@blamejs/exceptd-skills 0.15.2 → 0.15.3

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.3 — 2026-05-29
+
+Draft-curation pass (1 of an ongoing series). Eight CISA KEV-listed CVE entries that were carried as auto-imported drafts are promoted to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Apache ActiveMQ (CVE-2026-34197), Microsoft SharePoint deserialization (CVE-2026-20963), BeyondTrust RS/PRA command injection (CVE-2026-1731), Fortinet FortiClient EMS SQL injection (CVE-2026-21643), Ivanti EPMM code injection (CVE-2026-1340), Cisco Secure Firewall Management Center deserialization (CVE-2026-20131), Broadcom VMware Aria Operations command injection (CVE-2026-22719), and Soliton FileZen command injection (CVE-2026-25108). The CVSS, KEV status, and vendor advisories were retained from the verified import; curation adds detection and response guidance.
+
 ## 0.15.2 — 2026-05-29
 
 Every curated catalog entry now carries detection IOCs. The 51 operator-curated CVE/MAL entries that previously lacked an `iocs` block — spanning the actively-exploited perimeter and supply-chain entries (runc, xz-utils, SolarWinds, Citrix, ConnectWise, Cisco SD-WAN, FortiOS), the AI-ecosystem cluster (MLflow, vLLM, Ollama, LangChain, the MCP SDK, Big Sleep AI-discovered bugs), the malicious-package supply-chain worms (Shai-Hulud, ultralytics, the RubyGems/PyPI stealers), and the Pwn2Own appliance chains — now ship behavioral detection indicators derived from each entry's documented vulnerability mechanics, with the indicator provenance recorded per entry. Detection coverage for the curated catalog is now complete.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T11:48:11.885Z",
+  "generated_at": "2026-05-29T15:42:14.664Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "76306d3fd8fd5ce3ec74389a4aeb7d864698cdaddacb1e3fa62a1a85d85df7b1",
+    "manifest.json": "e8e97bbe842dcab1f5fcde056ec1afc32a3c2ce6b9ddd7ee29a0fee8c606b9b1",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "57b8a1b4e1c3f524a76b4bded09b3082b36b783db3df116f863892072e0f65e9",
-    "data/cve-catalog.json": "5b7b9a5d5e51174970ca44e64515d7de4479caece49dd4ac462411649837854a",
+    "data/attack-techniques.json": "a55232127999ce6aed914016e7a8eab5104cb1142fe2196c9e6d4daf975a41c0",
+    "data/cve-catalog.json": "3dcdbf16b8c33352526399070142a65a077d1d8d39ce8283bda1d7fb5aa39852",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "e8202ffa99ed7c7d40b89ee5eedbea33839048cbff482e09329292e6700a5157",
+    "data/zeroday-lessons.json": "3ae4273d8d79b787bc5053da3de1aedab043ef97e1098e39be19975114f12ff9",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -322,13 +322,17 @@
       "CVE-2025-68668",
       "CVE-2025-8747",
       "CVE-2026-0766",
+      "CVE-2026-1340",
+      "CVE-2026-1731",
       "CVE-2026-21858",
       "CVE-2026-21877",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-22719",
       "CVE-2026-22778",
       "CVE-2026-24213",
       "CVE-2026-24214",
+      "CVE-2026-25108",
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-26190",
@@ -345,6 +349,7 @@
       "CVE-2026-32202",
       "CVE-2026-33017",
       "CVE-2026-34159",
+      "CVE-2026-34197",
       "CVE-2026-39884",
       "CVE-2026-39987",
       "CVE-2026-40933",

package/data/cve-catalog.json

@@ -8978,7 +8978,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -9000,7 +9001,7 @@
       "CWE-20",
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt",
@@ -9029,11 +9030,21 @@
         "published_date": "2026-04-16"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-16; due date 2026-04-30. Notes reference: https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt ; https://nvd.nist.gov/vuln/detail/CVE-2026-34197",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection.",
+    "iocs": {
+      "behavioral": [
+        "Apache ActiveMQ reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the broker consistent with improper input validation leading to code execution (CWE-20/CWE-94) reachable by an unauthenticated network attacker against the message broker.",
+        "Unexpected command/code execution, child-process spawning, or web shells on the broker with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-34197, CISA KEV (added 2026-04-16), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2009-0238": {
     "name": "Microsoft Office Remote Code Execution",
@@ -9767,7 +9778,7 @@
     "cwe_refs": [
       "CWE-89"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-25-1142",
@@ -9796,11 +9807,21 @@
         "published_date": "2026-04-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-16. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21643",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet FortiClient EMS reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the EMS management server consistent with SQL injection (CWE-89) on the FortiClient EMS management surface escalating to remote code execution.",
+        "Unexpected command/code execution, child-process spawning, or web shells on the EMS management server with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21643, CISA KEV (added 2026-04-13), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-34621": {
     "name": "Adobe Acrobat and Reader Prototype Pollution Vulnerability",
@@ -9938,7 +9959,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -9959,7 +9981,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US",
@@ -9990,11 +10012,21 @@
         "published_date": "2026-04-08"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-08; due date 2026-04-11. Notes reference: Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.",
+    "iocs": {
+      "behavioral": [
+        "Ivanti Endpoint Manager Mobile (EPMM) reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the EPMM server consistent with code injection (CWE-94) yielding unauthenticated remote code execution on the EPMM management surface.",
+        "Unexpected command/code execution, child-process spawning, or web shells on the EPMM server with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-1340, CISA KEV (added 2026-04-08), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-35616": {
     "name": "Fortinet FortiClient EMS Improper Access Control Vulnerability",
@@ -20957,7 +20989,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh",
@@ -20986,11 +21018,21 @@
         "published_date": "2026-03-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-19; due date 2026-03-22. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh ; https://nvd.nist.gov/vuln/detail/CVE-2026-20131",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Secure Firewall Management Center (FMC) reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the FMC management plane consistent with deserialization of untrusted data (CWE-502) yielding unauthenticated remote code execution on the firewall management plane.",
+        "Unexpected command/code execution, child-process spawning, or web shells on the FMC management plane with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20131, CISA KEV (added 2026-03-19), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-66376": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability",
@@ -21148,7 +21190,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963",
@@ -21177,11 +21219,21 @@
         "published_date": "2026-03-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-18; due date 2026-03-21. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963 ; https://nvd.nist.gov/vuln/detail/CVE-2026-20963",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft SharePoint reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the SharePoint server consistent with deserialization of untrusted data (CWE-502) yielding unauthenticated remote code execution on the SharePoint web surface.",
+        "Unexpected command/code execution, child-process spawning, or web shells on the SharePoint server with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20963, CISA KEV (added 2026-03-18), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-47813": {
     "name": "Wing FTP Server Information Disclosure Vulnerability",
@@ -22379,7 +22431,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22400,7 +22453,7 @@
     "cwe_refs": [
       "CWE-77"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947",
@@ -22430,11 +22483,21 @@
         "published_date": "2026-03-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-03; due date 2026-03-24. Notes reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 ; https://knowledge.broadcom.com/external/article/430349 ; https://nvd.nist.gov/vuln/det",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support‑assisted product migration."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Broadcom VMware Aria Operations formerly known as vRealize Operations (vROps) contains a command injection vulnerability that allows an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support‑assisted product migration.",
+    "iocs": {
+      "behavioral": [
+        "Broadcom VMware Aria Operations reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the Aria Operations consistent with command injection (CWE-77) giving command execution on the Aria Operations management surface.",
+        "Unexpected command/code execution, child-process spawning, or web shells on the Aria Operations with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-22719, CISA KEV (added 2026-03-03), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21385": {
     "name": "Qualcomm Multiple Chipsets Memory Corruption Vulnerability",
@@ -22767,7 +22830,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22788,7 +22852,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://jvn.jp/en/jp/JVN84622767/",
@@ -22817,11 +22881,21 @@
         "published_date": "2026-02-24"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-24; due date 2026-03-17. Notes reference: https://jvn.jp/en/jp/JVN84622767/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-25108",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Soliton Systems K.K FileZen contains an OS command injection vulnerability when an user logs-in to the affected product and sends a specially crafted HTTP request."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Soliton Systems K.K FileZen contains an OS command injection vulnerability when an user logs-in to the affected product and sends a specially crafted HTTP request.",
+    "iocs": {
+      "behavioral": [
+        "Soliton FileZen reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the FileZen file-transfer appliance consistent with OS command injection (CWE-78) giving an unauthenticated attacker command execution on the managed-file-transfer appliance.",
+        "Unexpected command/code execution, child-process spawning, or web shells on the FileZen file-transfer appliance with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-25108, CISA KEV (added 2026-02-24), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-49113": {
     "name": "RoundCube Webmail Deserialization of Untrusted Data Vulnerability",
@@ -23635,7 +23709,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -23656,7 +23731,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.beyondtrust.com/trust-center/security-advisories/bt26-02",
@@ -23685,11 +23760,21 @@
         "published_date": "2026-02-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-13; due date 2026-02-16. Notes reference: Please adhere to the vendor's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible BeyondTrust products affected by this vulnerability. ",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user. Successful exploitation requires no authentication or user interaction and may lead to system compromise, including unauthorized access, data exfiltration, and service disruption.",
+    "iocs": {
+      "behavioral": [
+        "BeyondTrust Remote Support (RS) / Privileged Remote Access (PRA) reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the remote-support appliance consistent with OS command injection (CWE-78) giving an unauthenticated attacker command execution on the remote-support/PRA appliance.",
+        "Unexpected command/code execution, child-process spawning, or web shells on the remote-support appliance with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-1731, CISA KEV (added 2026-02-13), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20700": {
     "name": "Apple Multiple Buffer Overflow Vulnerability",