npm - @blamejs/exceptd-skills - Versions diffs - 0.15.19 → 0.15.21 - Mend

@blamejs/exceptd-skills 0.15.19 → 0.15.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/_indexes/activity-feed.json +1 -1
package/data/_indexes/catalog-summaries.json +1 -1
package/data/attack-techniques.json +8 -2
package/data/cve-catalog.json +224 -78
package/data/zeroday-lessons.json +605 -147
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/data/zeroday-lessons.json CHANGED Viewed

@@ -17,7 +17,7 @@
       "rebuild_after_days": 365,
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     },
-    "entry_count": 422
+    "entry_count": 425
   },
   "CVE-2026-31431": {
     "name": "Copy Fail",
@@ -7860,35 +7860,58 @@
   },
   "CVE-2020-9715": {
     "name": "Adobe Acrobat Use-After-Free Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Adobe Acrobat contains a use-after-free vulnerability that allows for code execution",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a use-after-free (CWE-416) in Adobe Acrobat and Reader, exploitable by an attacker-controlled PDF for code execution in the reader process. CISA KEV-listed 2026-04-13 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Adobe Acrobat and Reader; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Acrobat/Reader after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Adobe Acrobat and Reader is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-21643": {
     "name": "Fortinet FortiClient EMS SQL Injection Vulnerability",
@@ -13123,35 +13146,63 @@
   },
   "CVE-2025-64328": {
     "name": "Sangoma FreePBX OS Command Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user. ",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the telephony server. CISA KEV-listed 2026-02-03 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Sangoma FreePBX / module update; hunt for web shells and toll-fraud (anomalous outbound SIP/calls), and rotate SIP and administrative credentials — FreePBX compromise is routinely monetized via telephony fraud.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, given the device's trust position, an exploited unit must be rebuilt and its secrets rotated — a patch in place does not evict a resident attacker."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring of the FreePBX: exploit-shaped requests, toll-fraud call patterns and new admin objects.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
+      },
+      "response": {
+        "what_would_have_worked": "Rebuild the device from a known-good image, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Internet-facing Sangoma FreePBX is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2019-19006": {
     "name": " Sangoma FreePBX Improper Authentication Vulnerability",
@@ -14032,35 +14083,63 @@
   },
   "CVE-2025-14733": {
     "name": "WatchGuard Firebox Out of Bounds Write Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an out-of-bounds write (CWE-787) exploitable by an unauthenticated attacker for memory-corruption remote code execution on the firewall. CISA KEV-listed 2025-12-19 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the WatchGuard Fireware update; treat an exploited firewall as fully compromised — rebuild it and rotate every credential and VPN/IKE secret it held, since the firewall terminates trust for the network behind it.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, given the device's trust position, an exploited unit must be rebuilt and its secrets rotated — a patch in place does not evict a resident attacker."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring of the Firebox firewall: exploit-shaped requests, device crashes, new processes, and credential/config changes.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
+      },
+      "response": {
+        "what_would_have_worked": "Rebuild the device from a known-good image, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Internet-facing WatchGuard Firebox is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-59374": {
     "name": "ASUS Live Update Embedded Malicious Code Vulnerability",
@@ -15010,35 +15089,63 @@
   },
   "CVE-2025-9242": {
     "name": "WatchGuard Firebox Out-of-Bounds Write Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an out-of-bounds write (CWE-787) in the Firebox IKE/VPN handling, exploitable by an unauthenticated attacker for memory-corruption remote code execution on the firewall. CISA KEV-listed 2025-11-12 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the WatchGuard Fireware update; treat an exploited firewall as fully compromised — rebuild it and rotate every credential and VPN/IKE secret it held, since the firewall terminates trust for the network behind it.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, given the device's trust position, an exploited unit must be rebuilt and its secrets rotated — a patch in place does not evict a resident attacker."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring of the Firebox firewall: exploit-shaped requests, device crashes, new processes, and credential/config changes.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
+      },
+      "response": {
+        "what_would_have_worked": "Rebuild the device from a known-good image, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Internet-facing WatchGuard Firebox is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-21042": {
     "name": "Samsung Mobile Devices Out-of-Bounds Write Vulnerability",
@@ -16263,35 +16370,58 @@
   },
   "CVE-2010-3765": {
     "name": "Mozilla Multiple Products Remote Code Execution Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a memory-corruption code-execution flaw (CWE-94) in Mozilla Firefox and related products, exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Mozilla Firefox and related products; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Firefox after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Mozilla Firefox and related products is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-61882": {
     "name": "Oracle E-Business Suite Unspecified Vulnerability",
@@ -16919,67 +17049,123 @@
   },
   "CVE-2023-50224": {
     "name": "TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclose of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an authentication-bypass-by-spoofing flaw (CWE-290) letting an unauthenticated attacker bypass authentication on the router. CISA KEV-listed 2025-09-03 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware update; for end-of-life devices with no fix, replace the device. After any suspected compromise, factory-reset and re-flash — router compromise persists in firmware/config, and these devices are recruited into botnets and operational-relay (ORB) infrastructure.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but EOL firmware often has no fix, making replacement the only remediation; compromised devices need re-flash, not just patch."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring of the TL-WR841N router: exploit-shaped requests, anomalous outbound/botnet traffic and config drift.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
+      },
+      "response": {
+        "what_would_have_worked": "Factory-reset and re-flash or replace the device, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Internet-facing TP-Link TL-WR841N router is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-9377": {
     "name": "TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the router. CISA KEV-listed 2025-09-03 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware update; for end-of-life devices with no fix, replace the device. After any suspected compromise, factory-reset and re-flash — router compromise persists in firmware/config, and these devices are recruited into botnets and operational-relay (ORB) infrastructure.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but EOL firmware often has no fix, making replacement the only remediation; compromised devices need re-flash, not just patch."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring of the TP-Link router: exploit-shaped requests, anomalous outbound/botnet traffic and config drift.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
+      },
+      "response": {
+        "what_would_have_worked": "Factory-reset and re-flash or replace the device, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
-      }
-    },
-    "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Internet-facing TP-Link Archer C7 and TL-WR841N/ND routers is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2020-24363": {
     "name": "TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability",
@@ -17047,35 +17233,63 @@
   },
   "CVE-2025-57819": {
     "name": "Sangoma FreePBX Authentication Bypass Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an authentication bypass combined with SQL injection (CWE-89/CWE-288), letting an unauthenticated attacker reach administrative functionality and the database. CISA KEV-listed 2025-08-29 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Sangoma FreePBX / module update; hunt for web shells and toll-fraud (anomalous outbound SIP/calls), and rotate SIP and administrative credentials — FreePBX compromise is routinely monetized via telephony fraud.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but, given the device's trust position, an exploited unit must be rebuilt and its secrets rotated — a patch in place does not evict a resident attacker."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring of the FreePBX: exploit-shaped requests, toll-fraud call patterns and new admin objects.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
+      },
+      "response": {
+        "what_would_have_worked": "Rebuild the device from a known-good image, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Internet-facing Sangoma FreePBX is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-7775": {
     "name": "Citrix NetScaler Memory Overflow Vulnerability",
@@ -17474,35 +17688,58 @@
   },
   "CVE-2013-3893": {
     "name": "Microsoft Internet Explorer Resource Management Errors Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a resource-management memory-corruption use-after-free (CWE-399) in Internet Explorer (the SetMouseCapture flaw used in watering-hole attacks), exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2025-08-12 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Microsoft Internet Explorer; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Internet Explorer after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Microsoft Internet Explorer is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2020-25078": {
     "name": "D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability",
@@ -18835,35 +19072,63 @@
   },
   "CVE-2023-33538": {
     "name": "TP-Link Multiple Routers Command Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a command-injection flaw (CWE-77) enabling unauthenticated remote command execution on the router. CISA KEV-listed 2025-06-16 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware update; for end-of-life devices with no fix, replace the device. After any suspected compromise, factory-reset and re-flash — router compromise persists in firmware/config, and these devices are recruited into botnets and operational-relay (ORB) infrastructure.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but EOL firmware often has no fix, making replacement the only remediation; compromised devices need re-flash, not just patch."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring of the TP-Link router: exploit-shaped requests, anomalous outbound/botnet traffic and config drift.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
+      },
+      "response": {
+        "what_would_have_worked": "Factory-reset and re-flash or replace the device, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Internet-facing TP-Link routers (multiple models) is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-43200": {
     "name": "Apple Multiple Products Unspecified Vulnerability (variant: CVE-2025-43200)",
@@ -19826,35 +20091,63 @@
   },
   "CVE-2024-12987": {
     "name": "DrayTek Vigor Routers OS Command Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the router. CISA KEV-listed 2025-05-15 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the device's network interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware update; for end-of-life devices with no fix, replace the device. After any suspected compromise, factory-reset and re-flash — router compromise persists in firmware/config, and these devices are recruited into botnets and operational-relay (ORB) infrastructure.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but EOL firmware often has no fix, making replacement the only remediation; compromised devices need re-flash, not just patch."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring of the DrayTek Vigor router: exploit-shaped requests, anomalous outbound/botnet traffic and config drift.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because device compromise is often silent and persists across reboots in firmware/config."
+      },
+      "response": {
+        "what_would_have_worked": "Factory-reset and re-flash or replace the device, rotate all credentials and secrets it held, and review the network behind it for lateral movement; assume the device's trust is fully compromised.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; network-device compromise gives an attacker a durable, trusted position that patching alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network device; SOHO routers and edge appliances are mass-exploited into botnets and operational-relay (ORB) networks within days, and many run end-of-life firmware with no available fix."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited internet-facing device, and unmanaged/EOL devices fall outside most patch programs entirely."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats network devices/appliances as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA and does not address end-of-life devices that can only be replaced, not patched."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network device fronting or bridging the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Internet-facing DrayTek Vigor routers is frequently unmanaged or end-of-life; audited organizations rarely track SOHO/edge-device firmware on a KEV SLA, and the required re-flash/replace and secret rotation are almost never part of a routine patch procedure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-32756": {
     "name": "Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability",
@@ -21267,5 +21560,170 @@
     "ai_discovered_zeroday": false,
     "ai_discovery_source": "vendor_research",
     "ai_assist_factor": "none"
+  },
+  "CVE-2009-3459": {
+    "name": "Adobe Acrobat and Reader Heap-Based Buffer Overflow",
+    "lesson_date": "2026-05-29",
+    "attack_vector": {
+      "description": "a heap-based buffer overflow (CWE-122) in Adobe Acrobat and Reader, exploitable by an attacker-controlled PDF for code execution in the reader process. CISA KEV-listed 2026-05-20 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Adobe Acrobat and Reader; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Acrobat/Reader after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Adobe Acrobat and Reader is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2010-0249": {
+    "name": "Microsoft Internet Explorer Use-After-Free (Operation Aurora)",
+    "lesson_date": "2026-05-29",
+    "attack_vector": {
+      "description": "a use-after-free (CWE-416) in Internet Explorer (the 'Operation Aurora' zero-day), exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2026-05-20 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Microsoft Internet Explorer; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Internet Explorer after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Microsoft Internet Explorer is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2010-0806": {
+    "name": "Microsoft Internet Explorer Use-After-Free (iepeers)",
+    "lesson_date": "2026-05-29",
+    "attack_vector": {
+      "description": "a use-after-free (CWE-416) in the Internet Explorer iepeers component, exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2026-05-20 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Microsoft Internet Explorer; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Internet Explorer after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Microsoft Internet Explorer is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   }
 }