npm - @blamejs/exceptd-skills - Versions diffs - 0.15.14 → 0.15.16 - Mend

@blamejs/exceptd-skills 0.15.14 → 0.15.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +11 -0
package/data/cve-catalog.json +246 -85
package/data/zeroday-lessons.json +583 -198
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/data/zeroday-lessons.json CHANGED Viewed

@@ -7179,35 +7179,63 @@
   },
   "CVE-2025-2749": {
     "name": "Kentico Xperience Path Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a path-traversal plus unrestricted-file-upload flaw (CWE-22/CWE-434), letting an unauthenticated attacker write a file outside the intended directory (e.g. a web shell) for code execution. CISA KEV-listed 2026-04-20 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the web application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Kentico Xperience update; hunt for web shells under the CMS web root and rotate application secrets — an upload primitive leaves resident persistence the patch does not remove.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, for web-app RCE/upload/auth-bypass, insufficient alone — web shells and stolen credentials/secrets survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Kentico Xperience CMS: exploit-shaped requests, new web-shell files under the web root, unexpected process execution by the app, and administrative actions without a matching authenticated session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence after patching; WAF rules help but trail novel payloads."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data accessible through the Kentico Xperience CMS for exfiltration; assume compromise of any account reachable from it.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without web-shell hunting and secret rotation leaves the attacker resident."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application RCE/auth-bypass; these are mass-exploited within days of disclosure."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing web applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application in or adjacent to the CDE; PCI-DSS 6.4.x WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing Kentico Xperience CMS is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt and secret rotation are rarely part of the documented patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2023-27351": {
     "name": "PaperCut NG/MF Improper Authentication Vulnerability",
@@ -7634,35 +7662,58 @@
   },
   "CVE-2025-60710": {
     "name": "Microsoft Windows Link Following Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows contains a link following vulnerability that allows for privilege escalation",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a link-following / symlink-handling flaw (CWE-59) in a Windows component, exploited by a local foothold to redirect a privileged operation and gain SYSTEM. CISA KEV-listed 2026-04-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2023-21529": {
     "name": "Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability",
@@ -7726,35 +7777,58 @@
   },
   "CVE-2023-36424": {
     "name": "Microsoft Windows Out-of-Bounds Read Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an out-of-bounds read (CWE-125) in a Windows kernel/driver component, used as an information-disclosure primitive in a privilege-escalation chain. CISA KEV-listed 2026-04-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2020-9715": {
     "name": "Adobe Acrobat Use-After-Free Vulnerability",
@@ -10816,35 +10890,63 @@
   },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a code-injection flaw (CWE-94) enabling unauthenticated remote code execution on the web server. CISA KEV-listed 2026-03-20 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the web application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Craft CMS update, rotate the Craft security key and any credentials the app held, and hunt for web shells — code-injection RCE is routinely followed by persistence.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, for web-app RCE/upload/auth-bypass, insufficient alone — web shells and stolen credentials/secrets survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Craft CMS: exploit-shaped requests, new web-shell files under the web root, unexpected process execution by the app, and administrative actions without a matching authenticated session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence after patching; WAF rules help but trail novel payloads."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data accessible through the Craft CMS for exfiltration; assume compromise of any account reachable from it.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without web-shell hunting and secret rotation leaves the attacker resident."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application RCE/auth-bypass; these are mass-exploited within days of disclosure."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing web applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application in or adjacent to the CDE; PCI-DSS 6.4.x WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing Craft CMS is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt and secret rotation are rarely part of the documented patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-54068": {
     "name": "Laravel Livewire Code Injection Vulnerability",
@@ -11431,35 +11533,63 @@
   },
   "CVE-2025-26399": {
     "name": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a deserialization-of-untrusted-data flaw (CWE-502) enabling unauthenticated remote code execution (the latest in the Web Help Desk deserialization chain). CISA KEV-listed 2026-03-09 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the web application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the SolarWinds Web Help Desk update and rebuild if exploited; this is a repeated deserialization target, so confirm the full chain is patched and rotate service credentials.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, for web-app RCE/upload/auth-bypass, insufficient alone — web shells and stolen credentials/secrets survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Web Help Desk: exploit-shaped requests, new web-shell files under the web root, unexpected process execution by the app, and administrative actions without a matching authenticated session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence after patching; WAF rules help but trail novel payloads."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data accessible through the Web Help Desk for exfiltration; assume compromise of any account reachable from it.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without web-shell hunting and secret rotation leaves the attacker resident."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application RCE/auth-bypass; these are mass-exploited within days of disclosure."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing web applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application in or adjacent to the CDE; PCI-DSS 6.4.x WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing SolarWinds Web Help Desk is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt and secret rotation are rarely part of the documented patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-1603": {
     "name": "Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability",
@@ -12024,35 +12154,63 @@
   },
   "CVE-2025-49113": {
     "name": "RoundCube Webmail Deserialization of Untrusted Data Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a deserialization-of-untrusted-data flaw (CWE-502) enabling remote code execution on the Roundcube webmail server. CISA KEV-listed 2026-02-20 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the web application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Roundcube update, hunt for web shells, and rotate webmail/session secrets and mailbox credentials — webmail compromise targets mailbox data and persistence.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, for web-app RCE/upload/auth-bypass, insufficient alone — web shells and stolen credentials/secrets survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Roundcube Webmail: exploit-shaped requests, new web-shell files under the web root, unexpected process execution by the app, and administrative actions without a matching authenticated session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence after patching; WAF rules help but trail novel payloads."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data accessible through the Roundcube Webmail for exfiltration; assume compromise of any account reachable from it.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without web-shell hunting and secret rotation leaves the attacker resident."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application RCE/auth-bypass; these are mass-exploited within days of disclosure."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing web applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application in or adjacent to the CDE; PCI-DSS 6.4.x WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing Roundcube Webmail is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt and secret rotation are rarely part of the documented patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-68461": {
     "name": "RoundCube Webmail Cross-site Scripting Vulnerability",
@@ -12954,36 +13112,64 @@
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
   },
   "CVE-2025-40551": {
-    "name": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability",
-    "lesson_date": "2026-05-18",
+    "name": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability (variant: CVE-2025-40551)",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a deserialization-of-untrusted-data flaw (CWE-502) enabling unauthenticated remote code execution. CISA KEV-listed 2026-02-03 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the web application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the SolarWinds Web Help Desk update, hunt for web shells, and rotate service credentials; treat an exploited Help Desk as compromised given its IT-service-management reach.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, for web-app RCE/upload/auth-bypass, insufficient alone — web shells and stolen credentials/secrets survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Web Help Desk: exploit-shaped requests, new web-shell files under the web root, unexpected process execution by the app, and administrative actions without a matching authenticated session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence after patching; WAF rules help but trail novel payloads."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data accessible through the Web Help Desk for exfiltration; assume compromise of any account reachable from it.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without web-shell hunting and secret rotation leaves the attacker resident."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application RCE/auth-bypass; these are mass-exploited within days of disclosure."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing web applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application in or adjacent to the CDE; PCI-DSS 6.4.x WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing SolarWinds Web Help Desk is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt and secret rotation are rarely part of the documented patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-1281": {
     "name": "Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability (variant: CVE-2026-1281)",
@@ -13543,35 +13729,58 @@
   },
   "CVE-2026-20805": {
     "name": "Microsoft Windows Information Disclosure Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an information-disclosure flaw (CWE-200) in a Windows component, used as a primitive in a privilege-escalation chain (kernel-address leaks defeat KASLR for follow-on exploits). CISA KEV-listed 2026-01-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-8110": {
     "name": "Gogs Path Traversal Vulnerability",
@@ -14570,35 +14779,58 @@
   },
   "CVE-2025-62215": {
     "name": "Microsoft Windows Race Condition Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a race condition (CWE-362) in a Windows kernel-mode component, exploited by a local foothold to escalate privileges to SYSTEM. CISA KEV-listed 2025-11-12 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-9242": {
     "name": "WatchGuard Firebox Out-of-Bounds Write Vulnerability",
@@ -15037,67 +15269,123 @@
   },
   "CVE-2025-2746": {
     "name": "Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an authentication bypass using an alternate path or channel (CWE-288), letting an unauthenticated attacker reach administrative functionality. CISA KEV-listed 2025-10-20 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the web application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Kentico Xperience update; review admin-account activity during the exposure window, since the bypass grants administrative access without credentials.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, for web-app RCE/upload/auth-bypass, insufficient alone — web shells and stolen credentials/secrets survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Kentico Xperience CMS: exploit-shaped requests, new web-shell files under the web root, unexpected process execution by the app, and administrative actions without a matching authenticated session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence after patching; WAF rules help but trail novel payloads."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data accessible through the Kentico Xperience CMS for exfiltration; assume compromise of any account reachable from it.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without web-shell hunting and secret rotation leaves the attacker resident."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application RCE/auth-bypass; these are mass-exploited within days of disclosure."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing web applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application in or adjacent to the CDE; PCI-DSS 6.4.x WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing Kentico Xperience CMS is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt and secret rotation are rarely part of the documented patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-2747": {
-    "name": "Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability",
-    "lesson_date": "2026-05-18",
+    "name": "Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability (variant: CVE-2025-2747)",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an authentication bypass using an alternate path or channel (CWE-288, a variant of the same bypass class), letting an unauthenticated attacker reach administrative functionality. CISA KEV-listed 2025-10-20 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the web application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Kentico Xperience update; review admin-account activity, as this is a second alternate-channel route to the same administrative bypass.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, for web-app RCE/upload/auth-bypass, insufficient alone — web shells and stolen credentials/secrets survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Kentico Xperience CMS: exploit-shaped requests, new web-shell files under the web root, unexpected process execution by the app, and administrative actions without a matching authenticated session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence after patching; WAF rules help but trail novel payloads."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data accessible through the Kentico Xperience CMS for exfiltration; assume compromise of any account reachable from it.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without web-shell hunting and secret rotation leaves the attacker resident."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application RCE/auth-bypass; these are mass-exploited within days of disclosure."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing web applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application in or adjacent to the CDE; PCI-DSS 6.4.x WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing Kentico Xperience CMS is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt and secret rotation are rarely part of the documented patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-33073": {
     "name": "Microsoft Windows SMB Client Improper Access Control Vulnerability",
@@ -15229,35 +15517,58 @@
   },
   "CVE-2025-24990": {
     "name": "Microsoft Windows Untrusted Pointer Dereference Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an untrusted-pointer-dereference flaw (CWE-822) in a Windows kernel-mode component, exploited by a local foothold to gain kernel privilege. CISA KEV-listed 2025-10-14 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-59230": {
     "name": "Microsoft Windows Improper Access Control Vulnerability",
@@ -15504,35 +15815,58 @@
   },
   "CVE-2021-43226": {
     "name": "Microsoft Windows Privilege Escalation Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper privilege-management flaw (CWE-269) on Windows, escalating a local user's privileges. CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2013-3918": {
     "name": "Microsoft Windows Out-of-Bounds Write Vulnerability",
@@ -18559,36 +18893,64 @@
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
   },
   "CVE-2024-56145": {
-    "name": "Craft CMS Code Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "name": "Craft CMS Code Injection Vulnerability (variant: CVE-2024-56145)",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a code-injection flaw (CWE-94, the related earlier variant) enabling unauthenticated remote code execution on the web server. CISA KEV-listed 2025-06-02 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the web application's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Craft CMS update, rotate the Craft security key and credentials, and hunt for web shells; confirm both this and the related variant are patched.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, for web-app RCE/upload/auth-bypass, insufficient alone — web shells and stolen credentials/secrets survive the patch and require explicit cleanup."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Craft CMS: exploit-shaped requests, new web-shell files under the web root, unexpected process execution by the app, and administrative actions without a matching authenticated session.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch resident persistence after patching; WAF rules help but trail novel payloads."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data accessible through the Craft CMS for exfiltration; assume compromise of any account reachable from it.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; patch-in-place without web-shell hunting and secret rotation leaves the attacker resident."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated web-application RCE/auth-bypass; these are mass-exploited within days of disclosure."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing web application."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing web applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / secret-rotation cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing web application in or adjacent to the CDE; PCI-DSS 6.4.x WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 74,
+      "basis": "Internet-facing Craft CMS is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt and secret rotation are rarely part of the documented patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2023-39780": {
     "name": "ASUS RT-AX55 Routers OS Command Injection Vulnerability",
@@ -19152,35 +19514,58 @@
   },
   "CVE-2025-32701": {
     "name": "Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a use-after-free (CWE-416) in the Windows Common Log File System (CLFS) driver — a recurring kernel-LPE target — exploited by a local foothold to escalate to SYSTEM. CISA KEV-listed 2025-05-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators typically pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2024-12450": {
     "name": "RAGFlow web_crawl Full-Read SSRF + Arbitrary File Read",