npm - @blamejs/exceptd-skills - Versions diffs - 0.15.20 → 0.15.22 - Mend

@blamejs/exceptd-skills 0.15.20 → 0.15.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/_indexes/activity-feed.json +1 -1
package/data/_indexes/catalog-summaries.json +1 -1
package/data/attack-techniques.json +7 -7
package/data/cve-catalog.json +172 -62
package/data/zeroday-lessons.json +454 -105
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/data/zeroday-lessons.json CHANGED Viewed

@@ -17,7 +17,7 @@
       "rebuild_after_days": 365,
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     },
-    "entry_count": 422
+    "entry_count": 425
   },
   "CVE-2026-31431": {
     "name": "Copy Fail",
@@ -7860,35 +7860,58 @@
   },
   "CVE-2020-9715": {
     "name": "Adobe Acrobat Use-After-Free Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Adobe Acrobat contains a use-after-free vulnerability that allows for code execution",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a use-after-free (CWE-416) in Adobe Acrobat and Reader, exploitable by an attacker-controlled PDF for code execution in the reader process. CISA KEV-listed 2026-04-13 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Adobe Acrobat and Reader; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Acrobat/Reader after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Adobe Acrobat and Reader is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-21643": {
     "name": "Fortinet FortiClient EMS SQL Injection Vulnerability",
@@ -12903,35 +12926,58 @@
   },
   "CVE-2026-21533": {
     "name": "Microsoft Windows Improper Privilege Management Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-privilege-management flaw (CWE-269) in Windows, exploited by a local foothold to escalate privileges. CISA KEV-listed 2026-02-10 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-21519": {
     "name": "Microsoft Windows Type Confusion Vulnerability",
@@ -14460,35 +14506,58 @@
   },
   "CVE-2025-62221": {
     "name": "Microsoft Windows Use After Free Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a use-after-free (CWE-416) in a Windows kernel-mode component, exploited by a local foothold to escalate privileges to SYSTEM. CISA KEV-listed 2025-12-09 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2022-37055": {
     "name": "D-Link Routers Buffer Overflow Vulnerability",
@@ -15916,35 +15985,58 @@
   },
   "CVE-2025-59230": {
     "name": "Microsoft Windows Improper Access Control Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-access-control flaw (CWE-284) in a Windows privileged service, exploited by a local foothold to escalate privileges to SYSTEM. CISA KEV-listed 2025-10-14 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2016-7836": {
     "name": "SKYSEA Client View Improper Authentication Vulnerability",
@@ -16347,35 +16439,58 @@
   },
   "CVE-2010-3765": {
     "name": "Mozilla Multiple Products Remote Code Execution Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a memory-corruption code-execution flaw (CWE-94) in Mozilla Firefox and related products, exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Mozilla Firefox and related products; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Firefox after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Mozilla Firefox and related products is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-61882": {
     "name": "Oracle E-Business Suite Unspecified Vulnerability",
@@ -17642,35 +17757,58 @@
   },
   "CVE-2013-3893": {
     "name": "Microsoft Internet Explorer Resource Management Errors Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a resource-management memory-corruption use-after-free (CWE-399) in Internet Explorer (the SetMouseCapture flaw used in watering-hole attacks), exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2025-08-12 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Microsoft Internet Explorer; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Internet Explorer after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Microsoft Internet Explorer is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2020-25078": {
     "name": "D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability",
@@ -20142,35 +20280,58 @@
   },
   "CVE-2025-32709": {
     "name": "Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a use-after-free (CWE-416) in the Windows Ancillary Function Driver for WinSock (afd.sys), exploited by a local foothold to escalate privileges to SYSTEM. CISA KEV-listed 2025-05-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-30397": {
     "name": "Microsoft Windows Scripting Engine Type Confusion Vulnerability",
@@ -20206,35 +20367,58 @@
   },
   "CVE-2025-32706": {
     "name": "Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Common Log File System (CLFS) Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a heap-based buffer overflow (CWE-122) in the Windows Common Log File System (CLFS) driver — a recurring kernel-LPE target — exploited by a local foothold to escalate to SYSTEM. CISA KEV-listed 2025-05-13 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access flaw by ransomware operators.",
+      "privileges_required": "low (any local foothold — an unprivileged process, RDP session, or commodity malware on the endpoint)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft security update; enforce hypervisor-protected code integrity (HVCI) / Virtualization-Based Security (VBS), and enable the Microsoft Vulnerable Driver Blocklist to shrink kernel-LPE attack surface on the long tail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → SYSTEM) which a patched endpoint shuts down. HVCI/Blocklist backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for the LPE primitive (token swap, process-impersonation, kernel-driver crashes) and for unprivileged-to-SYSTEM transitions without an admin trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched; LPE is typically silent without EDR coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate; for a confirmed exploitation, treat the host as compromised (ransomware kits typically follow within hours), isolate, preserve forensic state, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; SYSTEM-level exploitation makes the host an unreliable platform for further work and requires rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed Windows kernel/driver LPE; ransomware operators pair these with an initial-access flaw and elevate to SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE that is part of every modern ransomware kit."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a Windows LPE, but the load-bearing endpoint controls are hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist — neither of which the framework demands explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 70,
+      "basis": "Windows endpoints are universal; audited organizations gate kernel patches behind change windows or rely on cumulative monthly updates that leave the LPE chain open for ~30 days at a stretch. HVCI/VBS and the Vulnerable Driver Blocklist remain off-by-default in many estates.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-32701": {
     "name": "Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability",
@@ -21491,5 +21675,170 @@
     "ai_discovered_zeroday": false,
     "ai_discovery_source": "vendor_research",
     "ai_assist_factor": "none"
+  },
+  "CVE-2009-3459": {
+    "name": "Adobe Acrobat and Reader Heap-Based Buffer Overflow",
+    "lesson_date": "2026-05-29",
+    "attack_vector": {
+      "description": "a heap-based buffer overflow (CWE-122) in Adobe Acrobat and Reader, exploitable by an attacker-controlled PDF for code execution in the reader process. CISA KEV-listed 2026-05-20 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Adobe Acrobat and Reader; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Acrobat/Reader after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Adobe Acrobat and Reader is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2010-0249": {
+    "name": "Microsoft Internet Explorer Use-After-Free (Operation Aurora)",
+    "lesson_date": "2026-05-29",
+    "attack_vector": {
+      "description": "a use-after-free (CWE-416) in Internet Explorer (the 'Operation Aurora' zero-day), exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2026-05-20 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Microsoft Internet Explorer; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Internet Explorer after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Microsoft Internet Explorer is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
+  },
+  "CVE-2010-0806": {
+    "name": "Microsoft Internet Explorer Use-After-Free (iepeers)",
+    "lesson_date": "2026-05-29",
+    "attack_vector": {
+      "description": "a use-after-free (CWE-416) in the Internet Explorer iepeers component, exploitable by an attacker-controlled web page for code execution in the browser. CISA KEV-listed 2026-05-20 with confirmed in-the-wild exploitation; the legacy re-listing exists because long-tail unpatched/end-of-life estates remain exposed.",
+      "privileges_required": "none (the victim opens the attacker's document or visits the attacker's web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization (predates the AI-discovered-zeroday era)."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor security update for Microsoft Internet Explorer; enforce centralized patch management on the long tail; harden the client (Acrobat Protected Mode / Office Protected View, ASR rules) and retire end-of-life software such as Internet Explorer.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; legacy KEV re-listings exist because patch hygiene on the long tail (and continued use of end-of-life browsers) is the failure mode."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from Internet Explorer after attacker-content open, exploit telemetry, and inbound-content filtering (mail/web).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched on the long tail; necessary for unmanaged or end-of-life estates that cannot be patched promptly."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch across the estate (or retire the end-of-life client), isolate exploited endpoints, hunt for follow-on payloads (client-RCE chains drop loaders), and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser/reader RCE typically leads to credential harvest and lateral movement, which a bare patch does not remediate."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side browser/reader RCE; legacy KEV re-listings document organizations still running unpatched or end-of-life builds."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client RCE, and the legacy re-listing exists because organizations still run vulnerable browser/reader builds (Internet Explorer is end-of-life and unsupported)."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is closer to the reality for a client RCE than 30 days, but legacy KEV re-listings show long-tail unpatched estates persist; centralized update management, application hardening (Protected View, ASR rules), and retiring end-of-life software (Internet Explorer) are the load-bearing controls."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 52,
+      "basis": "Microsoft Internet Explorer is ubiquitous on endpoints; audited organizations that maintain long-tail legacy estates (end-of-life Internet Explorer, old Acrobat/Reader, unpatched browsers) are exposed even after newer estates are patched, which is why CISA re-lists these older KEV entries.",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   }
 }