@blamejs/exceptd-skills 0.15.18 → 0.15.20
- package/CHANGELOG.md +8 -0
- package/data/_indexes/_meta.json +5 -5
- package/data/attack-techniques.json +15 -0
- package/data/cve-catalog.json +269 -94
- package/data/zeroday-lessons.json +660 -212
- package/manifest.json +44 -44
- package/package.json +1 -1
- package/sbom.cdx.json +18 -18
@@ -6871,35 +6871,63 @@
|
|
|
6871
6871
|
},
|
|
6872
6872
|
"CVE-2024-1708": {
|
|
6873
6873
|
"name": "ConnectWise ScreenConnect Path Traversal Vulnerability",
|
|
6874
|
-
"lesson_date": "2026-05-
|
|
6874
|
+
"lesson_date": "2026-05-29",
|
|
6875
6875
|
"attack_vector": {
|
|
6876
|
-
"description": "
|
|
6877
|
-
"privileges_required": "
|
|
6878
|
-
"complexity": "
|
|
6879
|
-
"ai_factor": "
|
|
6876
|
+
"description": "a path-traversal flaw (CWE-22) letting an attacker write or read files outside the intended directory (used with the companion authentication bypass to drop a web shell). CISA KEV-listed 2026-04-28 with confirmed in-the-wild exploitation.",
|
|
6877
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
|
|
6878
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
6879
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
6880
|
+
},
|
|
6881
|
+
"defense_chain": {
|
|
6882
|
+
"prevention": {
|
|
6883
|
+
"what_would_have_worked": "Apply the ConnectWise ScreenConnect update; hunt for ASPX/web shells dropped via the traversal and rotate ScreenConnect credentials. ScreenConnect is RMM, so downstream managed endpoints are in the blast radius.",
|
|
6884
|
+
"was_this_required": true,
|
|
6885
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
6886
|
+
"adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
|
|
6887
|
+
},
|
|
6888
|
+
"detection": {
|
|
6889
|
+
"what_would_have_worked": "Monitoring on the ScreenConnect: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
|
|
6890
|
+
"was_this_required": false,
|
|
6891
|
+
"framework_requiring_it": null,
|
|
6892
|
+
"adequacy": "Necessary to catch resident persistence and key abuse after patching."
|
|
6893
|
+
},
|
|
6894
|
+
"response": {
|
|
6895
|
+
"what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the ScreenConnect; assume compromise of accounts and managed endpoints in its reach.",
|
|
6896
|
+
"was_this_required": true,
|
|
6897
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
6898
|
+
"adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
|
|
6899
|
+
}
|
|
6880
6900
|
},
|
|
6881
6901
|
"framework_coverage": {
|
|
6882
6902
|
"NIST-800-53-SI-2": {
|
|
6883
6903
|
"covered": true,
|
|
6884
6904
|
"adequate": false,
|
|
6885
|
-
"gap": "30-day SLA
|
|
6905
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
|
|
6886
6906
|
},
|
|
6887
6907
|
"ISO-27001-2022-A.8.8": {
|
|
6888
6908
|
"covered": true,
|
|
6889
6909
|
"adequate": false,
|
|
6890
|
-
"gap": "
|
|
6910
|
+
"gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
|
|
6911
|
+
},
|
|
6912
|
+
"NIS2-Art21-network-security": {
|
|
6913
|
+
"covered": true,
|
|
6914
|
+
"adequate": false,
|
|
6915
|
+
"gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
|
|
6916
|
+
},
|
|
6917
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
6918
|
+
"covered": true,
|
|
6919
|
+
"adequate": false,
|
|
6920
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
|
|
6891
6921
|
}
|
|
6892
6922
|
},
|
|
6893
6923
|
"compliance_exposure_score": {
|
|
6894
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
6895
|
-
"basis": "
|
|
6924
|
+
"percent_audit_passing_orgs_still_exposed": 76,
|
|
6925
|
+
"basis": "Internet-facing ConnectWise ScreenConnect is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
|
|
6896
6926
|
"theater_pattern": "patch_management"
|
|
6897
6927
|
},
|
|
6898
6928
|
"ai_discovered_zeroday": false,
|
|
6899
|
-
"ai_discovery_source": "
|
|
6900
|
-
"ai_assist_factor": "none"
|
|
6901
|
-
"_auto_imported": true,
|
|
6902
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
6929
|
+
"ai_discovery_source": "vendor_research",
|
|
6930
|
+
"ai_assist_factor": "none"
|
|
6903
6931
|
},
|
|
6904
6932
|
"CVE-2025-29635": {
|
|
6905
6933
|
"name": "D-Link DIR-823X Command Injection Vulnerability",
|
|
@@ -13095,35 +13123,63 @@
|
|
|
13095
13123
|
},
|
|
13096
13124
|
"CVE-2025-64328": {
|
|
13097
13125
|
"name": "Sangoma FreePBX OS Command Injection Vulnerability",
|
|
13098
|
-
"lesson_date": "2026-05-
|
|
13126
|
+
"lesson_date": "2026-05-29",
|
|
13099
13127
|
"attack_vector": {
|
|
13100
|
-
"description": "
|
|
13101
|
-
"privileges_required": "
|
|
13102
|
-
"complexity": "
|
|
13103
|
-
"ai_factor": "
|
|
13128
|
+
"description": "an OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the telephony server. CISA KEV-listed 2026-02-03 with confirmed in-the-wild exploitation.",
|
|
13129
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
|
|
13130
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
13131
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
13132
|
+
},
|
|
13133
|
+
"defense_chain": {
|
|
13134
|
+
"prevention": {
|
|
13135
|
+
"what_would_have_worked": "Apply the Sangoma FreePBX / module update; hunt for web shells and toll-fraud (anomalous outbound SIP/calls), and rotate SIP and administrative credentials — FreePBX compromise is routinely monetized via telephony fraud.",
|
|
13136
|
+
"was_this_required": true,
|
|
13137
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
13138
|
+
"adequacy": "Patch is necessary but, given the device's trust position, an exploited unit must be rebuilt and its secrets rotated — a patch in place does not evict a resident attacker."
|
|
13139
|
+
},
|
|
13140
|
+
"detection": {
|
|
13141
|
+
"what_would_have_worked": "Monitoring of the FreePBX: exploit-shaped requests, toll-fraud call patterns and new admin objects.",
|
|
13142
|
+
"was_this_required": false,
|
|
13143
|
+
"framework_requiring_it": null,
|
|
13144
|
+
"adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
|
|
13145
|
+
},
|
|
13146
|
+
"response": {
|
|
13147
|
+
"what_would_have_worked": "Rebuild the device from a known-good image, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
|
|
13148
|
+
"was_this_required": true,
|
|
13149
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
13150
|
+
"adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
|
|
13151
|
+
}
|
|
13104
13152
|
},
|
|
13105
13153
|
"framework_coverage": {
|
|
13106
13154
|
"NIST-800-53-SI-2": {
|
|
13107
13155
|
"covered": true,
|
|
13108
13156
|
"adequate": false,
|
|
13109
|
-
"gap": "30-day SLA
|
|
13157
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
|
|
13110
13158
|
},
|
|
13111
13159
|
"ISO-27001-2022-A.8.8": {
|
|
13112
13160
|
"covered": true,
|
|
13113
13161
|
"adequate": false,
|
|
13114
|
-
"gap": "
|
|
13162
|
+
"gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
|
|
13163
|
+
},
|
|
13164
|
+
"NIS2-Art21-network-security": {
|
|
13165
|
+
"covered": true,
|
|
13166
|
+
"adequate": false,
|
|
13167
|
+
"gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
|
|
13168
|
+
},
|
|
13169
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
13170
|
+
"covered": true,
|
|
13171
|
+
"adequate": false,
|
|
13172
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
|
|
13115
13173
|
}
|
|
13116
13174
|
},
|
|
13117
13175
|
"compliance_exposure_score": {
|
|
13118
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
13119
|
-
"basis": "
|
|
13176
|
+
"percent_audit_passing_orgs_still_exposed": 80,
|
|
13177
|
+
"basis": "Internet-facing Sangoma FreePBX is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
|
|
13120
13178
|
"theater_pattern": "patch_management"
|
|
13121
13179
|
},
|
|
13122
13180
|
"ai_discovered_zeroday": false,
|
|
13123
|
-
"ai_discovery_source": "
|
|
13124
|
-
"ai_assist_factor": "none"
|
|
13125
|
-
"_auto_imported": true,
|
|
13126
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
13181
|
+
"ai_discovery_source": "vendor_research",
|
|
13182
|
+
"ai_assist_factor": "none"
|
|
13127
13183
|
},
|
|
13128
13184
|
"CVE-2019-19006": {
|
|
13129
13185
|
"name": " Sangoma FreePBX Improper Authentication Vulnerability",
|
|
@@ -14004,35 +14060,63 @@
|
|
|
14004
14060
|
},
|
|
14005
14061
|
"CVE-2025-14733": {
|
|
14006
14062
|
"name": "WatchGuard Firebox Out of Bounds Write Vulnerability",
|
|
14007
|
-
"lesson_date": "2026-05-
|
|
14063
|
+
"lesson_date": "2026-05-29",
|
|
14008
14064
|
"attack_vector": {
|
|
14009
|
-
"description": "
|
|
14010
|
-
"privileges_required": "
|
|
14011
|
-
"complexity": "
|
|
14012
|
-
"ai_factor": "
|
|
14065
|
+
"description": "an out-of-bounds write (CWE-787) exploitable by an unauthenticated attacker for memory-corruption remote code execution on the firewall. CISA KEV-listed 2025-12-19 with confirmed in-the-wild exploitation.",
|
|
14066
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
|
|
14067
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
14068
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
14069
|
+
},
|
|
14070
|
+
"defense_chain": {
|
|
14071
|
+
"prevention": {
|
|
14072
|
+
"what_would_have_worked": "Apply the WatchGuard Fireware update; treat an exploited firewall as fully compromised — rebuild it and rotate every credential and VPN/IKE secret it held, since the firewall terminates trust for the network behind it.",
|
|
14073
|
+
"was_this_required": true,
|
|
14074
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
14075
|
+
"adequacy": "Patch is necessary but, given the device's trust position, an exploited unit must be rebuilt and its secrets rotated — a patch in place does not evict a resident attacker."
|
|
14076
|
+
},
|
|
14077
|
+
"detection": {
|
|
14078
|
+
"what_would_have_worked": "Monitoring of the Firebox firewall: exploit-shaped requests, device crashes, new processes, and credential/config changes.",
|
|
14079
|
+
"was_this_required": false,
|
|
14080
|
+
"framework_requiring_it": null,
|
|
14081
|
+
"adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
|
|
14082
|
+
},
|
|
14083
|
+
"response": {
|
|
14084
|
+
"what_would_have_worked": "Rebuild the device from a known-good image, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
|
|
14085
|
+
"was_this_required": true,
|
|
14086
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
14087
|
+
"adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
|
|
14088
|
+
}
|
|
14013
14089
|
},
|
|
14014
14090
|
"framework_coverage": {
|
|
14015
14091
|
"NIST-800-53-SI-2": {
|
|
14016
14092
|
"covered": true,
|
|
14017
14093
|
"adequate": false,
|
|
14018
|
-
"gap": "30-day SLA
|
|
14094
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
|
|
14019
14095
|
},
|
|
14020
14096
|
"ISO-27001-2022-A.8.8": {
|
|
14021
14097
|
"covered": true,
|
|
14022
14098
|
"adequate": false,
|
|
14023
|
-
"gap": "
|
|
14099
|
+
"gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
|
|
14100
|
+
},
|
|
14101
|
+
"NIS2-Art21-network-security": {
|
|
14102
|
+
"covered": true,
|
|
14103
|
+
"adequate": false,
|
|
14104
|
+
"gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
|
|
14105
|
+
},
|
|
14106
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
14107
|
+
"covered": true,
|
|
14108
|
+
"adequate": false,
|
|
14109
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
|
|
14024
14110
|
}
|
|
14025
14111
|
},
|
|
14026
14112
|
"compliance_exposure_score": {
|
|
14027
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
14028
|
-
"basis": "
|
|
14113
|
+
"percent_audit_passing_orgs_still_exposed": 80,
|
|
14114
|
+
"basis": "Internet-facing WatchGuard Firebox is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
|
|
14029
14115
|
"theater_pattern": "patch_management"
|
|
14030
14116
|
},
|
|
14031
14117
|
"ai_discovered_zeroday": false,
|
|
14032
|
-
"ai_discovery_source": "
|
|
14033
|
-
"ai_assist_factor": "none"
|
|
14034
|
-
"_auto_imported": true,
|
|
14035
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
14118
|
+
"ai_discovery_source": "vendor_research",
|
|
14119
|
+
"ai_assist_factor": "none"
|
|
14036
14120
|
},
|
|
14037
14121
|
"CVE-2025-59374": {
|
|
14038
14122
|
"name": "ASUS Live Update Embedded Malicious Code Vulnerability",
|
|
@@ -14220,35 +14304,63 @@
|
|
|
14220
14304
|
},
|
|
14221
14305
|
"CVE-2025-14611": {
|
|
14222
14306
|
"name": "Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability",
|
|
14223
|
-
"lesson_date": "2026-05-
|
|
14307
|
+
"lesson_date": "2026-05-29",
|
|
14224
14308
|
"attack_vector": {
|
|
14225
|
-
"description": "
|
|
14226
|
-
"privileges_required": "
|
|
14227
|
-
"complexity": "
|
|
14228
|
-
"ai_factor": "
|
|
14309
|
+
"description": "a use of hard-coded cryptographic key (CWE-798) letting an attacker forge trusted material to gain unauthorized access and code execution. CISA KEV-listed 2025-12-15 with confirmed in-the-wild exploitation.",
|
|
14310
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
|
|
14311
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
14312
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
14313
|
+
},
|
|
14314
|
+
"defense_chain": {
|
|
14315
|
+
"prevention": {
|
|
14316
|
+
"what_would_have_worked": "Apply the Gladinet CentreStack/Triofox update and confirm the hard-coded key is regenerated, not just patched — stale forged tokens remain valid until the key is rotated.",
|
|
14317
|
+
"was_this_required": true,
|
|
14318
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
14319
|
+
"adequacy": "Patch is necessary but insufficient alone — forged tokens / leaked keys survive the patch and require explicit key rotation."
|
|
14320
|
+
},
|
|
14321
|
+
"detection": {
|
|
14322
|
+
"what_would_have_worked": "Monitoring on the CentreStack/Triofox: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
|
|
14323
|
+
"was_this_required": false,
|
|
14324
|
+
"framework_requiring_it": null,
|
|
14325
|
+
"adequacy": "Necessary to catch resident persistence and key abuse after patching."
|
|
14326
|
+
},
|
|
14327
|
+
"response": {
|
|
14328
|
+
"what_would_have_worked": "Patch immediately, rotate the affected cryptographic/machine keys, rotate application secrets and credentials, and review data and downstream systems reachable from the CentreStack/Triofox; assume compromise of accounts and managed endpoints in its reach.",
|
|
14329
|
+
"was_this_required": true,
|
|
14330
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
14331
|
+
"adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
|
|
14332
|
+
}
|
|
14229
14333
|
},
|
|
14230
14334
|
"framework_coverage": {
|
|
14231
14335
|
"NIST-800-53-SI-2": {
|
|
14232
14336
|
"covered": true,
|
|
14233
14337
|
"adequate": false,
|
|
14234
|
-
"gap": "30-day SLA
|
|
14338
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
|
|
14235
14339
|
},
|
|
14236
14340
|
"ISO-27001-2022-A.8.8": {
|
|
14237
14341
|
"covered": true,
|
|
14238
14342
|
"adequate": false,
|
|
14239
|
-
"gap": "
|
|
14343
|
+
"gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
|
|
14344
|
+
},
|
|
14345
|
+
"NIS2-Art21-network-security": {
|
|
14346
|
+
"covered": true,
|
|
14347
|
+
"adequate": false,
|
|
14348
|
+
"gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
|
|
14349
|
+
},
|
|
14350
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
14351
|
+
"covered": true,
|
|
14352
|
+
"adequate": false,
|
|
14353
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
|
|
14240
14354
|
}
|
|
14241
14355
|
},
|
|
14242
14356
|
"compliance_exposure_score": {
|
|
14243
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
14244
|
-
"basis": "
|
|
14357
|
+
"percent_audit_passing_orgs_still_exposed": 76,
|
|
14358
|
+
"basis": "Internet-facing Gladinet CentreStack and Triofox is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
|
|
14245
14359
|
"theater_pattern": "patch_management"
|
|
14246
14360
|
},
|
|
14247
14361
|
"ai_discovered_zeroday": false,
|
|
14248
|
-
"ai_discovery_source": "
|
|
14249
|
-
"ai_assist_factor": "none"
|
|
14250
|
-
"_auto_imported": true,
|
|
14251
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
14362
|
+
"ai_discovery_source": "vendor_research",
|
|
14363
|
+
"ai_assist_factor": "none"
|
|
14252
14364
|
},
|
|
14253
14365
|
"CVE-2018-4063": {
|
|
14254
14366
|
"name": "Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability",
|
|
@@ -14839,35 +14951,63 @@
|
|
|
14839
14951
|
},
|
|
14840
14952
|
"CVE-2025-12480": {
|
|
14841
14953
|
"name": "Gladinet Triofox Improper Access Control Vulnerability",
|
|
14842
|
-
"lesson_date": "2026-05-
|
|
14954
|
+
"lesson_date": "2026-05-29",
|
|
14843
14955
|
"attack_vector": {
|
|
14844
|
-
"description": "
|
|
14845
|
-
"privileges_required": "
|
|
14846
|
-
"complexity": "
|
|
14847
|
-
"ai_factor": "
|
|
14956
|
+
"description": "an improper-access-control flaw (CWE-284) letting an unauthenticated attacker reach functionality reserved for authorized users. CISA KEV-listed 2025-11-12 with confirmed in-the-wild exploitation.",
|
|
14957
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
|
|
14958
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
14959
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
14960
|
+
},
|
|
14961
|
+
"defense_chain": {
|
|
14962
|
+
"prevention": {
|
|
14963
|
+
"what_would_have_worked": "Apply the Gladinet Triofox update and review for unauthorized access to shared files during the exposure window.",
|
|
14964
|
+
"was_this_required": true,
|
|
14965
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
14966
|
+
"adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
|
|
14967
|
+
},
|
|
14968
|
+
"detection": {
|
|
14969
|
+
"what_would_have_worked": "Monitoring on the Triofox: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
|
|
14970
|
+
"was_this_required": false,
|
|
14971
|
+
"framework_requiring_it": null,
|
|
14972
|
+
"adequacy": "Necessary to catch resident persistence and key abuse after patching."
|
|
14973
|
+
},
|
|
14974
|
+
"response": {
|
|
14975
|
+
"what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the Triofox; assume compromise of accounts and managed endpoints in its reach.",
|
|
14976
|
+
"was_this_required": true,
|
|
14977
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
14978
|
+
"adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
|
|
14979
|
+
}
|
|
14848
14980
|
},
|
|
14849
14981
|
"framework_coverage": {
|
|
14850
14982
|
"NIST-800-53-SI-2": {
|
|
14851
14983
|
"covered": true,
|
|
14852
14984
|
"adequate": false,
|
|
14853
|
-
"gap": "30-day SLA
|
|
14985
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
|
|
14854
14986
|
},
|
|
14855
14987
|
"ISO-27001-2022-A.8.8": {
|
|
14856
14988
|
"covered": true,
|
|
14857
14989
|
"adequate": false,
|
|
14858
|
-
"gap": "
|
|
14990
|
+
"gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
|
|
14991
|
+
},
|
|
14992
|
+
"NIS2-Art21-network-security": {
|
|
14993
|
+
"covered": true,
|
|
14994
|
+
"adequate": false,
|
|
14995
|
+
"gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
|
|
14996
|
+
},
|
|
14997
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
14998
|
+
"covered": true,
|
|
14999
|
+
"adequate": false,
|
|
15000
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
|
|
14859
15001
|
}
|
|
14860
15002
|
},
|
|
14861
15003
|
"compliance_exposure_score": {
|
|
14862
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
14863
|
-
"basis": "
|
|
15004
|
+
"percent_audit_passing_orgs_still_exposed": 76,
|
|
15005
|
+
"basis": "Internet-facing Gladinet Triofox is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
|
|
14864
15006
|
"theater_pattern": "patch_management"
|
|
14865
15007
|
},
|
|
14866
15008
|
"ai_discovered_zeroday": false,
|
|
14867
|
-
"ai_discovery_source": "
|
|
14868
|
-
"ai_assist_factor": "none"
|
|
14869
|
-
"_auto_imported": true,
|
|
14870
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
15009
|
+
"ai_discovery_source": "vendor_research",
|
|
15010
|
+
"ai_assist_factor": "none"
|
|
14871
15011
|
},
|
|
14872
15012
|
"CVE-2025-62215": {
|
|
14873
15013
|
"name": "Microsoft Windows Race Condition Vulnerability",
|
|
@@ -14926,35 +15066,63 @@
|
|
|
14926
15066
|
},
|
|
14927
15067
|
"CVE-2025-9242": {
|
|
14928
15068
|
"name": "WatchGuard Firebox Out-of-Bounds Write Vulnerability",
|
|
14929
|
-
"lesson_date": "2026-05-
|
|
15069
|
+
"lesson_date": "2026-05-29",
|
|
14930
15070
|
"attack_vector": {
|
|
14931
|
-
"description": "
|
|
14932
|
-
"privileges_required": "
|
|
14933
|
-
"complexity": "
|
|
14934
|
-
"ai_factor": "
|
|
15071
|
+
"description": "an out-of-bounds write (CWE-787) in the Firebox IKE/VPN handling, exploitable by an unauthenticated attacker for memory-corruption remote code execution on the firewall. CISA KEV-listed 2025-11-12 with confirmed in-the-wild exploitation.",
|
|
15072
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
|
|
15073
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
15074
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
15075
|
+
},
|
|
15076
|
+
"defense_chain": {
|
|
15077
|
+
"prevention": {
|
|
15078
|
+
"what_would_have_worked": "Apply the WatchGuard Fireware update; treat an exploited firewall as fully compromised — rebuild it and rotate every credential and VPN/IKE secret it held, since the firewall terminates trust for the network behind it.",
|
|
15079
|
+
"was_this_required": true,
|
|
15080
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
15081
|
+
"adequacy": "Patch is necessary but, given the device's trust position, an exploited unit must be rebuilt and its secrets rotated — a patch in place does not evict a resident attacker."
|
|
15082
|
+
},
|
|
15083
|
+
"detection": {
|
|
15084
|
+
"what_would_have_worked": "Monitoring of the Firebox firewall: exploit-shaped requests, device crashes, new processes, and credential/config changes.",
|
|
15085
|
+
"was_this_required": false,
|
|
15086
|
+
"framework_requiring_it": null,
|
|
15087
|
+
"adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
|
|
15088
|
+
},
|
|
15089
|
+
"response": {
|
|
15090
|
+
"what_would_have_worked": "Rebuild the device from a known-good image, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
|
|
15091
|
+
"was_this_required": true,
|
|
15092
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
15093
|
+
"adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
|
|
15094
|
+
}
|
|
14935
15095
|
},
|
|
14936
15096
|
"framework_coverage": {
|
|
14937
15097
|
"NIST-800-53-SI-2": {
|
|
14938
15098
|
"covered": true,
|
|
14939
15099
|
"adequate": false,
|
|
14940
|
-
"gap": "30-day SLA
|
|
15100
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
|
|
14941
15101
|
},
|
|
14942
15102
|
"ISO-27001-2022-A.8.8": {
|
|
14943
15103
|
"covered": true,
|
|
14944
15104
|
"adequate": false,
|
|
14945
|
-
"gap": "
|
|
15105
|
+
"gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
|
|
15106
|
+
},
|
|
15107
|
+
"NIS2-Art21-network-security": {
|
|
15108
|
+
"covered": true,
|
|
15109
|
+
"adequate": false,
|
|
15110
|
+
"gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
|
|
15111
|
+
},
|
|
15112
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
15113
|
+
"covered": true,
|
|
15114
|
+
"adequate": false,
|
|
15115
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
|
|
14946
15116
|
}
|
|
14947
15117
|
},
|
|
14948
15118
|
"compliance_exposure_score": {
|
|
14949
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
14950
|
-
"basis": "
|
|
15119
|
+
"percent_audit_passing_orgs_still_exposed": 80,
|
|
15120
|
+
"basis": "Internet-facing WatchGuard Firebox is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
|
|
14951
15121
|
"theater_pattern": "patch_management"
|
|
14952
15122
|
},
|
|
14953
15123
|
"ai_discovered_zeroday": false,
|
|
14954
|
-
"ai_discovery_source": "
|
|
14955
|
-
"ai_assist_factor": "none"
|
|
14956
|
-
"_auto_imported": true,
|
|
14957
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
15124
|
+
"ai_discovery_source": "vendor_research",
|
|
15125
|
+
"ai_assist_factor": "none"
|
|
14958
15126
|
},
|
|
14959
15127
|
"CVE-2025-21042": {
|
|
14960
15128
|
"name": "Samsung Mobile Devices Out-of-Bounds Write Vulnerability",
|
|
@@ -15022,35 +15190,63 @@
|
|
|
15022
15190
|
},
|
|
15023
15191
|
"CVE-2025-11371": {
|
|
15024
15192
|
"name": "Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability",
|
|
15025
|
-
"lesson_date": "2026-05-
|
|
15193
|
+
"lesson_date": "2026-05-29",
|
|
15026
15194
|
"attack_vector": {
|
|
15027
|
-
"description": "
|
|
15028
|
-
"privileges_required": "
|
|
15029
|
-
"complexity": "
|
|
15030
|
-
"ai_factor": "
|
|
15195
|
+
"description": "a files-or-directories-accessible-to-external-parties flaw (CWE-552) disclosing server files including the machine key, enabling a follow-on deserialization remote code execution. CISA KEV-listed 2025-11-04 with confirmed in-the-wild exploitation.",
|
|
15196
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
|
|
15197
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
15198
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
15031
15199
|
},
|
|
15032
|
-
"
|
|
15033
|
-
"
|
|
15034
|
-
"
|
|
15035
|
-
"
|
|
15036
|
-
"
|
|
15200
|
+
"defense_chain": {
|
|
15201
|
+
"prevention": {
|
|
15202
|
+
"what_would_have_worked": "Apply the Gladinet CentreStack/Triofox update AND rotate the machine key — the disclosure leaks the key that enables the deserialization RCE, so patching without key rotation leaves the RCE path open.",
|
|
15203
|
+
"was_this_required": true,
|
|
15204
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
15205
|
+
"adequacy": "Patch is necessary but insufficient alone — forged tokens / leaked keys survive the patch and require explicit key rotation."
|
|
15206
|
+
},
|
|
15207
|
+
"detection": {
|
|
15208
|
+
"what_would_have_worked": "Monitoring on the CentreStack/Triofox: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
|
|
15209
|
+
"was_this_required": false,
|
|
15210
|
+
"framework_requiring_it": null,
|
|
15211
|
+
"adequacy": "Necessary to catch resident persistence and key abuse after patching."
|
|
15212
|
+
},
|
|
15213
|
+
"response": {
|
|
15214
|
+
"what_would_have_worked": "Patch immediately, rotate the affected cryptographic/machine keys, rotate application secrets and credentials, and review data and downstream systems reachable from the CentreStack/Triofox; assume compromise of accounts and managed endpoints in its reach.",
|
|
15215
|
+
"was_this_required": true,
|
|
15216
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
15217
|
+
"adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
|
|
15218
|
+
}
|
|
15219
|
+
},
|
|
15220
|
+
"framework_coverage": {
|
|
15221
|
+
"NIST-800-53-SI-2": {
|
|
15222
|
+
"covered": true,
|
|
15223
|
+
"adequate": false,
|
|
15224
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
|
|
15037
15225
|
},
|
|
15038
15226
|
"ISO-27001-2022-A.8.8": {
|
|
15039
15227
|
"covered": true,
|
|
15040
15228
|
"adequate": false,
|
|
15041
|
-
"gap": "
|
|
15229
|
+
"gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
|
|
15230
|
+
},
|
|
15231
|
+
"NIS2-Art21-network-security": {
|
|
15232
|
+
"covered": true,
|
|
15233
|
+
"adequate": false,
|
|
15234
|
+
"gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
|
|
15235
|
+
},
|
|
15236
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
15237
|
+
"covered": true,
|
|
15238
|
+
"adequate": false,
|
|
15239
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
|
|
15042
15240
|
}
|
|
15043
15241
|
},
|
|
15044
15242
|
"compliance_exposure_score": {
|
|
15045
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
15046
|
-
"basis": "
|
|
15243
|
+
"percent_audit_passing_orgs_still_exposed": 76,
|
|
15244
|
+
"basis": "Internet-facing Gladinet CentreStack and Triofox is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
|
|
15047
15245
|
"theater_pattern": "patch_management"
|
|
15048
15246
|
},
|
|
15049
15247
|
"ai_discovered_zeroday": false,
|
|
15050
|
-
"ai_discovery_source": "
|
|
15051
|
-
"ai_assist_factor": "none"
|
|
15052
|
-
"_auto_imported": true,
|
|
15053
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
15248
|
+
"ai_discovery_source": "vendor_research",
|
|
15249
|
+
"ai_assist_factor": "none"
|
|
15054
15250
|
},
|
|
15055
15251
|
"CVE-2025-41244": {
|
|
15056
15252
|
"name": "Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability",
|
|
@@ -15118,67 +15314,123 @@
|
|
|
15118
15314
|
},
|
|
15119
15315
|
"CVE-2025-6204": {
|
|
15120
15316
|
"name": "Dassault Systèmes DELMIA Apriso Code Injection Vulnerability",
|
|
15121
|
-
"lesson_date": "2026-05-
|
|
15317
|
+
"lesson_date": "2026-05-29",
|
|
15122
15318
|
"attack_vector": {
|
|
15123
|
-
"description": "
|
|
15124
|
-
"privileges_required": "
|
|
15125
|
-
"complexity": "
|
|
15126
|
-
"ai_factor": "
|
|
15319
|
+
"description": "a code-injection flaw (CWE-94) enabling unauthenticated remote code execution on the manufacturing-operations server. CISA KEV-listed 2025-10-28 with confirmed in-the-wild exploitation.",
|
|
15320
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
|
|
15321
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
15322
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
15323
|
+
},
|
|
15324
|
+
"defense_chain": {
|
|
15325
|
+
"prevention": {
|
|
15326
|
+
"what_would_have_worked": "Apply the Dassault DELMIA Apriso update; hunt for web shells and rotate service credentials. DELMIA Apriso sits in the manufacturing-operations layer, so treat compromise as OT-adjacent.",
|
|
15327
|
+
"was_this_required": true,
|
|
15328
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
15329
|
+
"adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
|
|
15330
|
+
},
|
|
15331
|
+
"detection": {
|
|
15332
|
+
"what_would_have_worked": "Monitoring on the DELMIA Apriso: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
|
|
15333
|
+
"was_this_required": false,
|
|
15334
|
+
"framework_requiring_it": null,
|
|
15335
|
+
"adequacy": "Necessary to catch resident persistence and key abuse after patching."
|
|
15336
|
+
},
|
|
15337
|
+
"response": {
|
|
15338
|
+
"what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the DELMIA Apriso; assume compromise of accounts and managed endpoints in its reach.",
|
|
15339
|
+
"was_this_required": true,
|
|
15340
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
15341
|
+
"adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
|
|
15342
|
+
}
|
|
15127
15343
|
},
|
|
15128
15344
|
"framework_coverage": {
|
|
15129
15345
|
"NIST-800-53-SI-2": {
|
|
15130
15346
|
"covered": true,
|
|
15131
15347
|
"adequate": false,
|
|
15132
|
-
"gap": "30-day SLA
|
|
15348
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
|
|
15133
15349
|
},
|
|
15134
15350
|
"ISO-27001-2022-A.8.8": {
|
|
15135
15351
|
"covered": true,
|
|
15136
15352
|
"adequate": false,
|
|
15137
|
-
"gap": "
|
|
15353
|
+
"gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
|
|
15354
|
+
},
|
|
15355
|
+
"NIS2-Art21-network-security": {
|
|
15356
|
+
"covered": true,
|
|
15357
|
+
"adequate": false,
|
|
15358
|
+
"gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
|
|
15359
|
+
},
|
|
15360
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
15361
|
+
"covered": true,
|
|
15362
|
+
"adequate": false,
|
|
15363
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
|
|
15138
15364
|
}
|
|
15139
15365
|
},
|
|
15140
15366
|
"compliance_exposure_score": {
|
|
15141
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
15142
|
-
"basis": "
|
|
15367
|
+
"percent_audit_passing_orgs_still_exposed": 76,
|
|
15368
|
+
"basis": "Internet-facing Dassault Systèmes DELMIA Apriso is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
|
|
15143
15369
|
"theater_pattern": "patch_management"
|
|
15144
15370
|
},
|
|
15145
15371
|
"ai_discovered_zeroday": false,
|
|
15146
|
-
"ai_discovery_source": "
|
|
15147
|
-
"ai_assist_factor": "none"
|
|
15148
|
-
"_auto_imported": true,
|
|
15149
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
15372
|
+
"ai_discovery_source": "vendor_research",
|
|
15373
|
+
"ai_assist_factor": "none"
|
|
15150
15374
|
},
|
|
15151
15375
|
"CVE-2025-6205": {
|
|
15152
15376
|
"name": "Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability",
|
|
15153
|
-
"lesson_date": "2026-05-
|
|
15377
|
+
"lesson_date": "2026-05-29",
|
|
15154
15378
|
"attack_vector": {
|
|
15155
|
-
"description": "
|
|
15156
|
-
"privileges_required": "
|
|
15157
|
-
"complexity": "
|
|
15158
|
-
"ai_factor": "
|
|
15379
|
+
"description": "a missing-authorization flaw (CWE-862) letting an unauthenticated attacker reach privileged functionality. CISA KEV-listed 2025-10-28 with confirmed in-the-wild exploitation.",
|
|
15380
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
|
|
15381
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
15382
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
15383
|
+
},
|
|
15384
|
+
"defense_chain": {
|
|
15385
|
+
"prevention": {
|
|
15386
|
+
"what_would_have_worked": "Apply the Dassault DELMIA Apriso update and review privileged-function access during the exposure window.",
|
|
15387
|
+
"was_this_required": true,
|
|
15388
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
15389
|
+
"adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
|
|
15390
|
+
},
|
|
15391
|
+
"detection": {
|
|
15392
|
+
"what_would_have_worked": "Monitoring on the DELMIA Apriso: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
|
|
15393
|
+
"was_this_required": false,
|
|
15394
|
+
"framework_requiring_it": null,
|
|
15395
|
+
"adequacy": "Necessary to catch resident persistence and key abuse after patching."
