npm - @blamejs/exceptd-skills - Versions diffs - 0.15.14 → 0.15.15 - Mend

@blamejs/exceptd-skills 0.15.14 → 0.15.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +4 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +2 -0
package/data/cve-catalog.json +109 -37
package/data/zeroday-lessons.json +252 -91
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/data/zeroday-lessons.json CHANGED Viewed

@@ -7634,35 +7634,58 @@
   },
   "CVE-2025-60710": {
     "name": "Microsoft Windows Link Following Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows contains a link following vulnerability that allows for privilege escalation",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a link-following / symlink-handling flaw (CWE-59) in a Windows component, exploited by a local foothold to redirect a privileged operation and gain SYSTEM. CISA KEV-listed 2026-04-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2023-21529": {
     "name": "Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability",
@@ -7726,35 +7749,58 @@
   },
   "CVE-2023-36424": {
     "name": "Microsoft Windows Out-of-Bounds Read Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an out-of-bounds read (CWE-125) in a Windows kernel/driver component, used as an information-disclosure primitive in a privilege-escalation chain. CISA KEV-listed 2026-04-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2020-9715": {
     "name": "Adobe Acrobat Use-After-Free Vulnerability",
@@ -13543,35 +13589,58 @@
   },
   "CVE-2026-20805": {
     "name": "Microsoft Windows Information Disclosure Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an information-disclosure flaw (CWE-200) in a Windows component, used as a primitive in a privilege-escalation chain (kernel-address leaks defeat KASLR for follow-on exploits). CISA KEV-listed 2026-01-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-8110": {
     "name": "Gogs Path Traversal Vulnerability",
@@ -14570,35 +14639,58 @@
   },
   "CVE-2025-62215": {
     "name": "Microsoft Windows Race Condition Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a race condition (CWE-362) in a Windows kernel-mode component, exploited by a local foothold to escalate privileges to SYSTEM. CISA KEV-listed 2025-11-12 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-9242": {
     "name": "WatchGuard Firebox Out-of-Bounds Write Vulnerability",
@@ -15229,35 +15321,58 @@
   },
   "CVE-2025-24990": {
     "name": "Microsoft Windows Untrusted Pointer Dereference Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an untrusted-pointer-dereference flaw (CWE-822) in a Windows kernel-mode component, exploited by a local foothold to gain kernel privilege. CISA KEV-listed 2025-10-14 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-59230": {
     "name": "Microsoft Windows Improper Access Control Vulnerability",
@@ -15504,35 +15619,58 @@
   },
   "CVE-2021-43226": {
     "name": "Microsoft Windows Privilege Escalation Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper privilege-management flaw (CWE-269) on Windows, escalating a local user's privileges. CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2013-3918": {
     "name": "Microsoft Windows Out-of-Bounds Write Vulnerability",
@@ -19152,35 +19290,58 @@
   },
   "CVE-2025-32701": {
     "name": "Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a use-after-free (CWE-416) in the Windows Common Log File System (CLFS) driver — a recurring kernel-LPE target — exploited by a local foothold to escalate to SYSTEM. CISA KEV-listed 2025-05-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2024-12450": {
     "name": "RAGFlow web_crawl Full-Read SSRF + Arbitrary File Read",