@blamejs/exceptd-skills 0.15.19 → 0.15.21

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.21 — 2026-05-29
+
+Draft-curation pass 19 — legacy browser/reader client-side RCEs. Six CISA KEV-listed client-side memory-corruption CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Adobe Acrobat/Reader (CVE-2020-9715 use-after-free, CVE-2009-3459 heap overflow), Internet Explorer (CVE-2010-0249 the Operation Aurora zero-day, CVE-2010-0806 iepeers, CVE-2013-3893 the SetMouseCapture watering-hole flaw), and Mozilla Firefox (CVE-2010-3765). All map T1203 (Exploitation for Client Execution). The lessons frame these as long-tail KEV re-listings — the fixes shipped years ago, but unpatched and end-of-life estates (notably the unsupported Internet Explorer) remain exposed; retiring end-of-life browsers and application hardening (Protected Mode/View, ASR rules) are the load-bearing controls.
+
+## 0.15.20 — 2026-05-29
+
+Draft-curation pass 18 — internet-facing network devices. Eight CISA KEV-listed unauthenticated CVEs on SOHO routers, a telephony appliance, and a firewall are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: TP-Link routers (CVE-2023-50224 authentication bypass, CVE-2025-9377 and CVE-2023-33538 command injection), DrayTek Vigor command injection (CVE-2024-12987), Sangoma FreePBX (CVE-2025-64328 command injection, CVE-2025-57819 authentication bypass + SQL injection), and WatchGuard Firebox out-of-bounds-write RCE (CVE-2025-14733, CVE-2025-9242). All map T1190, with per-class T1059 (command injection) or T1078 (auth bypass). The lessons account for the realities of edge devices: end-of-life firmware that can only be replaced, recruitment into botnets and operational-relay networks, telephony toll fraud on the PBX, and the requirement to re-flash/rebuild and rotate secrets rather than patch in place.
+
 ## 0.15.19 — 2026-05-29
 
 Draft-curation pass 17 — enterprise server-side applications. Eight CISA KEV-listed unauthenticated CVEs across manufacturing-operations, file-sharing, and remote-management software are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Dassault Systèmes DELMIA Apriso (CVE-2025-6204 code injection, CVE-2025-5086 deserialization, CVE-2025-6205 missing authorization), Gladinet CentreStack/Triofox (CVE-2025-14611 hard-coded cryptographic key, CVE-2025-11371 file disclosure leaking the machine key, CVE-2025-12480 improper access control), and ConnectWise ScreenConnect (CVE-2024-1708 path traversal, CVE-2025-3935 authentication bypass). All map T1190, with per-class T1059, T1078, T1552 (key disclosure/forgery), or T1505.003. The lessons stress that key-disclosure and authentication-bypass flaws require cryptographic-key rotation — not just patching — and that RMM/file-sharing/MES compromise extends the blast radius to downstream and OT-adjacent systems.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T22:34:17.490Z",
+  "generated_at": "2026-05-29T23:31:13.024Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "f4ca112722a595daef5938c0815358502506f83f15c035e3c7be3298d5d3badb",
+    "manifest.json": "5bb0e383ababb4b8232b7bc77737fb09f11f0aebf8fd3f6b06949aa13603fcbc",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "abb27bf3358a35d4e955bd133244bccdf64f633681b62f0714ec8ecfe1595261",
-    "data/cve-catalog.json": "9b096af370a99c08ddbfe79285793a8d5d86b995c453361dd89e15511ec9feeb",
+    "data/attack-techniques.json": "10d21befa5e9e9f56594d93227d4c8621dcbf6deebe2a10018b8d054aaf51fa3",
+    "data/cve-catalog.json": "c336e8c05685ae3a32c6760d559bc03949c0d1a0a2d8465c0a4cfe5b0dabee5b",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "99bb6d869f97f52f726ebc50e3fa8c787824212b129e4903fb18a9c46a57b017",
+    "data/zeroday-lessons.json": "d76a7223bc4d9d613a397120ae1f3edb7c6640adfdac69100d34c2d5fa18a4fe",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/_indexes/activity-feed.json

@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 422
+      "entry_count": 425
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 422,
+      "entry_count": 425,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/attack-techniques.json

@@ -275,6 +275,7 @@
       "CVE-2020-25078",
       "CVE-2020-25079",
       "CVE-2022-1471",
+      "CVE-2023-33538",
       "CVE-2023-43654",
       "CVE-2023-44467",
       "CVE-2023-48022",
@@ -285,6 +286,7 @@
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-12366",
+      "CVE-2024-12987",
       "CVE-2024-13059",
       "CVE-2024-21513",
       "CVE-2024-21575",
@@ -332,12 +334,14 @@
       "CVE-2025-58034",
       "CVE-2025-60455",
       "CVE-2025-6204",
+      "CVE-2025-64328",
       "CVE-2025-64496",
       "CVE-2025-68645",
       "CVE-2025-68664",
       "CVE-2025-68665",
       "CVE-2025-68668",
       "CVE-2025-8747",
+      "CVE-2025-9377",
       "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
@@ -593,6 +597,7 @@
       "CVE-2025-3935",
       "CVE-2025-4427",
       "CVE-2025-49706",
+      "CVE-2025-57819",
       "CVE-2025-61757",
       "CVE-2025-6205",
       "CVE-2025-64513",
@@ -919,9 +924,7 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2008-0015",
-      "CVE-2010-3765",
       "CVE-2012-1854",
-      "CVE-2013-3893",
       "CVE-2014-6278",
       "CVE-2016-10033",
       "CVE-2016-7836",
@@ -949,6 +952,7 @@
       "CVE-2023-43791",
       "CVE-2023-47117",
       "CVE-2023-48022",
+      "CVE-2023-50224",
       "CVE-2023-51449",
       "CVE-2023-52163",
       "CVE-2023-6016",
@@ -1322,8 +1326,10 @@
       "CVE-2009-3459",
       "CVE-2010-0249",
       "CVE-2010-0806",
+      "CVE-2010-3765",
       "CVE-2010-3962",
       "CVE-2011-3402",
+      "CVE-2013-3893",
       "CVE-2013-3918",
       "CVE-2014-3931",
       "CVE-2020-9715",