|
|
15396
|
+
},
|
|
15397
|
+
"response": {
|
|
15398
|
+
"what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the DELMIA Apriso; assume compromise of accounts and managed endpoints in its reach.",
|
|
15399
|
+
"was_this_required": true,
|
|
15400
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
15401
|
+
"adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
|
|
15402
|
+
}
|
|
15159
15403
|
},
|
|
15160
15404
|
"framework_coverage": {
|
|
15161
15405
|
"NIST-800-53-SI-2": {
|
|
15162
15406
|
"covered": true,
|
|
15163
15407
|
"adequate": false,
|
|
15164
|
-
"gap": "30-day SLA
|
|
15408
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
|
|
15165
15409
|
},
|
|
15166
15410
|
"ISO-27001-2022-A.8.8": {
|
|
15167
15411
|
"covered": true,
|
|
15168
15412
|
"adequate": false,
|
|
15169
|
-
"gap": "
|
|
15413
|
+
"gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
|
|
15414
|
+
},
|
|
15415
|
+
"NIS2-Art21-network-security": {
|
|
15416
|
+
"covered": true,
|
|
15417
|
+
"adequate": false,
|
|
15418
|
+
"gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
|
|
15419
|
+
},
|
|
15420
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
15421
|
+
"covered": true,
|
|
15422
|
+
"adequate": false,
|
|
15423
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
|
|
15170
15424
|
}
|
|
15171
15425
|
},
|
|
15172
15426
|
"compliance_exposure_score": {
|
|
15173
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
15174
|
-
"basis": "
|
|
15427
|
+
"percent_audit_passing_orgs_still_exposed": 76,
|
|
15428
|
+
"basis": "Internet-facing Dassault Systèmes DELMIA Apriso is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
|
|
15175
15429
|
"theater_pattern": "patch_management"
|
|
15176
15430
|
},
|
|
15177
15431
|
"ai_discovered_zeroday": false,
|
|
15178
|
-
"ai_discovery_source": "
|
|
15179
|
-
"ai_assist_factor": "none"
|
|
15180
|
-
"_auto_imported": true,
|
|
15181
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
15432
|
+
"ai_discovery_source": "vendor_research",
|
|
15433
|
+
"ai_assist_factor": "none"
|
|
15182
15434
|
},
|
|
15183
15435
|
"CVE-2025-54236": {
|
|
15184
15436
|
"name": "Adobe Commerce and Magento Improper Input Validation Vulnerability",
|
|
@@ -16627,35 +16879,63 @@
|
|
|
16627
16879
|
},
|
|
16628
16880
|
"CVE-2025-5086": {
|
|
16629
16881
|
"name": "Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability",
|
|
16630
|
-
"lesson_date": "2026-05-
|
|
16882
|
+
"lesson_date": "2026-05-29",
|
|
16631
16883
|
"attack_vector": {
|
|
16632
|
-
"description": "
|
|
16633
|
-
"privileges_required": "
|
|
16634
|
-
"complexity": "
|
|
16635
|
-
"ai_factor": "
|
|
16884
|
+
"description": "a deserialization-of-untrusted-data flaw (CWE-502) enabling unauthenticated remote code execution. CISA KEV-listed 2025-09-11 with confirmed in-the-wild exploitation.",
|
|
16885
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
|
|
16886
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
16887
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
16888
|
+
},
|
|
16889
|
+
"defense_chain": {
|
|
16890
|
+
"prevention": {
|
|
16891
|
+
"what_would_have_worked": "Apply the Dassault DELMIA Apriso update, hunt for web shells, and rotate service credentials; treat the manufacturing-operations server as OT-adjacent on compromise.",
|
|
16892
|
+
"was_this_required": true,
|
|
16893
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
16894
|
+
"adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
|
|
16895
|
+
},
|
|
16896
|
+
"detection": {
|
|
16897
|
+
"what_would_have_worked": "Monitoring on the DELMIA Apriso: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
|
|
16898
|
+
"was_this_required": false,
|
|
16899
|
+
"framework_requiring_it": null,
|
|
16900
|
+
"adequacy": "Necessary to catch resident persistence and key abuse after patching."
|
|
16901
|
+
},
|
|
16902
|
+
"response": {
|
|
16903
|
+
"what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the DELMIA Apriso; assume compromise of accounts and managed endpoints in its reach.",
|
|
16904
|
+
"was_this_required": true,
|
|
16905
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
16906
|
+
"adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
|
|
16907
|
+
}
|
|
16636
16908
|
},
|
|
16637
16909
|
"framework_coverage": {
|
|
16638
16910
|
"NIST-800-53-SI-2": {
|
|
16639
16911
|
"covered": true,
|
|
16640
16912
|
"adequate": false,
|
|
16641
|
-
"gap": "30-day SLA
|
|
16913
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
|
|
16642
16914
|
},
|
|
16643
16915
|
"ISO-27001-2022-A.8.8": {
|
|
16644
16916
|
"covered": true,
|
|
16645
16917
|
"adequate": false,
|
|
16646
|
-
"gap": "
|
|
16918
|
+
"gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
|
|
16919
|
+
},
|
|
16920
|
+
"NIS2-Art21-network-security": {
|
|
16921
|
+
"covered": true,
|
|
16922
|
+
"adequate": false,
|
|
16923
|
+
"gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
|
|
16924
|
+
},
|
|
16925
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
16926
|
+
"covered": true,
|
|
16927
|
+
"adequate": false,
|
|
16928
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
|
|
16647
16929
|
}
|
|
16648
16930
|
},
|
|
16649
16931
|
"compliance_exposure_score": {
|
|
16650
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
16651
|
-
"basis": "
|
|
16932
|
+
"percent_audit_passing_orgs_still_exposed": 76,
|
|
16933
|
+
"basis": "Internet-facing Dassault Systèmes DELMIA Apriso is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
|
|
16652
16934
|
"theater_pattern": "patch_management"
|
|
16653
16935
|
},
|
|
16654
16936
|
"ai_discovered_zeroday": false,
|
|
16655
|
-
"ai_discovery_source": "
|
|
16656
|
-
"ai_assist_factor": "none"
|
|
16657
|
-
"_auto_imported": true,
|
|
16658
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
16937
|
+
"ai_discovery_source": "vendor_research",
|
|
16938
|
+
"ai_assist_factor": "none"
|
|
16659
16939
|
},
|
|
16660
16940
|
"CVE-2025-48543": {
|
|
16661
16941
|
"name": "Android Runtime Use-After-Free Vulnerability",
|
|
@@ -16723,67 +17003,123 @@
|
|
|
16723
17003
|
},
|
|
16724
17004
|
"CVE-2023-50224": {
|
|
16725
17005
|
"name": "TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability",
|
|
16726
|
-
"lesson_date": "2026-05-
|
|
17006
|
+
"lesson_date": "2026-05-29",
|
|
16727
17007
|
"attack_vector": {
|
|
16728
|
-
"description": "
|
|
16729
|
-
"privileges_required": "
|
|
16730
|
-
"complexity": "
|
|
16731
|
-
"ai_factor": "
|
|
17008
|
+
"description": "an authentication-bypass-by-spoofing flaw (CWE-290) letting an unauthenticated attacker bypass authentication on the router. CISA KEV-listed 2025-09-03 with confirmed in-the-wild exploitation.",
|
|
17009
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
|
|
17010
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
17011
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
17012
|
+
},
|
|
17013
|
+
"defense_chain": {
|
|
17014
|
+
"prevention": {
|
|
17015
|
+
"what_would_have_worked": "Apply the vendor firmware update; for end-of-life devices with no fix, replace the device. After any suspected compromise, factory-reset and re-flash — router compromise persists in firmware/config, and these devices are recruited into botnets and operational-relay (ORB) infrastructure.",
|
|
17016
|
+
"was_this_required": true,
|
|
17017
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
17018
|
+
"adequacy": "Patch is necessary but EOL firmware often has no fix, making replacement the only remediation; compromised devices need re-flash, not just patch."
|
|
17019
|
+
},
|
|
17020
|
+
"detection": {
|
|
17021
|
+
"what_would_have_worked": "Monitoring of the TL-WR841N router: exploit-shaped requests, anomalous outbound/botnet traffic and config drift.",
|
|
17022
|
+
"was_this_required": false,
|
|
17023
|
+
"framework_requiring_it": null,
|
|
17024
|
+
"adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
|
|
17025
|
+
},
|
|
17026
|
+
"response": {
|
|
17027
|
+
"what_would_have_worked": "Factory-reset and re-flash or replace the device, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
|
|
17028
|
+
"was_this_required": true,
|
|
17029
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
17030
|
+
"adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
|
|
17031
|
+
}
|
|
16732
17032
|
},
|
|
16733
17033
|
"framework_coverage": {
|
|
16734
17034
|
"NIST-800-53-SI-2": {
|
|
16735
17035
|
"covered": true,
|
|
16736
17036
|
"adequate": false,
|
|
16737
|
-
"gap": "30-day SLA
|
|
17037
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
|
|
16738
17038
|
},
|
|
16739
17039
|
"ISO-27001-2022-A.8.8": {
|
|
16740
17040
|
"covered": true,
|
|
16741
17041
|
"adequate": false,
|
|
16742
|
-
"gap": "
|
|
17042
|
+
"gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
|
|
17043
|
+
},
|
|
17044
|
+
"NIS2-Art21-network-security": {
|
|
17045
|
+
"covered": true,
|
|
17046
|
+
"adequate": false,
|
|
17047
|
+
"gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
|
|
17048
|
+
},
|
|
17049
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
17050
|
+
"covered": true,
|
|
17051
|
+
"adequate": false,
|
|
17052
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
|
|
16743
17053
|
}
|
|
16744
17054
|
},
|
|
16745
17055
|
"compliance_exposure_score": {
|
|
16746
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
16747
|
-
"basis": "
|
|
17056
|
+
"percent_audit_passing_orgs_still_exposed": 80,
|
|
17057
|
+
"basis": "Internet-facing TP-Link TL-WR841N router is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
|
|
16748
17058
|
"theater_pattern": "patch_management"
|
|
16749
17059
|
},
|
|
16750
17060
|
"ai_discovered_zeroday": false,
|
|
16751
|
-
"ai_discovery_source": "
|
|
16752
|
-
"ai_assist_factor": "none"
|
|
16753
|
-
"_auto_imported": true,
|
|
16754
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
17061
|
+
"ai_discovery_source": "vendor_research",
|
|
17062
|
+
"ai_assist_factor": "none"
|
|
16755
17063
|
},
|
|
16756
17064
|
"CVE-2025-9377": {
|
|
16757
17065
|
"name": "TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability",
|
|
16758
|
-
"lesson_date": "2026-05-
|
|
17066
|
+
"lesson_date": "2026-05-29",
|
|
16759
17067
|
"attack_vector": {
|
|
16760
|
-
"description": "
|
|
16761
|
-
"privileges_required": "
|
|
16762
|
-
"complexity": "
|
|
16763
|
-
"ai_factor": "
|
|
17068
|
+
"description": "an OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the router. CISA KEV-listed 2025-09-03 with confirmed in-the-wild exploitation.",
|
|
17069
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
|
|
17070
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
17071
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
17072
|
+
},
|
|
17073
|
+
"defense_chain": {
|
|
17074
|
+
"prevention": {
|
|
17075
|
+
"what_would_have_worked": "Apply the vendor firmware update; for end-of-life devices with no fix, replace the device. After any suspected compromise, factory-reset and re-flash — router compromise persists in firmware/config, and these devices are recruited into botnets and operational-relay (ORB) infrastructure.",
|
|
17076
|
+
"was_this_required": true,
|
|
17077
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
17078
|
+
"adequacy": "Patch is necessary but EOL firmware often has no fix, making replacement the only remediation; compromised devices need re-flash, not just patch."
|
|
17079
|
+
},
|
|
17080
|
+
"detection": {
|
|
17081
|
+
"what_would_have_worked": "Monitoring of the TP-Link router: exploit-shaped requests, anomalous outbound/botnet traffic and config drift.",
|
|
17082
|
+
"was_this_required": false,
|
|
17083
|
+
"framework_requiring_it": null,
|
|
17084
|
+
"adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
|
|
17085
|
+
},
|
|
17086
|
+
"response": {
|
|
17087
|
+
"what_would_have_worked": "Factory-reset and re-flash or replace the device, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
|
|
17088
|
+
"was_this_required": true,
|
|
17089
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
17090
|
+
"adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
|
|
17091
|
+
}
|
|
16764
17092
|
},
|
|
16765
17093
|
"framework_coverage": {
|
|
16766
17094
|
"NIST-800-53-SI-2": {
|
|
16767
17095
|
"covered": true,
|
|
16768
17096
|
"adequate": false,
|
|
16769
|
-
"gap": "30-day SLA
|
|
17097
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
|
|
16770
17098
|
},
|
|
16771
17099
|
"ISO-27001-2022-A.8.8": {
|
|
16772
17100
|
"covered": true,
|
|
16773
17101
|
"adequate": false,
|
|
16774
|
-
"gap": "
|
|
17102
|
+
"gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
|
|
17103
|
+
},
|
|
17104
|
+
"NIS2-Art21-network-security": {
|
|
17105
|
+
"covered": true,
|
|
17106
|
+
"adequate": false,
|
|
17107
|
+
"gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
|
|
17108
|
+
},
|
|
17109
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
17110
|
+
"covered": true,
|
|
17111
|
+
"adequate": false,
|
|
17112
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
|
|
16775
17113
|
}
|
|
16776
17114
|
},
|
|
16777
17115
|
"compliance_exposure_score": {
|
|
16778
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
16779
|
-
"basis": "
|
|
17116
|
+
"percent_audit_passing_orgs_still_exposed": 80,
|
|
17117
|
+
"basis": "Internet-facing TP-Link Archer C7 and TL-WR841N/ND routers is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
|
|
16780
17118
|
"theater_pattern": "patch_management"
|
|
16781
17119
|
},
|
|
16782
17120
|
"ai_discovered_zeroday": false,
|
|
16783
|
-
"ai_discovery_source": "
|
|
16784
|
-
"ai_assist_factor": "none"
|
|
16785
|
-
"_auto_imported": true,
|
|
16786
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
17121
|
+
"ai_discovery_source": "vendor_research",
|
|
17122
|
+
"ai_assist_factor": "none"
|
|
16787
17123
|
},
|
|
16788
17124
|
"CVE-2020-24363": {
|
|
16789
17125
|
"name": "TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability",
|
|
@@ -16851,35 +17187,63 @@
|
|
|
16851
17187
|
},
|
|
16852
17188
|
"CVE-2025-57819": {
|
|
16853
17189
|
"name": "Sangoma FreePBX Authentication Bypass Vulnerability",
|
|
16854
|
-
"lesson_date": "2026-05-
|
|
17190
|
+
"lesson_date": "2026-05-29",
|
|
16855
17191
|
"attack_vector": {
|
|
16856
|
-
"description": "
|
|
16857
|
-
"privileges_required": "
|
|
16858
|
-
"complexity": "
|
|
16859
|
-
"ai_factor": "
|
|
17192
|
+
"description": "an authentication bypass combined with SQL injection (CWE-89/CWE-288), letting an unauthenticated attacker reach administrative functionality and the database. CISA KEV-listed 2025-08-29 with confirmed in-the-wild exploitation.",
|
|
17193
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
|
|
17194
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
17195
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
17196
|
+
},
|
|
17197
|
+
"defense_chain": {
|
|
17198
|
+
"prevention": {
|
|
17199
|
+
"what_would_have_worked": "Apply the Sangoma FreePBX / module update; hunt for web shells and toll-fraud (anomalous outbound SIP/calls), and rotate SIP and administrative credentials — FreePBX compromise is routinely monetized via telephony fraud.",
|
|
17200
|
+
"was_this_required": true,
|
|
17201
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
17202
|
+
"adequacy": "Patch is necessary but, given the device's trust position, an exploited unit must be rebuilt and its secrets rotated — a patch in place does not evict a resident attacker."
|
|
17203
|
+
},
|
|
17204
|
+
"detection": {
|
|
17205
|
+
"what_would_have_worked": "Monitoring of the FreePBX: exploit-shaped requests, toll-fraud call patterns and new admin objects.",
|
|
17206
|
+
"was_this_required": false,
|
|
17207
|
+
"framework_requiring_it": null,
|
|
17208
|
+
"adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
|
|
17209
|
+
},
|
|
17210
|
+
"response": {
|
|
17211
|
+
"what_would_have_worked": "Rebuild the device from a known-good image, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
|
|
17212
|
+
"was_this_required": true,
|
|
17213
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
17214
|
+
"adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
|
|
17215
|
+
}
|
|
16860
17216
|
},
|
|
16861
17217
|
"framework_coverage": {
|
|
16862
17218
|
"NIST-800-53-SI-2": {
|
|
16863
17219
|
"covered": true,
|
|
16864
17220
|
"adequate": false,
|
|
16865
|
-
"gap": "30-day SLA
|
|
17221
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
|
|
16866
17222
|
},
|
|
16867
17223
|
"ISO-27001-2022-A.8.8": {
|
|
16868
17224
|
"covered": true,
|
|
16869
17225
|
"adequate": false,
|
|
16870
|
-
"gap": "
|
|
17226
|
+
"gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
|
|
17227
|
+
},
|
|
17228
|
+
"NIS2-Art21-network-security": {
|
|
17229
|
+
"covered": true,
|
|
17230
|
+
"adequate": false,
|
|
17231
|
+
"gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
|
|
17232
|
+
},
|
|
17233
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
17234
|
+
"covered": true,
|
|
17235
|
+
"adequate": false,
|
|
17236
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
|
|
16871
17237
|
}
|
|
16872
17238
|
},
|
|
16873
17239
|
"compliance_exposure_score": {
|
|
16874
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
16875
|
-
"basis": "
|
|
17240
|
+
"percent_audit_passing_orgs_still_exposed": 80,
|
|
17241
|
+
"basis": "Internet-facing Sangoma FreePBX is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
|
|
16876
17242
|
"theater_pattern": "patch_management"
|
|
16877
17243
|
},
|
|
16878
17244
|
"ai_discovered_zeroday": false,
|
|
16879
|
-
"ai_discovery_source": "
|
|
16880
|
-
"ai_assist_factor": "none"
|
|
16881
|
-
"_auto_imported": true,
|
|
16882
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
17245
|
+
"ai_discovery_source": "vendor_research",
|
|
17246
|
+
"ai_assist_factor": "none"
|
|
16883
17247
|
},
|
|
16884
17248
|
"CVE-2025-7775": {
|
|
16885
17249
|
"name": "Citrix NetScaler Memory Overflow Vulnerability",
|
|
@@ -18639,35 +19003,63 @@
|
|
|
18639
19003
|
},
|
|
18640
19004
|
"CVE-2023-33538": {
|
|
18641
19005
|
"name": "TP-Link Multiple Routers Command Injection Vulnerability",
|
|
18642
|
-
"lesson_date": "2026-05-
|
|
19006
|
+
"lesson_date": "2026-05-29",
|
|
18643
19007
|
"attack_vector": {
|
|
18644
|
-
"description": "
|
|
18645
|
-
"privileges_required": "
|
|
18646
|
-
"complexity": "
|
|
18647
|
-
"ai_factor": "
|
|
19008
|
+
"description": "a command-injection flaw (CWE-77) enabling unauthenticated remote command execution on the router. CISA KEV-listed 2025-06-16 with confirmed in-the-wild exploitation.",
|
|
19009
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
|
|
19010
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
19011
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
19012
|
+
},
|
|
19013
|
+
"defense_chain": {
|
|
19014
|
+
"prevention": {
|
|
19015
|
+
"what_would_have_worked": "Apply the vendor firmware update; for end-of-life devices with no fix, replace the device. After any suspected compromise, factory-reset and re-flash — router compromise persists in firmware/config, and these devices are recruited into botnets and operational-relay (ORB) infrastructure.",
|
|
19016
|
+
"was_this_required": true,
|
|
19017
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
19018
|
+
"adequacy": "Patch is necessary but EOL firmware often has no fix, making replacement the only remediation; compromised devices need re-flash, not just patch."
|
|
19019
|
+
},
|
|
19020
|
+
"detection": {
|
|
19021
|
+
"what_would_have_worked": "Monitoring of the TP-Link router: exploit-shaped requests, anomalous outbound/botnet traffic and config drift.",
|
|
19022
|
+
"was_this_required": false,
|
|
19023
|
+
"framework_requiring_it": null,
|
|
19024
|
+
"adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
|
|
19025
|
+
},
|
|
19026
|
+
"response": {
|
|
19027
|
+
"what_would_have_worked": "Factory-reset and re-flash or replace the device, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
|
|
19028
|
+
"was_this_required": true,
|
|
19029
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
19030
|
+
"adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
|
|
19031
|
+
}
|
|
18648
19032
|
},
|
|
18649
19033
|
"framework_coverage": {
|
|
18650
19034
|
"NIST-800-53-SI-2": {
|
|
18651
19035
|
"covered": true,
|
|
18652
19036
|
"adequate": false,
|
|
18653
|
-
"gap": "30-day SLA
|
|
19037
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
|
|
18654
19038
|
},
|
|
18655
19039
|
"ISO-27001-2022-A.8.8": {
|
|
18656
19040
|
"covered": true,
|
|
18657
19041
|
"adequate": false,
|
|
18658
|
-
"gap": "
|
|
19042
|
+
"gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
|
|
19043
|
+
},
|
|
19044
|
+
"NIS2-Art21-network-security": {
|
|
19045
|
+
"covered": true,
|
|
19046
|
+
"adequate": false,
|
|
19047
|
+
"gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
|
|
19048
|
+
},
|
|
19049
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
19050
|
+
"covered": true,
|
|
19051
|
+
"adequate": false,
|
|
19052
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
|
|
18659
19053
|
}
|
|
18660
19054
|
},
|
|
18661
19055
|
"compliance_exposure_score": {
|
|
18662
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
18663
|
-
"basis": "
|
|
19056
|
+
"percent_audit_passing_orgs_still_exposed": 80,
|
|
19057
|
+
"basis": "Internet-facing TP-Link routers (multiple models) is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
|
|
18664
19058
|
"theater_pattern": "patch_management"
|
|
18665
19059
|
},
|
|
18666
19060
|
"ai_discovered_zeroday": false,
|
|
18667
|
-
"ai_discovery_source": "
|
|
18668
|
-
"ai_assist_factor": "none"
|
|
18669
|
-
"_auto_imported": true,
|
|
18670
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
19061
|
+
"ai_discovery_source": "vendor_research",
|
|
19062
|
+
"ai_assist_factor": "none"
|
|
18671
19063
|
},
|
|
18672
19064
|
"CVE-2025-43200": {
|
|
18673
19065
|
"name": "Apple Multiple Products Unspecified Vulnerability (variant: CVE-2025-43200)",
|
|
@@ -19106,35 +19498,63 @@
|
|
|
19106
19498
|
},
|
|
19107
19499
|
"CVE-2025-3935": {
|
|
19108
19500
|
"name": "ConnectWise ScreenConnect Improper Authentication Vulnerability",
|
|
19109
|
-
"lesson_date": "2026-05-
|
|
19501
|
+
"lesson_date": "2026-05-29",
|
|
19110
19502
|
"attack_vector": {
|
|
19111
|
-
"description": "
|
|
19112
|
-
"privileges_required": "
|
|
19113
|
-
"complexity": "
|
|
19114
|
-
"ai_factor": "
|
|
19503
|
+
"description": "an improper-authentication flaw (CWE-287) letting an unauthenticated attacker bypass authentication via ASP.NET ViewState / machine-key abuse. CISA KEV-listed 2025-06-02 with confirmed in-the-wild exploitation.",
|
|
19504
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application's public interface)",
|
|
19505
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
19506
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
19507
|
+
},
|
|
19508
|
+
"defense_chain": {
|
|
19509
|
+
"prevention": {
|
|
19510
|
+
"what_would_have_worked": "Apply the ConnectWise ScreenConnect update and rotate the ASP.NET machine keys — the bypass abuses key material, so rotation is required beyond patching. RMM compromise reaches downstream endpoints.",
|
|
19511
|
+
"was_this_required": true,
|
|
19512
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
19513
|
+
"adequacy": "Patch is necessary but, for these RCE/auth-bypass flaws, insufficient alone — web shells and stolen credentials survive the patch and require explicit cleanup."
|
|
19514
|
+
},
|
|
19515
|
+
"detection": {
|
|
19516
|
+
"what_would_have_worked": "Monitoring on the ScreenConnect: exploit-shaped requests, new web-shell files, unexpected process execution, and authentication/authorization events with no matching legitimate session or with forged key material.",
|
|
19517
|
+
"was_this_required": false,
|
|
19518
|
+
"framework_requiring_it": null,
|
|
19519
|
+
"adequacy": "Necessary to catch resident persistence and key abuse after patching."
|
|
19520
|
+
},
|
|
19521
|
+
"response": {
|
|
19522
|
+
"what_would_have_worked": "Patch immediately, hunt and remove web shells, rotate application secrets and credentials, and review data and downstream systems reachable from the ScreenConnect; assume compromise of accounts and managed endpoints in its reach.",
|
|
19523
|
+
"was_this_required": true,
|
|
19524
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
19525
|
+
"adequacy": "Mandatory; patch-in-place without key rotation / web-shell hunting leaves the attacker resident or able to re-authenticate."
|
|
19526
|
+
}
|
|
19115
19527
|
},
|
|
19116
19528
|
"framework_coverage": {
|
|
19117
19529
|
"NIST-800-53-SI-2": {
|
|
19118
19530
|
"covered": true,
|
|
19119
19531
|
"adequate": false,
|
|
19120
|
-
"gap": "30-day SLA
|
|
19532
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated server-side application RCE/auth-bypass; these are mass-exploited within days, and RMM/file-sharing compromise reaches downstream systems."
|
|
19121
19533
|
},
|
|
19122
19534
|
"ISO-27001-2022-A.8.8": {
|
|
19123
19535
|
"covered": true,
|
|
19124
19536
|
"adequate": false,
|
|
19125
|
-
"gap": "
|
|
19537
|
+
"gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing enterprise application."
|
|
19538
|
+
},
|
|
19539
|
+
"NIS2-Art21-network-security": {
|
|
19540
|
+
"covered": true,
|
|
19541
|
+
"adequate": false,
|
|
19542
|
+
"gap": "Treats internet-facing enterprise applications as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / key-rotation cleanup these RCEs and key-disclosure flaws need."
|
|
19543
|
+
},
|
|
19544
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
19545
|
+
"covered": true,
|
|
19546
|
+
"adequate": false,
|
|
19547
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing enterprise application in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
|
|
19126
19548
|
}
|
|
19127
19549
|
},
|
|
19128
19550
|
"compliance_exposure_score": {
|
|
19129
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
19130
|
-
"basis": "
|
|
19551
|
+
"percent_audit_passing_orgs_still_exposed": 76,
|
|
19552
|
+
"basis": "Internet-facing ConnectWise ScreenConnect is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt and key rotation are rarely part of the documented patch procedure, and RMM/file-sharing/MES reach amplifies the blast radius.",
|
|
19131
19553
|
"theater_pattern": "patch_management"
|
|
19132
19554
|
},
|
|
19133
19555
|
"ai_discovered_zeroday": false,
|
|
19134
|
-
"ai_discovery_source": "
|
|
19135
|
-
"ai_assist_factor": "none"
|
|
19136
|
-
"_auto_imported": true,
|
|
19137
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
19556
|
+
"ai_discovery_source": "vendor_research",
|
|
19557
|
+
"ai_assist_factor": "none"
|
|
19138
19558
|
},
|
|
19139
19559
|
"CVE-2025-35939": {
|
|
19140
19560
|
"name": "Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability",
|
|
@@ -19602,35 +20022,63 @@
|
|
|
19602
20022
|
},
|
|
19603
20023
|
"CVE-2024-12987": {
|
|
19604
20024
|
"name": "DrayTek Vigor Routers OS Command Injection Vulnerability",
|
|
19605
|
-
"lesson_date": "2026-05-
|
|
20025
|
+
"lesson_date": "2026-05-29",
|
|
19606
20026
|
"attack_vector": {
|
|
19607
|
-
"description": "
|
|
19608
|
-
"privileges_required": "
|
|
19609
|
-
"complexity": "
|
|
19610
|
-
"ai_factor": "
|
|
20027
|
+
"description": "an OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the router. CISA KEV-listed 2025-05-15 with confirmed in-the-wild exploitation.",
|
|
20028
|
+
"privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
|
|
20029
|
+
"complexity": "low — KEV-listed, actively exploited; treat as weaponized",
|
|
20030
|
+
"ai_factor": "No AI involvement documented in discovery or weaponization."
|
|
20031
|
+
},
|
|
20032
|
+
"defense_chain": {
|
|
20033
|
+
"prevention": {
|
|
20034
|
+
"what_would_have_worked": "Apply the vendor firmware update; for end-of-life devices with no fix, replace the device. After any suspected compromise, factory-reset and re-flash — router compromise persists in firmware/config, and these devices are recruited into botnets and operational-relay (ORB) infrastructure.",
|
|
20035
|
+
"was_this_required": true,
|
|
20036
|
+
"framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
|
|
20037
|
+
"adequacy": "Patch is necessary but EOL firmware often has no fix, making replacement the only remediation; compromised devices need re-flash, not just patch."
|
|
20038
|
+
},
|
|
20039
|
+
"detection": {
|
|
20040
|
+
"what_would_have_worked": "Monitoring of the DrayTek Vigor router: exploit-shaped requests, anomalous outbound/botnet traffic and config drift.",
|
|
20041
|
+
"was_this_required": false,
|
|
20042
|
+
"framework_requiring_it": null,
|
|
20043
|
+
"adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
|
|
20044
|
+
},
|
|
20045
|
+
"response": {
|
|
20046
|
+
"what_would_have_worked": "Factory-reset and re-flash or replace the device, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
|
|
20047
|
+
"was_this_required": true,
|
|
20048
|
+
"framework_requiring_it": "NIST 800-53 IR-4",
|
|
20049
|
+
"adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
|
|
20050
|
+
}
|
|
19611
20051
|
},
|
|
19612
20052
|
"framework_coverage": {
|
|
19613
20053
|
"NIST-800-53-SI-2": {
|
|
19614
20054
|
"covered": true,
|
|
19615
20055
|
"adequate": false,
|
|
19616
|
-
"gap": "30-day SLA
|
|
20056
|
+
"gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
|
|
19617
20057
|
},
|
|
19618
20058
|
"ISO-27001-2022-A.8.8": {
|
|
19619
20059
|
"covered": true,
|
|
19620
20060
|
"adequate": false,
|
|
19621
|
-
"gap": "
|
|
20061
|
+
"gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
|
|
20062
|
+
},
|
|
20063
|
+
"NIS2-Art21-network-security": {
|
|
20064
|
+
"covered": true,
|
|
20065
|
+
"adequate": false,
|
|
20066
|
+
"gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
|
|
20067
|
+
},
|
|
20068
|
+
"PCI-DSS-4.0-6.3.3": {
|
|
20069
|
+
"covered": true,
|
|
20070
|
+
"adequate": false,
|
|
20071
|
+
"gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
|
|
19622
20072
|
}
|
|
19623
20073
|
},
|
|
19624
20074
|
"compliance_exposure_score": {
|
|
19625
|
-
"percent_audit_passing_orgs_still_exposed":
|
|
19626
|
-
"basis": "
|
|
20075
|
+
"percent_audit_passing_orgs_still_exposed": 80,
|
|
20076
|
+
"basis": "Internet-facing DrayTek Vigor routers is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
|
|
19627
20077
|
"theater_pattern": "patch_management"
|
|
19628
20078
|
},
|
|
19629
20079
|
"ai_discovered_zeroday": false,
|
|
19630
|
-
"ai_discovery_source": "
|
|
19631
|
-
"ai_assist_factor": "none"
|
|
19632
|
-
"_auto_imported": true,
|
|
19633
|
-
"_intake_method": "v0.13.17-bulk-cisa-kev-import"
|
|
20080
|
+
"ai_discovery_source": "vendor_research",
|
|
20081
|
+
"ai_assist_factor": "none"
|
|
19634
20082
|
},
|
|
19635
20083
|
"CVE-2025-32756": {
|
|
19636
20084
|
"name": "Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability",
|