@blamejs/exceptd-skills 0.15.17 → 0.15.19

package/data/cve-catalog.json

@@ -7729,7 +7729,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190",
+      "T1505.003"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -7750,7 +7752,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8",
@@ -7779,11 +7781,21 @@
         "published_date": "2026-04-28"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-28; due date 2026-05-12. Notes reference: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 ; https://nvd.nist.gov/vuln/detail/CVE-2024-1708",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems.",
+    "iocs": {
+      "behavioral": [
+        "ConnectWise ScreenConnect reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ScreenConnect consistent with path-traversal flaw (CWE-22) letting an attacker write or read files outside the intended directory.",
+        "Post-exploitation indicators on the ScreenConnect — web shells, unexpected process execution, use of forged or leaked key material, or access to functions/files with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-1708, CISA KEV (added 2026-04-28), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-29635": {
     "name": "D-Link DIR-823X Command Injection Vulnerability",
@@ -22837,7 +22849,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22858,7 +22870,7 @@
     "cwe_refs": [
       "CWE-190"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://source.android.com/docs/security/bulletin/2026/2026-03-01",
@@ -22887,11 +22899,21 @@
         "published_date": "2026-03-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-03; due date 2026-03-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://source.android.com/docs/security/bulletin/2026/2026-03-01 ; https://nvd.nist.go",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. ",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with integer-overflow memory-corruption flaw (CWE-190) in Qualcomm chipset firmware/driver code, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21385, CISA KEV (added 2026-03-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2022-20775": {
     "name": "Cisco SD-WAN Path Traversal Vulnerability",
@@ -25983,7 +26005,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -26004,7 +26026,7 @@
     "cwe_refs": [
       "CWE-190"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/about/",
@@ -26036,11 +26058,21 @@
         "published_date": "2026-01-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For mor",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system.",
+    "iocs": {
+      "behavioral": [
+        "Linux kernel at a patch level below the fixed version named in the distribution kernel advisory on a device with any local foothold.",
+        "Kernel crashes or memory-corruption signatures consistent with integer-overflow flaw (CWE-190) in the Linux kernel create_elf_tables() path ('Mutagen Astronomy'), often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining root privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2018-14634, CISA KEV (added 2026-01-26), and the kernel/distribution advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-52691": {
     "name": "SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -28084,7 +28116,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -28105,7 +28138,7 @@
     "cwe_refs": [
       "CWE-798"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.centrestack.com/p/gce_latest_release.html",
@@ -28136,11 +28169,21 @@
         "published_date": "2025-12-15"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-15; due date 2026-01-05. Notes reference: https://www.centrestack.com/p/gce_latest_release.html ; https://access.triofox.com/releases_history/; https://support.centrestack.com/hc/en-us/articles/360007159054-Hardening-the-CentreStack-Cluster#h",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication.",
+    "iocs": {
+      "behavioral": [
+        "Gladinet CentreStack and Triofox reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the CentreStack/Triofox consistent with use of hard-coded cryptographic key (CWE-798) letting an attacker forge trusted material to gain unauthorized access and code execution.",
+        "Post-exploitation indicators on the CentreStack/Triofox — web shells, unexpected process execution, use of forged or leaked key material, or access to functions/files with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-14611, CISA KEV (added 2025-12-15), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2018-4063": {
     "name": "Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -29666,7 +29709,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29687,7 +29731,7 @@
     "cwe_refs": [
       "CWE-284"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://access.triofox.com/releases_history",
@@ -29716,11 +29760,21 @@
         "published_date": "2025-11-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-12; due date 2025-12-03. Notes reference: https://access.triofox.com/releases_history ; https://nvd.nist.gov/vuln/detail/CVE-2025-12480",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete.",
+    "iocs": {
+      "behavioral": [
+        "Gladinet Triofox reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Triofox consistent with improper-access-control flaw (CWE-284) letting an unauthenticated attacker reach functionality reserved for authorized users.",
+        "Post-exploitation indicators on the Triofox — web shells, unexpected process execution, use of forged or leaked key material, or access to functions/files with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-12480, CISA KEV (added 2025-11-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-62215": {
     "name": "Microsoft Windows Race Condition Vulnerability",
@@ -30155,7 +30209,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30176,7 +30231,7 @@
     "cwe_refs": [
       "CWE-552"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.centrestack.com/p/gce_latest_release.html",
@@ -30205,11 +30260,21 @@
         "published_date": "2025-11-04"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-04; due date 2025-11-25. Notes reference: https://www.centrestack.com/p/gce_latest_release.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-11371",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Gladinet CentreStack and Triofox contains a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Gladinet CentreStack and Triofox contains a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files.",
+    "iocs": {
+      "behavioral": [
+        "Gladinet CentreStack and Triofox reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the CentreStack/Triofox consistent with files-or-directories-accessible-to-external-parties flaw (CWE-552) disclosing server files including the machine key.",
+        "Post-exploitation indicators on the CentreStack/Triofox — web shells, unexpected process execution, use of forged or leaked key material, or access to functions/files with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-11371, CISA KEV (added 2025-11-04), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-41244": {
     "name": "Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability",
@@ -30443,7 +30508,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30464,7 +30530,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204",
@@ -30493,11 +30559,21 @@
         "published_date": "2025-10-28"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-28; due date 2025-11-18. Notes reference: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6204",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code.",
+    "iocs": {
+      "behavioral": [
+        "Dassault Systèmes DELMIA Apriso reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the DELMIA Apriso consistent with code-injection flaw (CWE-94) enabling unauthenticated remote code execution on the manufacturing-operations server.",
+        "Post-exploitation indicators on the DELMIA Apriso — web shells, unexpected process execution, use of forged or leaked key material, or access to functions/files with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-6204, CISA KEV (added 2025-10-28), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-6205": {
     "name": "Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability",
@@ -30539,7 +30615,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30560,7 +30637,7 @@
     "cwe_refs": [
       "CWE-862"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205",
@@ -30589,11 +30666,21 @@
         "published_date": "2025-10-28"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-28; due date 2025-11-18. Notes reference: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6205",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application.",
+    "iocs": {
+      "behavioral": [
+        "Dassault Systèmes DELMIA Apriso reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the DELMIA Apriso consistent with missing-authorization flaw (CWE-862) letting an unauthenticated attacker reach privileged functionality.",
+        "Post-exploitation indicators on the DELMIA Apriso — web shells, unexpected process execution, use of forged or leaked key material, or access to functions/files with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-6205, CISA KEV (added 2025-10-28), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-54236": {
     "name": "Adobe Commerce and Magento Improper Input Validation Vulnerability",
@@ -32139,7 +32226,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32160,7 +32247,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21",
@@ -32192,11 +32279,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21 ; https://git.kernel.org/pub/scm/linux/kernel/git/torvald",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.",
+    "iocs": {
+      "behavioral": [
+        "Linux kernel at a patch level below the fixed version named in the distribution kernel advisory on a device with any local foothold.",
+        "Kernel crashes or memory-corruption signatures consistent with heap out-of-bounds write (CWE-787) in the Linux kernel netfilter x_tables, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining root privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-22555, CISA KEV (added 2025-10-06), and the kernel/distribution advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2010-3962": {
     "name": "Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability",
@@ -34054,7 +34151,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34075,7 +34173,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.3ds.com/trust-center/security/security-advisories/cve-2025-5086",
@@ -34104,11 +34202,21 @@
         "published_date": "2025-09-11"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-11; due date 2025-10-02. Notes reference: https://www.3ds.com/trust-center/security/security-advisories/cve-2025-5086 ; https://nvd.nist.gov/vuln/detail/CVE-2025-5086",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution.",
+    "iocs": {
+      "behavioral": [
+        "Dassault Systèmes DELMIA Apriso reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the DELMIA Apriso consistent with deserialization-of-untrusted-data flaw (CWE-502) enabling unauthenticated remote code execution.",
+        "Post-exploitation indicators on the DELMIA Apriso — web shells, unexpected process execution, use of forged or leaked key material, or access to functions/files with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-5086, CISA KEV (added 2025-09-11), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48543": {
     "name": "Android Runtime Use-After-Free Vulnerability",
@@ -38586,7 +38694,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -38607,7 +38715,7 @@
     "cwe_refs": [
       "CWE-282"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a",
@@ -38638,11 +38746,21 @@
         "published_date": "2025-06-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-17; due date 2025-07-08. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://git.kernel.org/pub/scm/linux/kernel/",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.",
+    "iocs": {
+      "behavioral": [
+        "Linux kernel at a patch level below the fixed version named in the distribution kernel advisory on a device with any local foothold.",
+        "Kernel crashes or memory-corruption signatures consistent with improper-ownership-management flaw (CWE-282) in the Linux kernel OverlayFS, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining root privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-0386, CISA KEV (added 2025-06-17), and the kernel/distribution advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-33538": {
     "name": "TP-Link Multiple Routers Command Injection Vulnerability",
@@ -39383,7 +39501,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39404,7 +39522,7 @@
     "cwe_refs": [
       "CWE-863"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html",
@@ -39433,11 +39551,21 @@
         "published_date": "2025-06-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-21479, CISA KEV (added 2025-06-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-21480": {
     "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability (variant: CVE-2025-21480)",
@@ -39478,7 +39606,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39499,7 +39627,7 @@
     "cwe_refs": [
       "CWE-863"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html",
@@ -39528,11 +39656,21 @@
         "published_date": "2025-06-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver (a related variant), often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-21480, CISA KEV (added 2025-06-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-27038": {
     "name": "Qualcomm Multiple Chipsets Use-After-Free Vulnerability",
@@ -39573,7 +39711,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39594,7 +39732,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html",
@@ -39623,11 +39761,21 @@
         "published_date": "2025-06-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in the Qualcomm Adreno GPU driver, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-27038, CISA KEV (added 2025-06-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-32030": {
     "name": "ASUS Routers Improper Authentication Vulnerability",
@@ -39766,7 +39914,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39787,7 +39936,7 @@
     "cwe_refs": [
       "CWE-287"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4",
@@ -39816,11 +39965,21 @@
         "published_date": "2025-06-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-02; due date 2025-06-23. Notes reference: https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4 ;   https://nvd.nist.gov/vuln/detail/CVE-2025-3935",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.",
+    "iocs": {
+      "behavioral": [
+        "ConnectWise ScreenConnect reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ScreenConnect consistent with improper-authentication flaw (CWE-287) letting an unauthenticated attacker bypass authentication via ASP.NET ViewState / machine-key abuse.",
+        "Post-exploitation indicators on the ScreenConnect — web shells, unexpected process execution, use of forged or leaked key material, or access to functions/files with no corresponding legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-3935, CISA KEV (added 2025-06-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-35939": {
     "name": "Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability",