@blamejs/exceptd-skills 0.15.15 → 0.15.16

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.16 — 2026-05-29
+
+Draft-curation pass 14 — web-application server-side RCE. Eight CISA KEV-listed unauthenticated web-app CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Kentico Xperience CMS (CVE-2025-2749 path-traversal + file upload, CVE-2025-2746 and CVE-2025-2747 alternate-channel authentication bypasses), Craft CMS code injection (CVE-2025-32432 and the related CVE-2024-56145), Roundcube Webmail deserialization (CVE-2025-49113), and SolarWinds Web Help Desk deserialization (CVE-2025-26399, CVE-2025-40551). All map T1190, with per-class T1059 (code injection / deserialization), T1078 (auth bypass), or T1505.003 (upload → web shell). The lessons stress web-shell hunting and application-secret rotation as required cleanup beyond the patch.
+
 ## 0.15.15 — 2026-05-29
 
 Draft-curation pass 13 — Windows kernel/driver LPE. Seven CISA KEV-listed Windows local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: a Common Log File System (CLFS) driver use-after-free (CVE-2025-32701 — CLFS is a recurring kernel-LPE target), a race condition (CVE-2025-62215), an untrusted-pointer dereference (CVE-2025-24990), link-following (CVE-2025-60710), a kernel out-of-bounds read primitive (CVE-2023-36424), an information-disclosure primitive (CVE-2026-20805), and improper privilege management (CVE-2021-43226). All map T1068 (Exploitation for Privilege Escalation). The lessons frame these as the second half of the ransomware chain (initial access → unpatched LPE → SYSTEM within hours) and stress hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist as load-bearing endpoint controls beyond the patch.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T21:03:43.254Z",
+  "generated_at": "2026-05-29T21:41:35.237Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "4583ef83386e42795c8990101aaad4526d7965db5c29cabb4899d8b4d807a3ca",
+    "manifest.json": "1bf79bbc78662fe233ebd4ae9d66a6715054a144dbe6d414f145d6f895b6cdb2",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "8a593b6a67125e0eb4e5d167654b5fc24531ca2f95be4362a1c4d80e3df2d3a3",
-    "data/cve-catalog.json": "a97c16dbf941e68e2e0fda7a82d821e64952eb224170e48dfbd2c5a2af61999d",
+    "data/attack-techniques.json": "ab66fbbc079bec071f9f2d2e92f194ce95289f91a19a188e9d6d0489c4fafb97",
+    "data/cve-catalog.json": "369f3585bd52254f928ed322ab30b1cf3d207fed5d7e3b5c76c4de8cd89dc709",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "23155c21ee4dd4e7a6402cd4215f266dae559892b3f317e43fac9f64f4a10ef2",
+    "data/zeroday-lessons.json": "549c3ef8ffd0b42743d9939ef0d2a083acbb6e61f0c6f83b4aac718d4c62e978",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -298,6 +298,7 @@
       "CVE-2024-4889",
       "CVE-2024-50050",
       "CVE-2024-5565",
+      "CVE-2024-56145",
       "CVE-2024-8069",
       "CVE-2025-10164",
       "CVE-2025-1094",
@@ -307,16 +308,20 @@
       "CVE-2025-20281",
       "CVE-2025-20337",
       "CVE-2025-23254",
+      "CVE-2025-26399",
       "CVE-2025-27520",
       "CVE-2025-29635",
       "CVE-2025-30165",
+      "CVE-2025-32432",
       "CVE-2025-32434",
       "CVE-2025-32444",
       "CVE-2025-3248",
       "CVE-2025-33236",
       "CVE-2025-34291",
       "CVE-2025-3466",
+      "CVE-2025-40551",
       "CVE-2025-4428",
+      "CVE-2025-49113",
       "CVE-2025-49596",
       "CVE-2025-49704",
       "CVE-2025-51480",
@@ -991,6 +996,9 @@
       "CVE-2025-25257",
       "CVE-2025-25297",
       "CVE-2025-26399",
+      "CVE-2025-2746",
+      "CVE-2025-2747",
+      "CVE-2025-2749",
       "CVE-2025-27520",
       "CVE-2025-2775",
       "CVE-2025-2776",
@@ -12071,6 +12079,7 @@
     "_auto_imported": true,
     "_intake_method": "mitre-attack-stix",
     "cve_refs": [
+      "CVE-2025-2749",
       "CVE-2025-31324",
       "CVE-2025-49704",
       "CVE-2025-53770"

package/data/cve-catalog.json

@@ -8440,7 +8440,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190",
+      "T1505.003"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -8462,7 +8464,7 @@
       "CWE-22",
       "CWE-434"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://devnet.kentico.com/download/hotfixes",
@@ -8491,11 +8493,21 @@
         "published_date": "2026-04-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-05-04. Notes reference: https://devnet.kentico.com/download/hotfixes ; https://nvd.nist.gov/vuln/detail/CVE-2025-2749",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.",
+    "iocs": {
+      "behavioral": [
+        "Kentico Xperience CMS reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Kentico Xperience CMS consistent with path-traversal plus unrestricted-file-upload flaw (CWE-22/CWE-434).",
+        "Post-exploitation indicators on the Kentico Xperience CMS — web shells under the web root, unexpected process execution, or use of administrative functions with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-2749, CISA KEV (added 2026-04-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-27351": {
     "name": "PaperCut NG/MF Improper Authentication Vulnerability",
@@ -20626,7 +20638,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -20647,7 +20660,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432",
@@ -20677,11 +20690,21 @@
         "published_date": "2026-03-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-20; due date 2026-04-03. Notes reference: https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432 ; https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32432",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.",
+    "iocs": {
+      "behavioral": [
+        "Craft CMS reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Craft CMS consistent with code-injection flaw (CWE-94) enabling unauthenticated remote code execution on the web server.",
+        "Post-exploitation indicators on the Craft CMS — web shells under the web root, unexpected process execution, or use of administrative functions with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-32432, CISA KEV (added 2026-03-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-54068": {
     "name": "Laravel Livewire Code Injection Vulnerability",
@@ -21974,7 +21997,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21995,7 +22019,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399",
@@ -22025,11 +22049,21 @@
         "published_date": "2026-03-09"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-09; due date 2026-03-12. Notes reference: https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399 ; https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm ; ht",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine.",
+    "iocs": {
+      "behavioral": [
+        "SolarWinds Web Help Desk reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Web Help Desk consistent with deserialization-of-untrusted-data flaw (CWE-502) enabling unauthenticated remote code execution (the latest in the Web Help Desk deserialization chain).",
+        "Post-exploitation indicators on the Web Help Desk — web shells under the web root, unexpected process execution, or use of administrative functions with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-26399, CISA KEV (added 2026-03-09), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-1603": {
     "name": "Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability",
@@ -23224,7 +23258,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -23245,7 +23280,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10",
@@ -23276,11 +23311,21 @@
         "published_date": "2026-02-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-20; due date 2026-03-13. Notes reference: https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.6.",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.",
+    "iocs": {
+      "behavioral": [
+        "Roundcube Webmail reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Roundcube Webmail consistent with deserialization-of-untrusted-data flaw (CWE-502) enabling remote code execution on the Roundcube webmail server.",
+        "Post-exploitation indicators on the Roundcube Webmail — web shells under the web root, unexpected process execution, or use of administrative functions with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-49113, CISA KEV (added 2026-02-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-68461": {
     "name": "RoundCube Webmail Cross-site Scripting Vulnerability",
@@ -25605,7 +25650,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25626,7 +25672,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40551",
@@ -25655,11 +25701,21 @@
         "published_date": "2026-02-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-03; due date 2026-02-06. Notes reference: https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40551 ; https://nvd.nist.gov/vuln/detail/CVE-2025-40551",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.",
+    "iocs": {
+      "behavioral": [
+        "SolarWinds Web Help Desk reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Web Help Desk consistent with deserialization-of-untrusted-data flaw (CWE-502) enabling unauthenticated remote code execution.",
+        "Post-exploitation indicators on the Web Help Desk — web shells under the web root, unexpected process execution, or use of administrative functions with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-40551, CISA KEV (added 2026-02-03), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-1281": {
     "name": "Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability (variant: CVE-2026-1281)",
@@ -30967,7 +31023,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30988,7 +31045,7 @@
     "cwe_refs": [
       "CWE-288"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://devnet.kentico.com/download/hotfixes",
@@ -31017,11 +31074,21 @@
         "published_date": "2025-10-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://devnet.kentico.com/download/hotfixes ; https://nvd.nist.gov/vuln/detail/CVE-2025-2746",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.",
+    "iocs": {
+      "behavioral": [
+        "Kentico Xperience CMS reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Kentico Xperience CMS consistent with an authentication bypass using an alternate path or channel (CWE-288).",
+        "Post-exploitation indicators on the Kentico Xperience CMS — web shells under the web root, unexpected process execution, or use of administrative functions with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-2746, CISA KEV (added 2025-10-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-2747": {
     "name": "Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability (variant: CVE-2025-2747)",
@@ -31063,7 +31130,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -31084,7 +31152,7 @@
     "cwe_refs": [
       "CWE-288"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://devnet.kentico.com/download/hotfixes",
@@ -31113,11 +31181,21 @@
         "published_date": "2025-10-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://devnet.kentico.com/download/hotfixes ; https://nvd.nist.gov/vuln/detail/CVE-2025-2747",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects.",
+    "iocs": {
+      "behavioral": [
+        "Kentico Xperience CMS reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Kentico Xperience CMS consistent with an authentication bypass using an alternate path or channel (CWE-288.",
+        "Post-exploitation indicators on the Kentico Xperience CMS — web shells under the web root, unexpected process execution, or use of administrative functions with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-2747, CISA KEV (added 2025-10-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-33073": {
     "name": "Microsoft Windows SMB Client Improper Access Control Vulnerability",
@@ -39828,7 +39906,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39849,7 +39928,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9",
@@ -39878,11 +39957,21 @@
         "published_date": "2025-06-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-02; due date 2025-06-23. Notes reference: https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9 ; https://nvd.nist.gov/vuln/detail/CVE-2024-56145",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.",
+    "iocs": {
+      "behavioral": [
+        "Craft CMS reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Craft CMS consistent with code-injection flaw (CWE-94.",
+        "Post-exploitation indicators on the Craft CMS — web shells under the web root, unexpected process execution, or use of administrative functions with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-56145, CISA KEV (added 2025-06-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-39780": {
     "name": "ASUS RT-AX55 Routers OS Command Injection Vulnerability",