
  },
19024
19320
  "framework_coverage": {
19025
19321
  "NIST-800-53-SI-2": {
19026
19322
  "covered": true,
19027
19323
  "adequate": false,
19028
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
19324
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
19029
19325
  },
19030
19326
  "ISO-27001-2022-A.8.8": {
19031
19327
  "covered": true,
19032
19328
  "adequate": false,
19033
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
19329
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
19330
+ },
19331
+ "AU-ISM-1546": {
19332
+ "covered": true,
19333
+ "adequate": false,
19334
+ "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
19034
19335
  }
19035
19336
  },
19036
19337
  "compliance_exposure_score": {
19037
- "percent_audit_passing_orgs_still_exposed": 55,
19038
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
19338
+ "percent_audit_passing_orgs_still_exposed": 70,
19339
+ "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
19039
19340
  "theater_pattern": "patch_management"
19040
19341
  },
19041
19342
  "ai_discovered_zeroday": false,
19042
- "ai_discovery_source": "unknown",
19043
- "ai_assist_factor": "none",
19044
- "_auto_imported": true,
19045
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
19343
+ "ai_discovery_source": "vendor_research",
19344
+ "ai_assist_factor": "none"
19046
19345
  },
19047
19346
  "CVE-2024-12450": {
19048
19347
  "name": "RAGFlow web_crawl Full-Read SSRF + Arbitrary File Read",
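Review bot: The new `prevention.what_would_have_worked` for CVE-2025-32701 (repeated in the AU-ISM-1546 gap and the exposure `basis`) names the Microsoft Vulnerable Driver Blocklist as a control that shrinks this attack surface, but that list blocks known-bad third-party drivers an attacker brings along (BYOVD); clfs.sys is an in-box Windows component that, as far as I know, the blocklist does not cover, so it is not a backstop for this CVE. HVCI/VBS is also weaker than "load-bearing" suggests — it prevents unsigned kernel code, while CLFS exploits seen in the wild are typically data-only token/privilege manipulation that HVCI does not stop. I would reword to `"what_would_have_worked": "Apply the Microsoft security update; HVCI/VBS, restricting local-admin sprawl and EDR on the initial-access path are defense-in-depth only — there is no configuration backstop for an in-box driver UAF short of the patch."` and drop "load-bearing" from the AU-ISM-1546 gap. Separately, the `description` string is missing punctuation between "driver" and "a recurring kernel-LPE target", and `percent_audit_passing_orgs_still_exposed` moves 55 → 70 while `basis` gives no methodology, so a reader cannot tell what changed the number.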