@blamejs/exceptd-skills 0.15.19 → 0.15.21

package/data/cve-catalog.json

@@ -9823,7 +9823,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://helpx.adobe.com/security/products/acrobat/apsb20-48.html",
@@ -9852,11 +9852,21 @@
         "published_date": "2026-04-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://helpx.adobe.com/security/products/acrobat/apsb20-48.html ; https://nvd.nist.gov/vuln/detail/CVE-2020-9715",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adobe Acrobat contains a use-after-free vulnerability that allows for code execution"
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adobe Acrobat contains a use-after-free vulnerability that allows for code execution",
+    "iocs": {
+      "behavioral": [
+        "Adobe Acrobat and Reader at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled PDFs.",
+        "Process crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in Adobe Acrobat and Reader on an affected endpoint.",
+        "Inbound delivery of weaponized PDF documents followed by unexpected child-process execution from the Acrobat/Reader process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2020-9715, CISA KEV (added 2026-04-13), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21643": {
     "name": "Fortinet FortiClient EMS SQL Injection Vulnerability",
@@ -20428,7 +20438,7 @@
     "cwe_refs": [
       "CWE-122"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2009-3459"
@@ -20442,11 +20452,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Adobe Acrobat and Reader heap-based buffer overflow allowing remote code execution via a crafted PDF."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adobe Acrobat and Reader heap-based buffer overflow allowing remote code execution via a crafted PDF.",
+    "iocs": {
+      "behavioral": [
+        "Adobe Acrobat and Reader at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled PDFs.",
+        "Process crashes or memory-corruption signatures consistent with heap-based buffer overflow (CWE-122) in Adobe Acrobat and Reader on an affected endpoint.",
+        "Inbound delivery of weaponized PDF documents followed by unexpected child-process execution from the Acrobat/Reader process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2009-3459, CISA KEV (added 2026-05-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2010-0249": {
     "name": "Microsoft Internet Explorer Use-After-Free (Operation Aurora)",
@@ -20509,7 +20529,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2010-0249"
@@ -20523,11 +20543,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE (Operation Aurora) re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Microsoft Internet Explorer use-after-free allowing remote code execution via a crafted web page (Operation Aurora)."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Internet Explorer use-after-free allowing remote code execution via a crafted web page (Operation Aurora).",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Internet Explorer at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in Internet Explorer (the 'Operation Aurora' zero-day) on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Internet Explorer process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2010-0249, CISA KEV (added 2026-05-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2010-0806": {
     "name": "Microsoft Internet Explorer Use-After-Free (iepeers)",
@@ -20590,7 +20620,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2010-0806"
@@ -20604,11 +20634,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Microsoft Internet Explorer iepeers.dll use-after-free allowing remote code execution via a crafted web page."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Internet Explorer iepeers.dll use-after-free allowing remote code execution via a crafted web page.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Internet Explorer at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in the Internet Explorer iepeers component on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Internet Explorer process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2010-0806, CISA KEV (added 2026-05-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
@@ -25490,7 +25530,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25511,7 +25552,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw",
@@ -25540,11 +25581,21 @@
         "published_date": "2026-02-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-03; due date 2026-02-24. Notes reference: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw ; https://nvd.nist.gov/vuln/detail/CVE-2025-64328",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user. ",
+    "iocs": {
+      "behavioral": [
+        "Sangoma FreePBX reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the FreePBX consistent with OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the telephony server.",
+        "Post-exploitation indicators on the FreePBX — web shells, toll-fraud call patterns, or new admin extensions — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-64328, CISA KEV (added 2026-02-03), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2019-19006": {
     "name": " Sangoma FreePBX Improper Authentication Vulnerability",
@@ -27636,7 +27687,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027",
@@ -27665,11 +27716,21 @@
         "published_date": "2025-12-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-19; due date 2025-12-26. Notes reference: Check for signs of potential compromise on all internet accessible instances after applying mitigations. For more information please see: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.",
+    "iocs": {
+      "behavioral": [
+        "WatchGuard Firebox reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Firebox firewall consistent with out-of-bounds write (CWE-787) exploitable by an unauthenticated attacker for memory-corruption remote code execution on the firewall.",
+        "Post-exploitation indicators on the Firebox firewall — crashes consistent with memory corruption, new processes, or config/credential changes — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-14733, CISA KEV (added 2025-12-19), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-59374": {
     "name": "ASUS Live Update Embedded Malicious Code Vulnerability",
@@ -29942,7 +30003,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015",
@@ -29971,11 +30032,21 @@
         "published_date": "2025-11-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-12; due date 2025-12-03. Notes reference: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 ; https://nvd.nist.gov/vuln/detail/CVE-2025-9242",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code.",
+    "iocs": {
+      "behavioral": [
+        "WatchGuard Firebox reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Firebox firewall consistent with out-of-bounds write (CWE-787) in the Firebox IKE/VPN handling.",
+        "Post-exploitation indicators on the Firebox firewall — crashes consistent with memory corruption, new processes, or config/credential changes — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-9242, CISA KEV (added 2025-11-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-21042": {
     "name": "Samsung Mobile Devices Out-of-Bounds Write Vulnerability",
@@ -32758,7 +32829,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32779,7 +32850,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.mozilla.org/en-US/security/advisories/mfsa2010-73",
@@ -32808,11 +32879,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://www.mozilla.org/en-US/security/advisories/mfsa2010-73 ; https://nvd.nist.gov/vuln/detail/CVE-2010-3765",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.",
+    "iocs": {
+      "behavioral": [
+        "Mozilla Firefox and related products at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with memory-corruption code-execution flaw (CWE-94) in Mozilla Firefox and related products on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Firefox process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2010-3765, CISA KEV (added 2025-10-06), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-61882": {
     "name": "Oracle E-Business Suite Unspecified Vulnerability",
@@ -34449,7 +34530,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34470,7 +34552,7 @@
     "cwe_refs": [
       "CWE-290"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.tp-link.com/us/support/faq/4308/",
@@ -34499,11 +34581,21 @@
         "published_date": "2025-09-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-03; due date 2025-09-24. Notes reference: https://www.tp-link.com/us/support/faq/4308/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-50224",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclose of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclose of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "TP-Link TL-WR841N router reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the TL-WR841N router consistent with authentication-bypass-by-spoofing flaw (CWE-290) letting an unauthenticated attacker bypass authentication on the router.",
+        "Post-exploitation indicators on the TL-WR841N router — botnet/ORB beaconing, unexpected outbound traffic, or altered DNS/routing config — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-50224, CISA KEV (added 2025-09-03), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-9377": {
     "name": "TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability",
@@ -34545,7 +34637,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34566,7 +34659,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.tp-link.com/us/support/faq/4308/",
@@ -34595,11 +34688,21 @@
         "published_date": "2025-09-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-03; due date 2025-09-24. Notes reference: https://www.tp-link.com/us/support/faq/4308/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-9377",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "TP-Link Archer C7 and TL-WR841N/ND routers reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the TP-Link router consistent with OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the router.",
+        "Post-exploitation indicators on the TP-Link router — botnet/ORB beaconing, unexpected outbound traffic, or altered DNS/routing config — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-9377, CISA KEV (added 2025-09-03), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2020-24363": {
     "name": "TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability",
@@ -34834,7 +34937,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34856,7 +34960,7 @@
       "CWE-89",
       "CWE-288"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h",
@@ -34885,11 +34989,21 @@
         "published_date": "2025-08-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-29; due date 2025-09-19. Notes reference: https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h ; https://nvd.nist.gov/vuln/detail/CVE-2025-57819",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution.",
+    "iocs": {
+      "behavioral": [
+        "Sangoma FreePBX reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the FreePBX consistent with authentication bypass combined with SQL injection (CWE-89/CWE-288).",
+        "Post-exploitation indicators on the FreePBX — web shells, toll-fraud call patterns, or new admin extensions — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-57819, CISA KEV (added 2025-08-29), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-7775": {
     "name": "Citrix NetScaler Memory Overflow Vulnerability",
@@ -35840,7 +35954,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35861,7 +35975,7 @@
     "cwe_refs": [
       "CWE-399"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080",
@@ -35890,11 +36004,21 @@
         "published_date": "2025-08-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-12; due date 2025-09-02. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080 ; https://nvd.nist.gov/vuln/detail/CVE-2013-3893",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Internet Explorer at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with resource-management memory-corruption use-after-free (CWE-399) in Internet Explorer (the SetMouseCapture flaw used in watering-hole attacks) on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Internet Explorer process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2013-3893, CISA KEV (added 2025-08-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2020-25078": {
     "name": "D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability",
@@ -38802,7 +38926,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -38823,7 +38948,7 @@
     "cwe_refs": [
       "CWE-77"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.tp-link.com/nordic/support/faq/3562/",
@@ -38852,11 +38977,21 @@
         "published_date": "2025-06-16"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-16; due date 2025-07-07. Notes reference: https://www.tp-link.com/nordic/support/faq/3562/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-33538",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "TP-Link routers (multiple models) reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the TP-Link router consistent with command-injection flaw (CWE-77) enabling unauthenticated remote command execution on the router.",
+        "Post-exploitation indicators on the TP-Link router — botnet/ORB beaconing, unexpected outbound traffic, or altered DNS/routing config — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-33538, CISA KEV (added 2025-06-16), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-43200": {
     "name": "Apple Multiple Products Unspecified Vulnerability (variant: CVE-2025-43200)",
@@ -41120,7 +41255,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41141,7 +41277,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf",
@@ -41172,11 +41308,21 @@
         "published_date": "2025-05-15"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-15; due date 2025-06-05. Notes reference: https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf ; https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pd",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface.",
+    "iocs": {
+      "behavioral": [
+        "DrayTek Vigor routers reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the DrayTek Vigor router consistent with OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the router.",
+        "Post-exploitation indicators on the DrayTek Vigor router — botnet/ORB beaconing, unexpected outbound traffic, or altered DNS/routing config — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-12987, CISA KEV (added 2025-05-15), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32756": {
     "name": "Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability",