@blamejs/exceptd-skills 0.15.20 → 0.15.22

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.22 — 2026-05-29
+
+Draft-curation pass 20 — Windows kernel/driver LPE. Five CISA KEV-listed Windows local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: an Ancillary Function Driver for WinSock use-after-free (CVE-2025-32709), a Common Log File System driver heap overflow (CVE-2025-32706), a kernel use-after-free (CVE-2025-62221), an improper-privilege-management flaw (CVE-2026-21533), and an improper-access-control elevation in a privileged service (CVE-2025-59230). All map T1068 (Exploitation for Privilege Escalation). The lessons frame these as the escalation half of the ransomware chain (initial access → unpatched LPE → SYSTEM within hours) and name hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist as load-bearing endpoint controls beyond the patch.
+
+## 0.15.21 — 2026-05-29
+
+Draft-curation pass 19 — legacy browser/reader client-side RCEs. Six CISA KEV-listed client-side memory-corruption CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Adobe Acrobat/Reader (CVE-2020-9715 use-after-free, CVE-2009-3459 heap overflow), Internet Explorer (CVE-2010-0249 the Operation Aurora zero-day, CVE-2010-0806 iepeers, CVE-2013-3893 the SetMouseCapture watering-hole flaw), and Mozilla Firefox (CVE-2010-3765). All map T1203 (Exploitation for Client Execution). The lessons frame these as long-tail KEV re-listings — the fixes shipped years ago, but unpatched and end-of-life estates (notably the unsupported Internet Explorer) remain exposed; retiring end-of-life browsers and application hardening (Protected Mode/View, ASR rules) are the load-bearing controls.
+
 ## 0.15.20 — 2026-05-29
 
 Draft-curation pass 18 — internet-facing network devices. Eight CISA KEV-listed unauthenticated CVEs on SOHO routers, a telephony appliance, and a firewall are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: TP-Link routers (CVE-2023-50224 authentication bypass, CVE-2025-9377 and CVE-2023-33538 command injection), DrayTek Vigor command injection (CVE-2024-12987), Sangoma FreePBX (CVE-2025-64328 command injection, CVE-2025-57819 authentication bypass + SQL injection), and WatchGuard Firebox out-of-bounds-write RCE (CVE-2025-14733, CVE-2025-9242). All map T1190, with per-class T1059 (command injection) or T1078 (auth bypass). The lessons account for the realities of edge devices: end-of-life firmware that can only be replaced, recruitment into botnets and operational-relay networks, telephony toll fraud on the PBX, and the requirement to re-flash/rebuild and rotate secrets rather than patch in place.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T22:55:20.691Z",
+  "generated_at": "2026-05-29T23:44:49.444Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "7640dcd9f6dc38db1d06746d3c36ef7e0a6b0a45efcd4f9b142fede7f3f2ba2e",
+    "manifest.json": "e5726822ecbdc05881e4d1145cdce3bfbf2e13d872acfbfbef6601ac5fc9084b",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "490dfaf830d6a0f56e63389ef8815ea92aed95a35daf043862ffe56c13577ae5",
-    "data/cve-catalog.json": "b338560dddd999310946c1ee58bf8eb69ef732bd01238f104091745a0a682a95",
+    "data/attack-techniques.json": "bfa065774b88d45c3fca7b69ecd267b0bd36a117a7c2da8178ce0783679d41c9",
+    "data/cve-catalog.json": "44bbe46dd3cbcf8fe836ee3ffb59850a1e63a31afb98ae3557978658cf67c247",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "69c8ac314be428c81c53834d180414f34d3c838c7d09349d1a546742ec305c2f",
+    "data/zeroday-lessons.json": "c9a28986c40ca19b8a54444a6c680c96a4dbdce17119a0e50dd8937035dff07a",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/_indexes/activity-feed.json

@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 422
+      "entry_count": 425
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 422,
+      "entry_count": 425,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/attack-techniques.json

@@ -509,19 +509,24 @@
       "CVE-2025-27038",
       "CVE-2025-31277",
       "CVE-2025-32701",
+      "CVE-2025-32706",
+      "CVE-2025-32709",
       "CVE-2025-38352",
       "CVE-2025-40602",
       "CVE-2025-43300",
       "CVE-2025-48543",
       "CVE-2025-48572",
+      "CVE-2025-59230",
       "CVE-2025-60710",
       "CVE-2025-62215",
+      "CVE-2025-62221",
       "CVE-2025-62849",
       "CVE-2025-6558",
       "CVE-2026-0300",
       "CVE-2026-20122",
       "CVE-2026-20805",
       "CVE-2026-21385",
+      "CVE-2026-21533",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-33825",
@@ -924,9 +929,7 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2008-0015",
-      "CVE-2010-3765",
       "CVE-2012-1854",
-      "CVE-2013-3893",
       "CVE-2014-6278",
       "CVE-2016-10033",
       "CVE-2016-7836",
@@ -1033,7 +1036,6 @@
       "CVE-2025-32444",
       "CVE-2025-32463",
       "CVE-2025-3248",
-      "CVE-2025-32706",
       "CVE-2025-32756",
       "CVE-2025-33053",
       "CVE-2025-33073",
@@ -1081,7 +1083,6 @@
       "CVE-2025-57819",
       "CVE-2025-58034",
       "CVE-2025-58360",
-      "CVE-2025-59230",
       "CVE-2025-59287",
       "CVE-2025-59374",
       "CVE-2025-59389",
@@ -1091,7 +1092,6 @@
       "CVE-2025-61932",
       "CVE-2025-6204",
       "CVE-2025-6205",
-      "CVE-2025-62221",
       "CVE-2025-62847",
       "CVE-2025-62848",
       "CVE-2025-64328",
@@ -1132,7 +1132,6 @@
       "CVE-2026-21514",
       "CVE-2026-21519",
       "CVE-2026-21525",
-      "CVE-2026-21533",
       "CVE-2026-21643",
       "CVE-2026-21858",
       "CVE-2026-21877",
@@ -1328,8 +1327,10 @@
       "CVE-2009-3459",
       "CVE-2010-0249",
       "CVE-2010-0806",
+      "CVE-2010-3765",
       "CVE-2010-3962",
       "CVE-2011-3402",
+      "CVE-2013-3893",
       "CVE-2013-3918",
       "CVE-2014-3931",
       "CVE-2020-9715",
@@ -1342,7 +1343,6 @@
       "CVE-2025-14174",
       "CVE-2025-24201",
       "CVE-2025-31277",
-      "CVE-2025-32709",
       "CVE-2025-43200",
       "CVE-2025-43300",
       "CVE-2025-43510",

package/data/cve-catalog.json

@@ -9823,7 +9823,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://helpx.adobe.com/security/products/acrobat/apsb20-48.html",
@@ -9852,11 +9852,21 @@
         "published_date": "2026-04-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://helpx.adobe.com/security/products/acrobat/apsb20-48.html ; https://nvd.nist.gov/vuln/detail/CVE-2020-9715",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adobe Acrobat contains a use-after-free vulnerability that allows for code execution"
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adobe Acrobat contains a use-after-free vulnerability that allows for code execution",
+    "iocs": {
+      "behavioral": [
+        "Adobe Acrobat and Reader at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled PDFs.",
+        "Process crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in Adobe Acrobat and Reader on an affected endpoint.",
+        "Inbound delivery of weaponized PDF documents followed by unexpected child-process execution from the Acrobat/Reader process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2020-9715, CISA KEV (added 2026-04-13), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21643": {
     "name": "Fortinet FortiClient EMS SQL Injection Vulnerability",
@@ -20428,7 +20438,7 @@
     "cwe_refs": [
       "CWE-122"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2009-3459"
@@ -20442,11 +20452,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Adobe Acrobat and Reader heap-based buffer overflow allowing remote code execution via a crafted PDF."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adobe Acrobat and Reader heap-based buffer overflow allowing remote code execution via a crafted PDF.",
+    "iocs": {
+      "behavioral": [
+        "Adobe Acrobat and Reader at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled PDFs.",
+        "Process crashes or memory-corruption signatures consistent with heap-based buffer overflow (CWE-122) in Adobe Acrobat and Reader on an affected endpoint.",
+        "Inbound delivery of weaponized PDF documents followed by unexpected child-process execution from the Acrobat/Reader process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2009-3459, CISA KEV (added 2026-05-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2010-0249": {
     "name": "Microsoft Internet Explorer Use-After-Free (Operation Aurora)",
@@ -20509,7 +20529,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2010-0249"
@@ -20523,11 +20543,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE (Operation Aurora) re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Microsoft Internet Explorer use-after-free allowing remote code execution via a crafted web page (Operation Aurora)."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Internet Explorer use-after-free allowing remote code execution via a crafted web page (Operation Aurora).",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Internet Explorer at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in Internet Explorer (the 'Operation Aurora' zero-day) on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Internet Explorer process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2010-0249, CISA KEV (added 2026-05-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2010-0806": {
     "name": "Microsoft Internet Explorer Use-After-Free (iepeers)",
@@ -20590,7 +20620,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2010-0806"
@@ -20604,11 +20634,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Microsoft Internet Explorer iepeers.dll use-after-free allowing remote code execution via a crafted web page."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Internet Explorer iepeers.dll use-after-free allowing remote code execution via a crafted web page.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Internet Explorer at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in the Internet Explorer iepeers component on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Internet Explorer process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2010-0806, CISA KEV (added 2026-05-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32432": {
     "name": "Craft CMS Code Injection Vulnerability",
@@ -24900,7 +24940,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24921,7 +24961,7 @@
     "cwe_refs": [
       "CWE-269"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533",
@@ -24950,11 +24990,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21533",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with improper-privilege-management flaw (CWE-269) in Windows on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation) with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21533, CISA KEV (added 2026-02-10), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21519": {
     "name": "Microsoft Windows Type Confusion Vulnerability",
@@ -28536,7 +28586,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -28557,7 +28607,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62221",
@@ -28586,11 +28636,21 @@
         "published_date": "2025-12-09"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-09; due date 2025-12-30. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62221 ; https://nvd.nist.gov/vuln/detail/CVE-2025-62221",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with use-after-free (CWE-416) in a Windows kernel-mode component on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation) with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-62221, CISA KEV (added 2025-12-09), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2022-37055": {
     "name": "D-Link Routers Buffer Overflow Vulnerability",
@@ -31865,7 +31925,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -31886,7 +31946,7 @@
     "cwe_refs": [
       "CWE-284"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-59230",
@@ -31915,11 +31975,21 @@
         "published_date": "2025-10-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-14; due date 2025-11-04. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-59230 ; https://nvd.nist.gov/vuln/detail/CVE-2025-59230",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with improper-access-control flaw (CWE-284) in a Windows privileged service on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation) with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-59230, CISA KEV (added 2025-10-14), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2016-7836": {
     "name": "SKYSEA Client View Improper Authentication Vulnerability",
@@ -32789,7 +32859,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32810,7 +32880,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.mozilla.org/en-US/security/advisories/mfsa2010-73",
@@ -32839,11 +32909,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://www.mozilla.org/en-US/security/advisories/mfsa2010-73 ; https://nvd.nist.gov/vuln/detail/CVE-2010-3765",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.",
+    "iocs": {
+      "behavioral": [
+        "Mozilla Firefox and related products at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with memory-corruption code-execution flaw (CWE-94) in Mozilla Firefox and related products on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Firefox process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2010-3765, CISA KEV (added 2025-10-06), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-61882": {
     "name": "Oracle E-Business Suite Unspecified Vulnerability",
@@ -35904,7 +35984,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35925,7 +36005,7 @@
     "cwe_refs": [
       "CWE-399"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080",
@@ -35954,11 +36034,21 @@
         "published_date": "2025-08-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-12; due date 2025-09-02. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080 ; https://nvd.nist.gov/vuln/detail/CVE-2013-3893",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Internet Explorer at a build below the fixed version named in the vendor advisory on an endpoint exposed to attacker-controlled web content.",
+        "Process crashes or memory-corruption signatures consistent with resource-management memory-corruption use-after-free (CWE-399) in Internet Explorer (the SetMouseCapture flaw used in watering-hole attacks) on an affected endpoint.",
+        "Inbound delivery of weaponized web content followed by unexpected child-process execution from the Internet Explorer process (KEV-confirmed in-the-wild exploitation; legacy re-listing means long-tail unpatched/end-of-life estates remain exposed)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2013-3893, CISA KEV (added 2025-08-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2020-25078": {
     "name": "D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability",
@@ -41409,7 +41499,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41430,7 +41520,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32709",
@@ -41459,11 +41549,21 @@
         "published_date": "2025-05-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-13; due date 2025-06-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32709 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32709",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with use-after-free (CWE-416) in the Windows Ancillary Function Driver for WinSock (afd.sys) on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation) with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-32709, CISA KEV (added 2025-05-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-30397": {
     "name": "Microsoft Windows Scripting Engine Type Confusion Vulnerability",
@@ -41601,7 +41701,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41622,7 +41722,7 @@
     "cwe_refs": [
       "CWE-122"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32706",
@@ -41651,11 +41751,21 @@
         "published_date": "2025-05-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-13; due date 2025-06-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32706 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32706",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Common Log File System (CLFS) Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Common Log File System (CLFS) Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with heap-based buffer overflow (CWE-122) in the Windows Common Log File System (CLFS) driver — a recurring kernel-LPE target — exploited by a local foothold to escalate to SYSTEM on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation) with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-32706, CISA KEV (added 2025-05-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32701": {
     "name": "Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability",