@blamejs/exceptd-skills 0.15.22 → 0.15.23

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.23 — 2026-05-29
+
+Draft-curation pass 21 — Microsoft client-side document/web exploitation and protection bypass. Eight CISA KEV-listed CVEs that all begin with a victim opening attacker-controlled content are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. They are mapped by technique class: memory-corruption code execution (CVE-2025-30397 Scripting Engine type confusion, CVE-2026-21519 type confusion, CVE-2009-1537 DirectShow media parsing) maps T1203; Mark-of-the-Web / SmartScreen protection bypass (CVE-2026-21513 MSHTML, CVE-2026-21510 Windows Shell) maps T1211 with T1553.005; Office security-feature bypass (CVE-2026-21514 Word Protected View, CVE-2026-21509 Office) maps T1211; and VBA insecure library loading (CVE-2012-1854) maps T1574.001. The lessons stress that the protection-bypass flaws prove a single control (SmartScreen, Protected View, Mark-of-the-Web) cannot be the only barrier — layered defenses (ASR rules, application control, content filtering) are required.
+
 ## 0.15.22 — 2026-05-29
 
 Draft-curation pass 20 — Windows kernel/driver LPE. Five CISA KEV-listed Windows local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: an Ancillary Function Driver for WinSock use-after-free (CVE-2025-32709), a Common Log File System driver heap overflow (CVE-2025-32706), a kernel use-after-free (CVE-2025-62221), an improper-privilege-management flaw (CVE-2026-21533), and an improper-access-control elevation in a privileged service (CVE-2025-59230). All map T1068 (Exploitation for Privilege Escalation). The lessons frame these as the escalation half of the ransomware chain (initial access → unpatched LPE → SYSTEM within hours) and name hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist as load-bearing endpoint controls beyond the patch.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T23:44:49.444Z",
+  "generated_at": "2026-05-29T23:58:57.226Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "e5726822ecbdc05881e4d1145cdce3bfbf2e13d872acfbfbef6601ac5fc9084b",
+    "manifest.json": "a95058451e83c41c22dc01658efc17d675dc82d520408702a13b39e606c3208b",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "bfa065774b88d45c3fca7b69ecd267b0bd36a117a7c2da8178ce0783679d41c9",
-    "data/cve-catalog.json": "44bbe46dd3cbcf8fe836ee3ffb59850a1e63a31afb98ae3557978658cf67c247",
+    "data/attack-techniques.json": "1736dc39e90b994ef3f89ab4ef48f5bdce14fd2d7c068f3d915abf3cbf810687",
+    "data/cve-catalog.json": "f92a1da261e5eeb69148b71c0e572ca52f81c7f65db9fb257db8b427c191e25b",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "c9a28986c40ca19b8a54444a6c680c96a4dbdce17119a0e50dd8937035dff07a",
+    "data/zeroday-lessons.json": "24da511043e4cd3fd9a36f32b45d55abd97e2994608ed700533980338b3f8ce4",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/_indexes/activity-feed.json

@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 425
+      "entry_count": 426
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 425,
+      "entry_count": 426,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/attack-techniques.json

@@ -929,7 +929,6 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2008-0015",
-      "CVE-2012-1854",
       "CVE-2014-6278",
       "CVE-2016-10033",
       "CVE-2016-7836",
@@ -1027,7 +1026,6 @@
       "CVE-2025-29635",
       "CVE-2025-30165",
       "CVE-2025-30202",
-      "CVE-2025-30397",
       "CVE-2025-31125",
       "CVE-2025-31161",
       "CVE-2025-31324",
@@ -1126,11 +1124,6 @@
       "CVE-2026-20133",
       "CVE-2026-20182",
       "CVE-2026-20963",
-      "CVE-2026-21509",
-      "CVE-2026-21510",
-      "CVE-2026-21513",
-      "CVE-2026-21514",
-      "CVE-2026-21519",
       "CVE-2026-21525",
       "CVE-2026-21643",
       "CVE-2026-21858",
@@ -1342,6 +1335,7 @@
       "CVE-2025-13223",
       "CVE-2025-14174",
       "CVE-2025-24201",
+      "CVE-2025-30397",
       "CVE-2025-31277",
       "CVE-2025-43200",
       "CVE-2025-43300",
@@ -1353,6 +1347,7 @@
       "CVE-2025-6554",
       "CVE-2025-6558",
       "CVE-2026-20700",
+      "CVE-2026-21519",
       "CVE-2026-2441",
       "CVE-2026-25592",
       "CVE-2026-34621",
@@ -4610,7 +4605,13 @@
       "IaaS"
     ],
     "stix_id": "attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2026-21509",
+      "CVE-2026-21510",
+      "CVE-2026-21513",
+      "CVE-2026-21514"
+    ]
   },
   "T1216": {
     "id": "T1216",
@@ -13772,7 +13773,11 @@
     "stix_id": "attack-pattern--7e7c2fba-7cca-486c-9582-4c1bb2851961",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2026-21510",
+      "CVE-2026-21513"
+    ]
   },
   "T1553.006": {
     "id": "T1553.006",
@@ -15514,7 +15519,10 @@
     "stix_id": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2012-1854"
+    ]
   },
   "T1574.004": {
     "id": "T1574.004",

package/data/cve-catalog.json

@@ -9388,7 +9388,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1574.001"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -9409,7 +9409,7 @@
     "cwe_refs": [
       "CWE-426"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-046",
@@ -9438,11 +9438,21 @@
         "published_date": "2026-04-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-046 ; https://nvd.nist.gov/vuln/detail/CVE-2012-1854",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "The Office VBA loading a DLL from an unexpected or attacker-writable path (insecure library load / search-order hijack), e.g. a DLL co-located with an opened document.",
+        "Inbound delivery of weaponized content followed by an unexpected DLL loaded by the Office/VBA process from a document directory (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2012-1854, CISA KEV (added 2026-04-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1574.001 DLL hijack) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-60710": {
     "name": "Microsoft Windows Link Following Vulnerability",
@@ -20357,7 +20367,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2009-1537"
@@ -20371,11 +20381,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20. Draft pending enrichment.",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Microsoft DirectShow QuickTime parsing memory corruption allowing remote code execution via a crafted media file."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft DirectShow QuickTime parsing memory corruption allowing remote code execution via a crafted media file.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with memory-corruption flaw (CWE-787) in the Windows DirectShow QuickTime parser on an affected endpoint, after the victim opens attacker-controlled content.",
+        "Inbound delivery of weaponized content followed by unexpected child-process execution from the opening application (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2009-1537, CISA KEV (added 2026-05-20), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203 execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2009-3459": {
     "name": "Adobe Acrobat and Reader Heap-Based Buffer Overflow",
@@ -24652,7 +24672,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1211",
+      "T1553.005"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24673,7 +24694,7 @@
     "cwe_refs": [
       "CWE-693"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/advisory/CVE-2026-21513",
@@ -24702,11 +24723,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/advisory/CVE-2026-21513 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21513",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft MSHTML Framework contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft MSHTML Framework contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft MSHTML at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Downloaded files opening via the MSHTML framework without the expected Mark-of-the-Web / SmartScreen warning, and execution of content that should have been blocked or flagged as from-the-internet.",
+        "Inbound delivery of weaponized content followed by follow-on payload execution with no Mark-of-the-Web provenance (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21513, CISA KEV (added 2026-02-10), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1211 defense-evasion + T1553.005 MoTW bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21525": {
     "name": "Microsoft Windows NULL Pointer Dereference Vulnerability",
@@ -24844,7 +24875,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1211",
+      "T1553.005"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24865,7 +24897,7 @@
     "cwe_refs": [
       "CWE-693"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510",
@@ -24894,11 +24926,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21510 ",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. ",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Downloaded files opening via the Windows Shell without the expected Mark-of-the-Web / SmartScreen warning, and execution of content that should have been blocked or flagged as from-the-internet.",
+        "Inbound delivery of weaponized content followed by follow-on payload execution with no Mark-of-the-Web provenance (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21510, CISA KEV (added 2026-02-10), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1211 defense-evasion + T1553.005 MoTW bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21533": {
     "name": "Microsoft Windows Improper Privilege Management Vulnerability",
@@ -25046,7 +25088,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25067,7 +25109,7 @@
     "cwe_refs": [
       "CWE-843"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519",
@@ -25096,11 +25138,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21519",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with type confusion (CWE-843) in a Windows client component on an affected endpoint, after the victim opens attacker-controlled content.",
+        "Inbound delivery of weaponized content followed by unexpected child-process execution from the opening application (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21519, CISA KEV (added 2026-02-10), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203 execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21514": {
     "name": "Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability",
@@ -25142,7 +25194,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1211"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25163,7 +25215,7 @@
     "cwe_refs": [
       "CWE-807"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514",
@@ -25192,11 +25244,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21514",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Documents opening in the Office Word without the expected Protected View / security prompt, allowing active content from an untrusted source to run.",
+        "Inbound delivery of weaponized content followed by macro/active-content execution that Protected View should have suppressed (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21514, CISA KEV (added 2026-02-10), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1211 defense-evasion) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-11953": {
     "name": "React Native Community CLI OS Command Injection Vulnerability",
@@ -26481,7 +26543,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1211"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -26502,7 +26564,7 @@
     "cwe_refs": [
       "CWE-807"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509",
@@ -26531,11 +26593,21 @@
         "published_date": "2026-01-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: Please adhere to Microsoft’s recommended guidelines to address this vulnerability. Implement all final mitigations provided by the vendor for Office 2021, and apply the interim corresponding mitigatio",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. Some of the impacted product(s) could be end-of-life (EoL) and/or end-of-service (EoS). Users are advised to discontinue use and/or transition to a supported version."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. Some of the impacted product(s) could be end-of-life (EoL) and/or end-of-service (EoS). Users are advised to discontinue use and/or transition to a supported version.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Office at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Documents opening in the Office without the expected Protected View / security prompt, allowing active content from an untrusted source to run.",
+        "Inbound delivery of weaponized content followed by macro/active-content execution that Protected View should have suppressed (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21509, CISA KEV (added 2026-01-26), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1211 defense-evasion) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-37079": {
     "name": "Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability",
@@ -41605,7 +41677,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41626,7 +41698,7 @@
     "cwe_refs": [
       "CWE-843"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30397",
@@ -41655,11 +41727,21 @@
         "published_date": "2025-05-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-13; due date 2025-06-03. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-30397 ; https://nvd.nist.gov/vuln/detail/CVE-2025-30397",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows at a build below the fixed version named in the Microsoft advisory on an endpoint exposed to attacker-controlled documents or web content.",
+        "Process crashes or memory-corruption signatures consistent with type confusion (CWE-843) in the Windows Scripting Engine on an affected endpoint, after the victim opens attacker-controlled content.",
+        "Inbound delivery of weaponized content followed by unexpected child-process execution from the opening application (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-30397, CISA KEV (added 2025-05-13), and the Microsoft security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203 execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32706": {
     "name": "Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability",