@blamejs/exceptd-skills 0.15.17 → 0.15.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/CHANGELOG.md +8 -0
  2. package/data/_indexes/_meta.json +5 -5
  3. package/data/attack-techniques.json +16 -7
  4. package/data/cve-catalog.json +249 -90
  5. package/data/zeroday-lessons.json +582 -197
  6. package/manifest.json +44 -44
  7. package/package.json +1 -1
  8. package/sbom.cdx.json +18 -18
package/data/zeroday-lessons.json CHANGED
@@ -6871,35 +6871,63 @@
6871
6871
  },
6872
6872
  "CVE-2024-1708": {
6873
6873
  "name": "ConnectWise ScreenConnect Path Traversal Vulnerability",
6874
- "lesson_date": "2026-05-18",
6874
+ "lesson_date": "2026-05-29",
6875
6875
  "attack_vector": {
6876
- "description": "ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems.",
6877
- "privileges_required": "network attacker (no authentication required)",
6878
- "complexity": "moderate (bulk-import default)",
6879
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
6876
+ "description": "a path-traversal flaw (CWE-22) letting an attacker write or read files outside the intended directory (used with the companion authentication bypass to drop a web shell). CISA KEV-listed 2026-04-28 with confirmed in-the-wild exploitation.",
6877
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
6878
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
6879
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
6880
+ },
6881
+ "defense_chain": {
6882
+ "prevention": {
6883
+ "what_would_have_worked": "Apply the ConnectWise ScreenConnect update; hunt for ASPX/web shells dropped via the traversal and rotate ScreenConnect credentials. ScreenConnect is RMM, so downstream managed endpoints are in the blast radius.",
6884
+ "was_this_required": true,
6885
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
6886
+ "adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
6887
+ },
6888
+ "detection": {
6889
+ "what_would_have_worked": "Monitoring on the ScreenConnect: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
6890
+ "was_this_required": false,
6891
+ "framework_requiring_it": null,
6892
+ "adequacy": "Necessary to catch resident persistence and key abuse after patching."
6893
+ },
6894
+ "response": {
6895
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the ScreenConnect; assume compromise of accounts and managed endpoints in its reach.",
6896
+ "was_this_required": true,
6897
+ "framework_requiring_it": "NIST 800-53 IR-4",
6898
+ "adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
6899
+ }
6880
6900
  },
6881
6901
  "framework_coverage": {
6882
6902
  "NIST-800-53-SI-2": {
6883
6903
  "covered": true,
6884
6904
  "adequate": false,
6885
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
6905
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
6886
6906
  },
6887
6907
  "ISO-27001-2022-A.8.8": {
6888
6908
  "covered": true,
6889
6909
  "adequate": false,
6890
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6910
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
6911
+ },
6912
+ "NIS2-Art21-network-security": {
6913
+ "covered": true,
6914
+ "adequate": false,
6915
+ "gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
6916
+ },
6917
+ "PCI-DSS-4.0-6.3.3": {
6918
+ "covered": true,
6919
+ "adequate": false,
6920
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
6891
6921
  }
6892
6922
  },
6893
6923
  "compliance_exposure_score": {
6894
- "percent_audit_passing_orgs_still_exposed": 75,
6895
- "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
6924
+ "percent_audit_passing_orgs_still_exposed": 76,
6925
+ "basis": "Internet-facing ConnectWise ScreenConnect is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
6896
6926
  "theater_pattern": "patch_management"
6897
6927
  },
6898
6928
  "ai_discovered_zeroday": false,
6899
- "ai_discovery_source": "unknown",
6900
- "ai_assist_factor": "none",
6901
- "_auto_imported": true,
6902
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
6929
+ "ai_discovery_source": "vendor_research",
6930
+ "ai_assist_factor": "none"
6903
6931
  },
6904
6932
  "CVE-2025-29635": {
6905
6933
  "name": "D-Link DIR-823X Command Injection Vulnerability",
@@ -11942,35 +11970,58 @@
11942
11970
  },
11943
11971
  "CVE-2026-21385": {
11944
11972
  "name": "Qualcomm Multiple Chipsets Memory Corruption Vulnerability",
11945
- "lesson_date": "2026-05-18",
11973
+ "lesson_date": "2026-05-29",
11946
11974
  "attack_vector": {
11947
- "description": "Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. ",
11948
- "privileges_required": "network attacker (no authentication required)",
11949
- "complexity": "moderate (bulk-import default)",
11950
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
11975
+ "description": "an integer-overflow memory-corruption flaw (CWE-190) in Qualcomm chipset firmware/driver code, exploited by a local foothold to escalate privileges on the device. CISA KEV-listed 2026-03-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
11976
+ "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
11977
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
11978
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
11979
+ },
11980
+ "defense_chain": {
11981
+ "prevention": {
11982
+ "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
11983
+ "was_this_required": true,
11984
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
11985
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
11986
+ },
11987
+ "detection": {
11988
+ "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
11989
+ "was_this_required": false,
11990
+ "framework_requiring_it": null,
11991
+ "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
11992
+ },
11993
+ "response": {
11994
+ "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
11995
+ "was_this_required": true,
11996
+ "framework_requiring_it": "NIST 800-53 IR-4",
11997
+ "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
11998
+ }
11951
11999
  },
11952
12000
  "framework_coverage": {
11953
12001
  "NIST-800-53-SI-2": {
11954
12002
  "covered": true,
11955
12003
  "adequate": false,
11956
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
12004
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
11957
12005
  },
11958
12006
  "ISO-27001-2022-A.8.8": {
11959
12007
  "covered": true,
11960
12008
  "adequate": false,
11961
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12009
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
12010
+ },
12011
+ "AU-ISM-1546": {
12012
+ "covered": true,
12013
+ "adequate": false,
12014
+ "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
11962
12015
  }
11963
12016
  },
11964
12017
  "compliance_exposure_score": {
11965
- "percent_audit_passing_orgs_still_exposed": 55,
11966
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
12018
+ "percent_audit_passing_orgs_still_exposed": 66,
12019
+ "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
11967
12020
  "theater_pattern": "patch_management"
11968
12021
  },
11969
12022
  "ai_discovered_zeroday": false,
11970
- "ai_discovery_source": "unknown",
11971
- "ai_assist_factor": "none",
11972
- "_auto_imported": true,
11973
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
12023
+ "ai_discovery_source": "vendor_research",
12024
+ "ai_assist_factor": "none"
11974
12025
  },
11975
12026
  "CVE-2022-20775": {
11976
12027
  "name": "Cisco SD-WAN Path Traversal Vulnerability",
@@ -13316,35 +13367,58 @@
13316
13367
  },
13317
13368
  "CVE-2018-14634": {
13318
13369
  "name": "Linux Kernel Integer Overflow Vulnerability",
13319
- "lesson_date": "2026-05-18",
13370
+ "lesson_date": "2026-05-29",
13320
13371
  "attack_vector": {
13321
- "description": "Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system.",
13322
- "privileges_required": "network attacker (no authentication required)",
13323
- "complexity": "moderate (bulk-import default)",
13324
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
13372
+ "description": "an integer-overflow flaw (CWE-190) in the Linux kernel create_elf_tables() path ('Mutagen Astronomy'), exploited by a local user via a crafted SUID binary to gain root. CISA KEV-listed 2026-01-26 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
13373
+ "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
13374
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
13375
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
13376
+ },
13377
+ "defense_chain": {
13378
+ "prevention": {
13379
+ "what_would_have_worked": "Apply the distribution kernel update (or live-patch via kpatch/livepatch); enable kernel hardening (lockdown, restricting unprivileged user namespaces where the flaw requires them) to shrink the LPE surface.",
13380
+ "was_this_required": true,
13381
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
13382
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
13383
+ },
13384
+ "detection": {
13385
+ "what_would_have_worked": "EDR/auditd telemetry for the LPE primitive (kernel crashes, unexpected SUID/namespace activity) and unprivileged-to-root transitions without a legitimate trigger.",
13386
+ "was_this_required": false,
13387
+ "framework_requiring_it": null,
13388
+ "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
13389
+ },
13390
+ "response": {
13391
+ "what_would_have_worked": "Force the kernel update across the estate; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
13392
+ "was_this_required": true,
13393
+ "framework_requiring_it": "NIST 800-53 IR-4",
13394
+ "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
13395
+ }
13325
13396
  },
13326
13397
  "framework_coverage": {
13327
13398
  "NIST-800-53-SI-2": {
13328
13399
  "covered": true,
13329
13400
  "adequate": false,
13330
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
13401
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
13331
13402
  },
13332
13403
  "ISO-27001-2022-A.8.8": {
13333
13404
  "covered": true,
13334
13405
  "adequate": false,
13335
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13406
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
13407
+ },
13408
+ "AU-ISM-1546": {
13409
+ "covered": true,
13410
+ "adequate": false,
13411
+ "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
13336
13412
  }
13337
13413
  },
13338
13414
  "compliance_exposure_score": {
13339
- "percent_audit_passing_orgs_still_exposed": 55,
13340
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
13415
+ "percent_audit_passing_orgs_still_exposed": 66,
13416
+ "basis": "Linux kernel is ubiquitous; audited organizations gate kernel patches behind change windows or reboot-avoidance, leaving the LPE chain open well past the in-the-wild exploitation window.",
13341
13417
  "theater_pattern": "patch_management"
13342
13418
  },
13343
13419
  "ai_discovered_zeroday": false,
13344
- "ai_discovery_source": "unknown",
13345
- "ai_assist_factor": "none",
13346
- "_auto_imported": true,
13347
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
13420
+ "ai_discovery_source": "vendor_research",
13421
+ "ai_assist_factor": "none"
13348
13422
  },
13349
13423
  "CVE-2025-52691": {
13350
13424
  "name": "SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -14174,35 +14248,63 @@
14174
14248
  },
14175
14249
  "CVE-2025-14611": {
14176
14250
  "name": "Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability",
14177
- "lesson_date": "2026-05-18",
14251
+ "lesson_date": "2026-05-29",
14178
14252
  "attack_vector": {
14179
- "description": "Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication.",
14180
- "privileges_required": "network attacker (no authentication required)",
14181
- "complexity": "moderate (bulk-import default)",
14182
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
14253
+ "description": "a use of hard-coded cryptographic key (CWE-798) letting an attacker forge trusted material to gain unauthorized access and code execution. CISA KEV-listed 2025-12-15 with confirmed in-the-wild exploitation.",
14254
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
14255
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
14256
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
14257
+ },
14258
+ "defense_chain": {
14259
+ "prevention": {
14260
+ "what_would_have_worked": "Apply the Gladinet CentreStack/Triofox update and confirm the hard-coded key is regenerated, not just patched — stale forged tokens remain valid until the key is rotated.",
14261
+ "was_this_required": true,
14262
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
14263
+ "adequacy": "Patch is necessary but insufficient alone — forged tokens / leaked keys survive the patch and require explicit key rotation."
14264
+ },
14265
+ "detection": {
14266
+ "what_would_have_worked": "Monitoring on the CentreStack/Triofox: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
14267
+ "was_this_required": false,
14268
+ "framework_requiring_it": null,
14269
+ "adequacy": "Necessary to catch resident persistence and key abuse after patching."
14270
+ },
14271
+ "response": {
14272
+ "what_would_have_worked": "Patch immediately, rotate the affected cryptographic/machine keys, rotate application secrets and credentials, and review data and downstream systems reachable from the CentreStack/Triofox; assume compromise of accounts and managed endpoints in its reach.",
14273
+ "was_this_required": true,
14274
+ "framework_requiring_it": "NIST 800-53 IR-4",
14275
+ "adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
14276
+ }
14183
14277
  },
14184
14278
  "framework_coverage": {
14185
14279
  "NIST-800-53-SI-2": {
14186
14280
  "covered": true,
14187
14281
  "adequate": false,
14188
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
14282
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
14189
14283
  },
14190
14284
  "ISO-27001-2022-A.8.8": {
14191
14285
  "covered": true,
14192
14286
  "adequate": false,
14193
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14287
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
14288
+ },
14289
+ "NIS2-Art21-network-security": {
14290
+ "covered": true,
14291
+ "adequate": false,
14292
+ "gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
14293
+ },
14294
+ "PCI-DSS-4.0-6.3.3": {
14295
+ "covered": true,
14296
+ "adequate": false,
14297
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
14194
14298
  }
14195
14299
  },
14196
14300
  "compliance_exposure_score": {
14197
- "percent_audit_passing_orgs_still_exposed": 55,
14198
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
14301
+ "percent_audit_passing_orgs_still_exposed": 76,
14302
+ "basis": "Internet-facing Gladinet CentreStack and Triofox is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
14199
14303
  "theater_pattern": "patch_management"
14200
14304
  },
14201
14305
  "ai_discovered_zeroday": false,
14202
- "ai_discovery_source": "unknown",
14203
- "ai_assist_factor": "none",
14204
- "_auto_imported": true,
14205
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
14306
+ "ai_discovery_source": "vendor_research",
14307
+ "ai_assist_factor": "none"
14206
14308
  },
14207
14309
  "CVE-2018-4063": {
14208
14310
  "name": "Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -14793,35 +14895,63 @@
14793
14895
  },
14794
14896
  "CVE-2025-12480": {
14795
14897
  "name": "Gladinet Triofox Improper Access Control Vulnerability",
14796
- "lesson_date": "2026-05-18",
14898
+ "lesson_date": "2026-05-29",
14797
14899
  "attack_vector": {
14798
- "description": "Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete.",
14799
- "privileges_required": "network attacker (no authentication required)",
14800
- "complexity": "moderate (bulk-import default)",
14801
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
14900
+ "description": "an improper-access-control flaw (CWE-284) letting an unauthenticated attacker reach functionality reserved for authorized users. CISA KEV-listed 2025-11-12 with confirmed in-the-wild exploitation.",
14901
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
14902
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
14903
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
14904
+ },
14905
+ "defense_chain": {
14906
+ "prevention": {
14907
+ "what_would_have_worked": "Apply the Gladinet Triofox update and review for unauthorized access to shared files during the exposure window.",
14908
+ "was_this_required": true,
14909
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
14910
+ "adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
14911
+ },
14912
+ "detection": {
14913
+ "what_would_have_worked": "Monitoring on the Triofox: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
14914
+ "was_this_required": false,
14915
+ "framework_requiring_it": null,
14916
+ "adequacy": "Necessary to catch resident persistence and key abuse after patching."
14917
+ },
14918
+ "response": {
14919
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the Triofox; assume compromise of accounts and managed endpoints in its reach.",
14920
+ "was_this_required": true,
14921
+ "framework_requiring_it": "NIST 800-53 IR-4",
14922
+ "adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
14923
+ }
14802
14924
  },
14803
14925
  "framework_coverage": {
14804
14926
  "NIST-800-53-SI-2": {
14805
14927
  "covered": true,
14806
14928
  "adequate": false,
14807
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
14929
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
14808
14930
  },
14809
14931
  "ISO-27001-2022-A.8.8": {
14810
14932
  "covered": true,
14811
14933
  "adequate": false,
14812
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14934
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
14935
+ },
14936
+ "NIS2-Art21-network-security": {
14937
+ "covered": true,
14938
+ "adequate": false,
14939
+ "gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
14940
+ },
14941
+ "PCI-DSS-4.0-6.3.3": {
14942
+ "covered": true,
14943
+ "adequate": false,
14944
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
14813
14945
  }
14814
14946
  },
14815
14947
  "compliance_exposure_score": {
14816
- "percent_audit_passing_orgs_still_exposed": 55,
14817
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
14948
+ "percent_audit_passing_orgs_still_exposed": 76,
14949
+ "basis": "Internet-facing Gladinet Triofox is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
14818
14950
  "theater_pattern": "patch_management"
14819
14951
  },
14820
14952
  "ai_discovered_zeroday": false,
14821
- "ai_discovery_source": "unknown",
14822
- "ai_assist_factor": "none",
14823
- "_auto_imported": true,
14824
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
14953
+ "ai_discovery_source": "vendor_research",
14954
+ "ai_assist_factor": "none"
14825
14955
  },
14826
14956
  "CVE-2025-62215": {
14827
14957
  "name": "Microsoft Windows Race Condition Vulnerability",
@@ -14976,35 +15106,63 @@
14976
15106
  },
14977
15107
  "CVE-2025-11371": {
14978
15108
  "name": "Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability",
14979
- "lesson_date": "2026-05-18",
15109
+ "lesson_date": "2026-05-29",
14980
15110
  "attack_vector": {
14981
- "description": "Gladinet CentreStack and Triofox contains a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files.",
14982
- "privileges_required": "network attacker (no authentication required)",
14983
- "complexity": "moderate (bulk-import default)",
14984
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
15111
+ "description": "a files-or-directories-accessible-to-external-parties flaw (CWE-552) disclosing server files including the machine key, enabling a follow-on deserialization remote code execution. CISA KEV-listed 2025-11-04 with confirmed in-the-wild exploitation.",
15112
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
15113
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
15114
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
15115
+ },
15116
+ "defense_chain": {
15117
+ "prevention": {
15118
+ "what_would_have_worked": "Apply the Gladinet CentreStack/Triofox update AND rotate the machine key — the disclosure leaks the key that enables the deserialization RCE, so patching without key rotation leaves the RCE path open.",
15119
+ "was_this_required": true,
15120
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
15121
+ "adequacy": "Patch is necessary but insufficient alone — forged tokens / leaked keys survive the patch and require explicit key rotation."
15122
+ },
15123
+ "detection": {
15124
+ "what_would_have_worked": "Monitoring on the CentreStack/Triofox: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
15125
+ "was_this_required": false,
15126
+ "framework_requiring_it": null,
15127
+ "adequacy": "Necessary to catch resident persistence and key abuse after patching."
15128
+ },
15129
+ "response": {
15130
+ "what_would_have_worked": "Patch immediately, rotate the affected cryptographic/machine keys, rotate application secrets and credentials, and review data and downstream systems reachable from the CentreStack/Triofox; assume compromise of accounts and managed endpoints in its reach.",
15131
+ "was_this_required": true,
15132
+ "framework_requiring_it": "NIST 800-53 IR-4",
15133
+ "adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
15134
+ }
14985
15135
  },
14986
15136
  "framework_coverage": {
14987
15137
  "NIST-800-53-SI-2": {
14988
15138
  "covered": true,
14989
15139
  "adequate": false,
14990
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
15140
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
14991
15141
  },
14992
15142
  "ISO-27001-2022-A.8.8": {
14993
15143
  "covered": true,
14994
15144
  "adequate": false,
14995
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15145
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
15146
+ },
15147
+ "NIS2-Art21-network-security": {
15148
+ "covered": true,
15149
+ "adequate": false,
15150
+ "gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
15151
+ },
15152
+ "PCI-DSS-4.0-6.3.3": {
15153
+ "covered": true,
15154
+ "adequate": false,
15155
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
14996
15156
  }
14997
15157
  },
14998
15158
  "compliance_exposure_score": {
14999
- "percent_audit_passing_orgs_still_exposed": 55,
15000
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
15159
+ "percent_audit_passing_orgs_still_exposed": 76,
15160
+ "basis": "Internet-facing Gladinet CentreStack and Triofox is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
15001
15161
  "theater_pattern": "patch_management"
15002
15162
  },
15003
15163
  "ai_discovered_zeroday": false,
15004
- "ai_discovery_source": "unknown",
15005
- "ai_assist_factor": "none",
15006
- "_auto_imported": true,
15007
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
15164
+ "ai_discovery_source": "vendor_research",
15165
+ "ai_assist_factor": "none"
15008
15166
  },
15009
15167
  "CVE-2025-41244": {
15010
15168
  "name": "Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability",
@@ -15072,67 +15230,123 @@
15072
15230
  },
15073
15231
  "CVE-2025-6204": {
15074
15232
  "name": "Dassault Systèmes DELMIA Apriso Code Injection Vulnerability",
15075
- "lesson_date": "2026-05-18",
15233
+ "lesson_date": "2026-05-29",
15076
15234
  "attack_vector": {
15077
- "description": "Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code.",
15078
- "privileges_required": "network attacker (no authentication required)",
15079
- "complexity": "moderate (bulk-import default)",
15080
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
15235
+ "description": "a code-injection flaw (CWE-94) enabling unauthenticated remote code execution on the manufacturing-operations server. CISA KEV-listed 2025-10-28 with confirmed in-the-wild exploitation.",
15236
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
15237
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
15238
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
15239
+ },
15240
+ "defense_chain": {
15241
+ "prevention": {
15242
+ "what_would_have_worked": "Apply the Dassault DELMIA Apriso update; hunt for web shells and rotate service credentials. DELMIA Apriso sits in the manufacturing-operations layer, so treat compromise as OT-adjacent.",
15243
+ "was_this_required": true,
15244
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
15245
+ "adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
15246
+ },
15247
+ "detection": {
15248
+ "what_would_have_worked": "Monitoring on the DELMIA Apriso: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
15249
+ "was_this_required": false,
15250
+ "framework_requiring_it": null,
15251
+ "adequacy": "Necessary to catch resident persistence and key abuse after patching."
15252
+ },
15253
+ "response": {
15254
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the DELMIA Apriso; assume compromise of accounts and managed endpoints in its reach.",
15255
+ "was_this_required": true,
15256
+ "framework_requiring_it": "NIST 800-53 IR-4",
15257
+ "adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
15258
+ }
15081
15259
  },
15082
15260
  "framework_coverage": {
15083
15261
  "NIST-800-53-SI-2": {
15084
15262
  "covered": true,
15085
15263
  "adequate": false,
15086
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
15264
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
15087
15265
  },
15088
15266
  "ISO-27001-2022-A.8.8": {
15089
15267
  "covered": true,
15090
15268
  "adequate": false,
15091
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15092
- }
15269
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
15270
+ },
15271
+ "NIS2-Art21-network-security": {
15272
+ "covered": true,
15273
+ "adequate": false,
15274
+ "gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
15275
+ },
15276
+ "PCI-DSS-4.0-6.3.3": {
15277
+ "covered": true,
15278
+ "adequate": false,
15279
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
15280
+ }
15093
15281
  },
15094
15282
  "compliance_exposure_score": {
15095
- "percent_audit_passing_orgs_still_exposed": 55,
15096
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
15283
+ "percent_audit_passing_orgs_still_exposed": 76,
15284
+ "basis": "Internet-facing Dassault Systèmes DELMIA Apriso is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
15097
15285
  "theater_pattern": "patch_management"
15098
15286
  },
15099
15287
  "ai_discovered_zeroday": false,
15100
- "ai_discovery_source": "unknown",
15101
- "ai_assist_factor": "none",
15102
- "_auto_imported": true,
15103
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
15288
+ "ai_discovery_source": "vendor_research",
15289
+ "ai_assist_factor": "none"
15104
15290
  },
15105
15291
  "CVE-2025-6205": {
15106
15292
  "name": "Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability",
15107
- "lesson_date": "2026-05-18",
15293
+ "lesson_date": "2026-05-29",
15108
15294
  "attack_vector": {
15109
- "description": "Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application.",
15110
- "privileges_required": "network attacker (no authentication required)",
15111
- "complexity": "moderate (bulk-import default)",
15112
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
15295
+ "description": "a missing-authorization flaw (CWE-862) letting an unauthenticated attacker reach privileged functionality. CISA KEV-listed 2025-10-28 with confirmed in-the-wild exploitation.",
15296
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
15297
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
15298
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
15299
+ },
15300
+ "defense_chain": {
15301
+ "prevention": {
15302
+ "what_would_have_worked": "Apply the Dassault DELMIA Apriso update and review privileged-function access during the exposure window.",
15303
+ "was_this_required": true,
15304
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
15305
+ "adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
15306
+ },
15307
+ "detection": {
15308
+ "what_would_have_worked": "Monitoring on the DELMIA Apriso: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
15309
+ "was_this_required": false,
15310
+ "framework_requiring_it": null,
15311
+ "adequacy": "Necessary to catch resident persistence and key abuse after patching."
15312
+ },
15313
+ "response": {
15314
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the DELMIA Apriso; assume compromise of accounts and managed endpoints in its reach.",
15315
+ "was_this_required": true,
15316
+ "framework_requiring_it": "NIST 800-53 IR-4",
15317
+ "adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
15318
+ }
15113
15319
  },
15114
15320
  "framework_coverage": {
15115
15321
  "NIST-800-53-SI-2": {
15116
15322
  "covered": true,
15117
15323
  "adequate": false,
15118
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
15324
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
15119
15325
  },
15120
15326
  "ISO-27001-2022-A.8.8": {
15121
15327
  "covered": true,
15122
15328
  "adequate": false,
15123
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15329
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
15330
+ },
15331
+ "NIS2-Art21-network-security": {
15332
+ "covered": true,
15333
+ "adequate": false,
15334
+ "gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
15335
+ },
15336
+ "PCI-DSS-4.0-6.3.3": {
15337
+ "covered": true,
15338
+ "adequate": false,
15339
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
15124
15340
  }
15125
15341
  },
15126
15342
  "compliance_exposure_score": {
15127
- "percent_audit_passing_orgs_still_exposed": 55,
15128
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
15343
+ "percent_audit_passing_orgs_still_exposed": 76,
15344
+ "basis": "Internet-facing Dassault Systèmes DELMIA Apriso is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
15129
15345
  "theater_pattern": "patch_management"
15130
15346
  },
15131
15347
  "ai_discovered_zeroday": false,
15132
- "ai_discovery_source": "unknown",
15133
- "ai_assist_factor": "none",
15134
- "_auto_imported": true,
15135
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
15348
+ "ai_discovery_source": "vendor_research",
15349
+ "ai_assist_factor": "none"
15136
15350
  },
15137
15351
  "CVE-2025-54236": {
15138
15352
  "name": "Adobe Commerce and Magento Improper Input Validation Vulnerability",
@@ -15774,35 +15988,58 @@
15774
15988
  },
15775
15989
  "CVE-2021-22555": {
15776
15990
  "name": "Linux Kernel Heap Out-of-Bounds Write Vulnerability",
15777
- "lesson_date": "2026-05-18",
15991
+ "lesson_date": "2026-05-29",
15778
15992
  "attack_vector": {
15779
- "description": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.",
15780
- "privileges_required": "network attacker (no authentication required)",
15781
- "complexity": "moderate (bulk-import default)",
15782
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
15993
+ "description": "a heap out-of-bounds write (CWE-787) in the Linux kernel netfilter x_tables, exploited by a local user (with user-namespace access) to gain root. CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
15994
+ "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
15995
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
15996
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
15997
+ },
15998
+ "defense_chain": {
15999
+ "prevention": {
16000
+ "what_would_have_worked": "Apply the distribution kernel update (or live-patch via kpatch/livepatch); enable kernel hardening (lockdown, restricting unprivileged user namespaces where the flaw requires them) to shrink the LPE surface.",
16001
+ "was_this_required": true,
16002
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
16003
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
16004
+ },
16005
+ "detection": {
16006
+ "what_would_have_worked": "EDR/auditd telemetry for the LPE primitive (kernel crashes, unexpected SUID/namespace activity) and unprivileged-to-root transitions without a legitimate trigger.",
16007
+ "was_this_required": false,
16008
+ "framework_requiring_it": null,
16009
+ "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
16010
+ },
16011
+ "response": {
16012
+ "what_would_have_worked": "Force the kernel update across the estate; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
16013
+ "was_this_required": true,
16014
+ "framework_requiring_it": "NIST 800-53 IR-4",
16015
+ "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
16016
+ }
15783
16017
  },
15784
16018
  "framework_coverage": {
15785
16019
  "NIST-800-53-SI-2": {
15786
16020
  "covered": true,
15787
16021
  "adequate": false,
15788
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
16022
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
15789
16023
  },
15790
16024
  "ISO-27001-2022-A.8.8": {
15791
16025
  "covered": true,
15792
16026
  "adequate": false,
15793
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
16027
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
16028
+ },
16029
+ "AU-ISM-1546": {
16030
+ "covered": true,
16031
+ "adequate": false,
16032
+ "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
15794
16033
  }
15795
16034
  },
15796
16035
  "compliance_exposure_score": {
15797
- "percent_audit_passing_orgs_still_exposed": 55,
15798
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
16036
+ "percent_audit_passing_orgs_still_exposed": 66,
16037
+ "basis": "Linux kernel is ubiquitous; audited organizations gate kernel patches behind change windows or reboot-avoidance, leaving the LPE chain open well past the in-the-wild exploitation window.",
15799
16038
  "theater_pattern": "patch_management"
15800
16039
  },
15801
16040
  "ai_discovered_zeroday": false,
15802
- "ai_discovery_source": "unknown",
15803
- "ai_assist_factor": "none",
15804
- "_auto_imported": true,
15805
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
16041
+ "ai_discovery_source": "vendor_research",
16042
+ "ai_assist_factor": "none"
15806
16043
  },
15807
16044
  "CVE-2010-3962": {
15808
16045
  "name": "Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability",
@@ -16558,35 +16795,63 @@
16558
16795
  },
16559
16796
  "CVE-2025-5086": {
16560
16797
  "name": "Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability",
16561
- "lesson_date": "2026-05-18",
16798
+ "lesson_date": "2026-05-29",
16562
16799
  "attack_vector": {
16563
- "description": "Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution.",
16564
- "privileges_required": "network attacker (no authentication required)",
16565
- "complexity": "moderate (bulk-import default)",
16566
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
16800
+ "description": "a deserialization-of-untrusted-data flaw (CWE-502) enabling unauthenticated remote code execution. CISA KEV-listed 2025-09-11 with confirmed in-the-wild exploitation.",
16801
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
16802
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
16803
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
16804
+ },
16805
+ "defense_chain": {
16806
+ "prevention": {
16807
+ "what_would_have_worked": "Apply the Dassault DELMIA Apriso update, hunt for web shells, and rotate service credentials; treat the manufacturing-operations server as OT-adjacent on compromise.",
16808
+ "was_this_required": true,
16809
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
16810
+ "adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
16811
+ },
16812
+ "detection": {
16813
+ "what_would_have_worked": "Monitoring on the DELMIA Apriso: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
16814
+ "was_this_required": false,
16815
+ "framework_requiring_it": null,
16816
+ "adequacy": "Necessary to catch resident persistence and key abuse after patching."
16817
+ },
16818
+ "response": {
16819
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the DELMIA Apriso; assume compromise of accounts and managed endpoints in its reach.",
16820
+ "was_this_required": true,
16821
+ "framework_requiring_it": "NIST 800-53 IR-4",
16822
+ "adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
16823
+ }
16567
16824
  },
16568
16825
  "framework_coverage": {
16569
16826
  "NIST-800-53-SI-2": {
16570
16827
  "covered": true,
16571
16828
  "adequate": false,
16572
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
16829
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
16573
16830
  },
16574
16831
  "ISO-27001-2022-A.8.8": {
16575
16832
  "covered": true,
16576
16833
  "adequate": false,
16577
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
16834
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
16835
+ },
16836
+ "NIS2-Art21-network-security": {
16837
+ "covered": true,
16838
+ "adequate": false,
16839
+ "gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
16840
+ },
16841
+ "PCI-DSS-4.0-6.3.3": {
16842
+ "covered": true,
16843
+ "adequate": false,
16844
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
16578
16845
  }
16579
16846
  },
16580
16847
  "compliance_exposure_score": {
16581
- "percent_audit_passing_orgs_still_exposed": 55,
16582
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
16848
+ "percent_audit_passing_orgs_still_exposed": 76,
16849
+ "basis": "Internet-facing Dassault Systèmes DELMIA Apriso is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
16583
16850
  "theater_pattern": "patch_management"
16584
16851
  },
16585
16852
  "ai_discovered_zeroday": false,
16586
- "ai_discovery_source": "unknown",
16587
- "ai_assist_factor": "none",
16588
- "_auto_imported": true,
16589
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
16853
+ "ai_discovery_source": "vendor_research",
16854
+ "ai_assist_factor": "none"
16590
16855
  },
16591
16856
  "CVE-2025-48543": {
16592
16857
  "name": "Android Runtime Use-After-Free Vulnerability",
@@ -18515,35 +18780,58 @@
18515
18780
  },
18516
18781
  "CVE-2023-0386": {
18517
18782
  "name": "Linux Kernel Improper Ownership Management Vulnerability",
18518
- "lesson_date": "2026-05-18",
18783
+ "lesson_date": "2026-05-29",
18519
18784
  "attack_vector": {
18520
- "description": "Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.",
18521
- "privileges_required": "network attacker (no authentication required)",
18522
- "complexity": "moderate (bulk-import default)",
18523
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
18785
+ "description": "an improper-ownership-management flaw (CWE-282) in the Linux kernel OverlayFS, exploited by a local user to copy a SUID file across mounts and gain root. CISA KEV-listed 2025-06-17 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
18786
+ "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
18787
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
18788
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
18789
+ },
18790
+ "defense_chain": {
18791
+ "prevention": {
18792
+ "what_would_have_worked": "Apply the distribution kernel update (or live-patch via kpatch/livepatch); enable kernel hardening (lockdown, restricting unprivileged user namespaces where the flaw requires them) to shrink the LPE surface.",
18793
+ "was_this_required": true,
18794
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
18795
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
18796
+ },
18797
+ "detection": {
18798
+ "what_would_have_worked": "EDR/auditd telemetry for the LPE primitive (kernel crashes, unexpected SUID/namespace activity) and unprivileged-to-root transitions without a legitimate trigger.",
18799
+ "was_this_required": false,
18800
+ "framework_requiring_it": null,
18801
+ "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
18802
+ },
18803
+ "response": {
18804
+ "what_would_have_worked": "Force the kernel update across the estate; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
18805
+ "was_this_required": true,
18806
+ "framework_requiring_it": "NIST 800-53 IR-4",
18807
+ "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
18808
+ }
18524
18809
  },
18525
18810
  "framework_coverage": {
18526
18811
  "NIST-800-53-SI-2": {
18527
18812
  "covered": true,
18528
18813
  "adequate": false,
18529
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
18814
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
18530
18815
  },
18531
18816
  "ISO-27001-2022-A.8.8": {
18532
18817
  "covered": true,
18533
18818
  "adequate": false,
18534
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
18819
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
18820
+ },
18821
+ "AU-ISM-1546": {
18822
+ "covered": true,
18823
+ "adequate": false,
18824
+ "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
18535
18825
  }
18536
18826
  },
18537
18827
  "compliance_exposure_score": {
18538
- "percent_audit_passing_orgs_still_exposed": 55,
18539
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
18828
+ "percent_audit_passing_orgs_still_exposed": 66,
18829
+ "basis": "Linux kernel is ubiquitous; audited organizations gate kernel patches behind change windows or reboot-avoidance, leaving the LPE chain open well past the in-the-wild exploitation window.",
18540
18830
  "theater_pattern": "patch_management"
18541
18831
  },
18542
18832
  "ai_discovered_zeroday": false,
18543
- "ai_discovery_source": "unknown",
18544
- "ai_assist_factor": "none",
18545
- "_auto_imported": true,
18546
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
18833
+ "ai_discovery_source": "vendor_research",
18834
+ "ai_assist_factor": "none"
18547
18835
  },
18548
18836
  "CVE-2023-33538": {
18549
18837
  "name": "TP-Link Multiple Routers Command Injection Vulnerability",
@@ -18817,99 +19105,168 @@
18817
19105
  },
18818
19106
  "CVE-2025-21479": {
18819
19107
  "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability",
18820
- "lesson_date": "2026-05-18",
19108
+ "lesson_date": "2026-05-29",
18821
19109
  "attack_vector": {
18822
- "description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
18823
- "privileges_required": "network attacker (no authentication required)",
18824
- "complexity": "moderate (bulk-import default)",
18825
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
19110
+ "description": "an incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver, allowing unauthorized GPU command execution that corrupts memory to escalate privilege (exploited in the wild in Android targeted chains). CISA KEV-listed 2025-06-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
19111
+ "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
19112
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
19113
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
19114
+ },
19115
+ "defense_chain": {
19116
+ "prevention": {
19117
+ "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
19118
+ "was_this_required": true,
19119
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
19120
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
19121
+ },
19122
+ "detection": {
19123
+ "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
19124
+ "was_this_required": false,
19125
+ "framework_requiring_it": null,
19126
+ "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
19127
+ },
19128
+ "response": {
19129
+ "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
19130
+ "was_this_required": true,
19131
+ "framework_requiring_it": "NIST 800-53 IR-4",
19132
+ "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
19133
+ }
18826
19134
  },
18827
19135
  "framework_coverage": {
18828
19136
  "NIST-800-53-SI-2": {
18829
19137
  "covered": true,
18830
19138
  "adequate": false,
18831
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
19139
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
18832
19140
  },
18833
19141
  "ISO-27001-2022-A.8.8": {
18834
19142
  "covered": true,
18835
19143
  "adequate": false,
18836
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
19144
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
19145
+ },
19146
+ "AU-ISM-1546": {
19147
+ "covered": true,
19148
+ "adequate": false,
19149
+ "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
18837
19150
  }
18838
19151
  },
18839
19152
  "compliance_exposure_score": {
18840
- "percent_audit_passing_orgs_still_exposed": 55,
18841
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
19153
+ "percent_audit_passing_orgs_still_exposed": 66,
19154
+ "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
18842
19155
  "theater_pattern": "patch_management"
18843
19156
  },
18844
19157
  "ai_discovered_zeroday": false,
18845
- "ai_discovery_source": "unknown",
18846
- "ai_assist_factor": "none",
18847
- "_auto_imported": true,
18848
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
19158
+ "ai_discovery_source": "vendor_research",
19159
+ "ai_assist_factor": "none"
18849
19160
  },
18850
19161
  "CVE-2025-21480": {
18851
- "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability",
18852
- "lesson_date": "2026-05-18",
19162
+ "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability (variant: CVE-2025-21480)",
19163
+ "lesson_date": "2026-05-29",
18853
19164
  "attack_vector": {
18854
- "description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
18855
- "privileges_required": "network attacker (no authentication required)",
18856
- "complexity": "moderate (bulk-import default)",
18857
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
19165
+ "description": "an incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver (a related variant), allowing unauthorized GPU command execution that corrupts memory to escalate privilege (exploited in the wild in Android targeted chains). CISA KEV-listed 2025-06-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
19166
+ "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
19167
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
19168
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
19169
+ },
19170
+ "defense_chain": {
19171
+ "prevention": {
19172
+ "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
19173
+ "was_this_required": true,
19174
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
19175
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
19176
+ },
19177
+ "detection": {
19178
+ "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
19179
+ "was_this_required": false,
19180
+ "framework_requiring_it": null,
19181
+ "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
19182
+ },
19183
+ "response": {
19184
+ "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
19185
+ "was_this_required": true,
19186
+ "framework_requiring_it": "NIST 800-53 IR-4",
19187
+ "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
19188
+ }
18858
19189
  },
18859
19190
  "framework_coverage": {
18860
19191
  "NIST-800-53-SI-2": {
18861
19192
  "covered": true,
18862
19193
  "adequate": false,
18863
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
19194
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
18864
19195
  },
18865
19196
  "ISO-27001-2022-A.8.8": {
18866
19197
  "covered": true,
18867
19198
  "adequate": false,
18868
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
19199
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
19200
+ },
19201
+ "AU-ISM-1546": {
19202
+ "covered": true,
19203
+ "adequate": false,
19204
+ "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
18869
19205
  }
18870
19206
  },
18871
19207
  "compliance_exposure_score": {
18872
- "percent_audit_passing_orgs_still_exposed": 55,
18873
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
19208
+ "percent_audit_passing_orgs_still_exposed": 66,
19209
+ "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
18874
19210
  "theater_pattern": "patch_management"
18875
19211
  },
18876
19212
  "ai_discovered_zeroday": false,
18877
- "ai_discovery_source": "unknown",
18878
- "ai_assist_factor": "none",
18879
- "_auto_imported": true,
18880
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
19213
+ "ai_discovery_source": "vendor_research",
19214
+ "ai_assist_factor": "none"
18881
19215
  },
18882
19216
  "CVE-2025-27038": {
18883
19217
  "name": "Qualcomm Multiple Chipsets Use-After-Free Vulnerability",
18884
- "lesson_date": "2026-05-18",
19218
+ "lesson_date": "2026-05-29",
18885
19219
  "attack_vector": {
18886
- "description": "Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.",
18887
- "privileges_required": "network attacker (no authentication required)",
18888
- "complexity": "moderate (bulk-import default)",
18889
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
19220
+ "description": "a use-after-free (CWE-416) in the Qualcomm Adreno GPU driver, exploited by a local foothold to escalate privilege on the device. CISA KEV-listed 2025-06-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
19221
+ "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
19222
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
19223
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
19224
+ },
19225
+ "defense_chain": {
19226
+ "prevention": {
19227
+ "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
19228
+ "was_this_required": true,
19229
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
19230
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
19231
+ },
19232
+ "detection": {
19233
+ "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
19234
+ "was_this_required": false,
19235
+ "framework_requiring_it": null,
19236
+ "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
19237
+ },
19238
+ "response": {
19239
+ "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
19240
+ "was_this_required": true,
19241
+ "framework_requiring_it": "NIST 800-53 IR-4",
19242
+ "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
19243
+ }
18890
19244
  },
18891
19245
  "framework_coverage": {
18892
19246
  "NIST-800-53-SI-2": {
18893
19247
  "covered": true,
18894
19248
  "adequate": false,
18895
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
19249
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
18896
19250
  },
18897
19251
  "ISO-27001-2022-A.8.8": {
18898
19252
  "covered": true,
18899
19253
  "adequate": false,
18900
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
19254
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
19255
+ },
19256
+ "AU-ISM-1546": {
19257
+ "covered": true,
19258
+ "adequate": false,
19259
+ "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
18901
19260
  }
18902
19261
  },
18903
19262
  "compliance_exposure_score": {
18904
- "percent_audit_passing_orgs_still_exposed": 55,
18905
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
19263
+ "percent_audit_passing_orgs_still_exposed": 66,
19264
+ "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
18906
19265
  "theater_pattern": "patch_management"
18907
19266
  },
18908
19267
  "ai_discovered_zeroday": false,
18909
- "ai_discovery_source": "unknown",
18910
- "ai_assist_factor": "none",
18911
- "_auto_imported": true,
18912
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
19268
+ "ai_discovery_source": "vendor_research",
19269
+ "ai_assist_factor": "none"
18913
19270
  },
18914
19271
  "CVE-2021-32030": {
18915
19272
  "name": "ASUS Routers Improper Authentication Vulnerability",
@@ -18945,35 +19302,63 @@
18945
19302
  },
18946
19303
  "CVE-2025-3935": {
18947
19304
  "name": "ConnectWise ScreenConnect Improper Authentication Vulnerability",
18948
- "lesson_date": "2026-05-18",
19305
+ "lesson_date": "2026-05-29",
18949
19306
  "attack_vector": {
18950
- "description": "ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.",
18951
- "privileges_required": "network attacker (no authentication required)",
18952
- "complexity": "moderate (bulk-import default)",
18953
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
19307
+ "description": "an improper-authentication flaw (CWE-287) letting an unauthenticated attacker bypass authentication via ASP.NET ViewState / machine-key abuse. CISA KEV-listed 2025-06-02 with confirmed in-the-wild exploitation.",
19308
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
19309
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
19310
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
19311
+ },
19312
+ "defense_chain": {
19313
+ "prevention": {
19314
+ "what_would_have_worked": "Apply the ConnectWise ScreenConnect update and rotate the ASP.NET machine keys — the bypass abuses key material, so rotation is required beyond patching. RMM compromise reaches downstream endpoints.",
19315
+ "was_this_required": true,
19316
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
19317
+ "adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
19318
+ },
19319
+ "detection": {
19320
+ "what_would_have_worked": "Monitoring on the ScreenConnect: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
19321
+ "was_this_required": false,
19322
+ "framework_requiring_it": null,
19323
+ "adequacy": "Necessary to catch resident persistence and key abuse after patching."
19324
+ },
19325
+ "response": {
19326
+ "what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the ScreenConnect; assume compromise of accounts and managed endpoints in its reach.",
19327
+ "was_this_required": true,
19328
+ "framework_requiring_it": "NIST 800-53 IR-4",
19329
+ "adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
19330
+ }
18954
19331
  },
18955
19332
  "framework_coverage": {
18956
19333
  "NIST-800-53-SI-2": {
18957
19334
  "covered": true,
18958
19335
  "adequate": false,
18959
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
19336
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
18960
19337
  },
18961
19338
  "ISO-27001-2022-A.8.8": {
18962
19339
  "covered": true,
18963
19340
  "adequate": false,
18964
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
19341
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
19342
+ },
19343
+ "NIS2-Art21-network-security": {
19344
+ "covered": true,
19345
+ "adequate": false,
19346
+ "gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
19347
+ },
19348
+ "PCI-DSS-4.0-6.3.3": {
19349
+ "covered": true,
19350
+ "adequate": false,
19351
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
18965
19352
  }
18966
19353
  },
18967
19354
  "compliance_exposure_score": {
18968
- "percent_audit_passing_orgs_still_exposed": 55,
18969
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
19355
+ "percent_audit_passing_orgs_still_exposed": 76,
19356
+ "basis": "Internet-facing ConnectWise ScreenConnect is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
18970
19357
  "theater_pattern": "patch_management"
18971
19358
  },
18972
19359
  "ai_discovered_zeroday": false,
18973
- "ai_discovery_source": "unknown",
18974
- "ai_assist_factor": "none",
18975
- "_auto_imported": true,
18976
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
19360
+ "ai_discovery_source": "vendor_research",
19361
+ "ai_assist_factor": "none"
18977
19362
  },
18978
19363
  "CVE-2025-35939": {
18979
19364
  "name": "Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability",