@blamejs/exceptd-skills 0.15.21 → 0.15.23

package/data/cve-catalog.json

@@ -9388,7 +9388,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1574.001"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -9409,7 +9409,7 @@
     "cwe_refs": [
       "CWE-426"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-046",
@@ -9438,11 +9438,21 @@
         "published_date": "2026-04-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-046 ; https://nvd.nist.gov/vuln/detail/CVE-2012-1854",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "The Office VBA loading a DLL from an unexpected or attacker-writable path (insecure library load / search-order hijack), e.g. a DLL co-located with an opened document.",
+        "Inbound delivery of weaponized content followed by an unexpected DLL loaded by the Office/VBA process from a document directory (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2012-1854, CISA KEV (added 2026-04-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1574.001 DLL hijack) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-60710": {
     "name": "Microsoft Windows Link Following Vulnerability",
@@ -20357,7 +20367,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2009-1537"
@@ -20371,11 +20381,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Microsoft DirectShow QuickTime parsing memory corruption allowing remote code execution via a crafted media file."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft DirectShow QuickTime parsing memory corruption allowing remote code execution via a crafted media file.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with memory-corruption flaw (CWE-787) in the Windows DirectShow QuickTime parser on an affected endpoint, after the victim opens attacker-controlled content.",
+        "Inbound delivery of weaponized content followed by unexpected child-process execution from the opening application (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2009-1537, CISA KEV (added 2026-05-20), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203 execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2009-3459": {
     "name": "Adobe Acrobat and Reader Heap-Based Buffer Overflow",
@@ -24652,7 +24672,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1211",
+      "T1553.005"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24673,7 +24694,7 @@
     "cwe_refs": [
       "CWE-693"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/advisory/CVE-2026-21513",
@@ -24702,11 +24723,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/advisory/CVE-2026-21513 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21513",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft MSHTML Framework contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft MSHTML Framework contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft MSHTML at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Downloaded files opening via the MSHTML framework without the expected Mark-of-the-Web / SmartScreen warning, and execution of content that should have been blocked or flagged as from-the-internet.",
+        "Inbound delivery of weaponized content followed by follow-on payload execution with no Mark-of-the-Web provenance (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21513, CISA KEV (added 2026-02-10), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1211 defense-evasion + T1553.005 MoTW bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21525": {
     "name": "Microsoft Windows NULL Pointer Dereference Vulnerability",
@@ -24844,7 +24875,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1211",
+      "T1553.005"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24865,7 +24897,7 @@
     "cwe_refs": [
       "CWE-693"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510",
@@ -24894,11 +24926,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21510 ",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. ",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Downloaded files opening via the Windows Shell without the expected Mark-of-the-Web / SmartScreen warning, and execution of content that should have been blocked or flagged as from-the-internet.",
+        "Inbound delivery of weaponized content followed by follow-on payload execution with no Mark-of-the-Web provenance (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21510, CISA KEV (added 2026-02-10), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1211 defense-evasion + T1553.005 MoTW bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21533": {
     "name": "Microsoft Windows Improper Privilege Management Vulnerability",
@@ -24940,7 +24982,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24961,7 +25003,7 @@
     "cwe_refs": [
       "CWE-269"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533",
@@ -24990,11 +25032,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21533",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with improper-privilege-management flaw (CWE-269) in Windows on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation) with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21533, CISA KEV (added 2026-02-10), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21519": {
     "name": "Microsoft Windows Type Confusion Vulnerability",
@@ -25036,7 +25088,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25057,7 +25109,7 @@
     "cwe_refs": [
       "CWE-843"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519",
@@ -25086,11 +25138,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21519",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with type confusion (CWE-843) in a Windows client component on an affected endpoint, after the victim opens attacker-controlled content.",
+        "Inbound delivery of weaponized content followed by unexpected child-process execution from the opening application (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21519, CISA KEV (added 2026-02-10), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203 execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21514": {
     "name": "Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability",
@@ -25132,7 +25194,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1211"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25153,7 +25215,7 @@
     "cwe_refs": [
       "CWE-807"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514",
@@ -25182,11 +25244,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21514",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Documents opening in the Office Word without the expected Protected View / security prompt, allowing active content from an untrusted source to run.",
+        "Inbound delivery of weaponized content followed by macro/active-content execution that Protected View should have suppressed (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21514, CISA KEV (added 2026-02-10), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1211 defense-evasion) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-11953": {
     "name": "React Native Community CLI OS Command Injection Vulnerability",
@@ -26471,7 +26543,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1211"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -26492,7 +26564,7 @@
     "cwe_refs": [
       "CWE-807"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509",
@@ -26521,11 +26593,21 @@
         "published_date": "2026-01-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: Please adhere to Microsoft’s recommended guidelines to address this vulnerability. Implement all final mitigations provided by the vendor for Office 2021, and apply the interim corresponding mitigatio",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. Some of the impacted product(s) could be end-of-life (EoL) and/or end-of-service (EoS). Users are advised to discontinue use and/or transition to a supported version."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. Some of the impacted product(s) could be end-of-life (EoL) and/or end-of-service (EoS). Users are advised to discontinue use and/or transition to a supported version.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Documents opening in the Office without the expected Protected View / security prompt, allowing active content from an untrusted source to run.",
+        "Inbound delivery of weaponized content followed by macro/active-content execution that Protected View should have suppressed (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21509, CISA KEV (added 2026-01-26), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1211 defense-evasion) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-37079": {
     "name": "Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability",
@@ -28576,7 +28658,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -28597,7 +28679,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62221",
@@ -28626,11 +28708,21 @@
         "published_date": "2025-12-09"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-09; due date 2025-12-30. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62221 ; https://nvd.nist.gov/vuln/detail/CVE-2025-62221",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with use-after-free (CWE-416) in a Windows kernel-mode component on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation) with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-62221, CISA KEV (added 2025-12-09), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2022-37055": {
     "name": "D-Link Routers Buffer Overflow Vulnerability",
@@ -31905,7 +31997,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -31926,7 +32018,7 @@
     "cwe_refs": [
       "CWE-284"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-59230",
@@ -31955,11 +32047,21 @@
         "published_date": "2025-10-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-14; due date 2025-11-04. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-59230 ; https://nvd.nist.gov/vuln/detail/CVE-2025-59230",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with improper-access-control flaw (CWE-284) in a Windows privileged service on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation) with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-59230, CISA KEV (added 2025-10-14), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2016-7836": {
     "name": "SKYSEA Client View Improper Authentication Vulnerability",
@@ -41469,7 +41571,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41490,7 +41592,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32709",
@@ -41519,11 +41621,21 @@
         "published_date": "2025-05-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-13; due date 2025-06-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32709 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32709",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with use-after-free (CWE-416) in the Windows Ancillary Function Driver for WinSock (afd.sys) on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation) with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-32709, CISA KEV (added 2025-05-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-30397": {
     "name": "Microsoft Windows Scripting Engine Type Confusion Vulnerability",
@@ -41565,7 +41677,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41586,7 +41698,7 @@
     "cwe_refs": [
       "CWE-843"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30397",
@@ -41615,11 +41727,21 @@
         "published_date": "2025-05-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-13; due date 2025-06-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30397 ; https://nvd.nist.gov/vuln/detail/CVE-2025-30397",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with type confusion (CWE-843) in the Windows Scripting Engine on an affected endpoint, after the victim opens attacker-controlled content.",
+        "Inbound delivery of weaponized content followed by unexpected child-process execution from the opening application (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-30397, CISA KEV (added 2025-05-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203 execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32706": {
     "name": "Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability",
@@ -41661,7 +41783,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41682,7 +41804,7 @@
     "cwe_refs": [
       "CWE-122"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32706",
@@ -41711,11 +41833,21 @@
         "published_date": "2025-05-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-13; due date 2025-06-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-32706 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32706",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Common Log File System (CLFS) Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Common Log File System (CLFS) Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint with any local foothold (commodity malware, RDP-exposed account, post-phish payload).",
+        "Process or driver crashes consistent with heap-based buffer overflow (CWE-122) in the Windows Common Log File System (CLFS) driver — a recurring kernel-LPE target — exploited by a local foothold to escalate to SYSTEM on an affected endpoint, often shortly after an unprivileged child-process spawn.",
+        "An unprivileged process gaining SYSTEM via the affected component (e.g. a token swap or impersonation) with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation; ransomware kits pair an initial-access flaw with this LPE within hours of foothold)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-32706, CISA KEV (added 2025-05-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32701": {
     "name": "Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability",