@blamejs/exceptd-skills 0.15.23 → 0.15.26

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.26 — 2026-05-29
+
+Draft-curation pass 23 — unauthenticated network-service RCE. Five CISA KEV-listed server-side CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Samsung MagicINFO 9 Server (CVE-2024-7399 path traversal + file upload, CVE-2025-4632 the path-traversal patch-bypass variant), Wing FTP Server remote code execution (CVE-2025-47812, exploitable via anonymous login), VMware vCenter Server DCE/RPC out-of-bounds write (CVE-2024-37079), and the wormable Windows Server Service RPC overflow MS08-067 (CVE-2008-4250, exploited by Conficker). All map T1190, with T1505.003 for the upload-to-web-shell flaw and T1059 for the injection RCE. The lessons carry the long-tail patch-hygiene warning that MS08-067 still exemplifies, and require web-shell hunting or host rebuild beyond the patch.
+
+## 0.15.24 — 2026-05-29
+
+Draft-curation pass 22 — IT-management and enterprise platforms. Eight CISA KEV-listed unauthenticated server-side CVEs on platforms whose compromise reaches the managed estate are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: N-able N-Central RMM (CVE-2025-8876 command injection, CVE-2025-8875 insecure deserialization), SysAid On-Prem ITSM XXE (CVE-2025-2775, CVE-2025-2776), SimpleHelp remote support (CVE-2024-57728 path traversal, CVE-2024-57726 missing authorization), Quest KACE Systems Management Appliance authentication bypass (CVE-2025-32975), and Oracle E-Business Suite remote code execution (CVE-2025-61882). All map T1190, with per-class T1059 (code injection/deserialization) or T1078 (auth bypass). The lessons stress that management-platform compromise is fleet-wide — response must rotate credentials and audit every action pushed to downstream managed systems during the exposure window, not just patch the server.
+
 ## 0.15.23 — 2026-05-29
 
 Draft-curation pass 21 — Microsoft client-side document/web exploitation and protection bypass. Eight CISA KEV-listed CVEs that all begin with a victim opening attacker-controlled content are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. They are mapped by technique class: memory-corruption code execution (CVE-2025-30397 Scripting Engine type confusion, CVE-2026-21519 type confusion, CVE-2009-1537 DirectShow media parsing) maps T1203; Mark-of-the-Web / SmartScreen protection bypass (CVE-2026-21513 MSHTML, CVE-2026-21510 Windows Shell) maps T1211 with T1553.005; Office security-feature bypass (CVE-2026-21514 Word Protected View, CVE-2026-21509 Office) maps T1211; and VBA insecure library loading (CVE-2012-1854) maps T1574.001. The lessons stress that the protection-bypass flaws prove a single control (SmartScreen, Protected View, Mark-of-the-Web) cannot be the only barrier — layered defenses (ASR rules, application control, content filtering) are required.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T23:58:57.226Z",
+  "generated_at": "2026-05-30T00:45:25.785Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "a95058451e83c41c22dc01658efc17d675dc82d520408702a13b39e606c3208b",
+    "manifest.json": "849fdaabfec5a675fbcf41a605ccc272f1b3ad572138b42d11193dfec95a6e92",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "1736dc39e90b994ef3f89ab4ef48f5bdce14fd2d7c068f3d915abf3cbf810687",
-    "data/cve-catalog.json": "f92a1da261e5eeb69148b71c0e572ca52f81c7f65db9fb257db8b427c191e25b",
+    "data/attack-techniques.json": "29be2d4aae35f5a250937b5d5c0e7a3b1e25c13fba9f35e29df7ca368e81ab39",
+    "data/cve-catalog.json": "dcba88e6328b0d366e90c279f539387a6195aae68981683fbe5015c3cdf9ddd8",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "24da511043e4cd3fd9a36f32b45d55abd97e2994608ed700533980338b3f8ce4",
+    "data/zeroday-lessons.json": "2f54885539d6e149e82ab6ca57592c472ccd2645d36ac1f54b1810db4976380a",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/_indexes/activity-feed.json

@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 426
+      "entry_count": 427
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 426,
+      "entry_count": 427,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/attack-techniques.json

@@ -323,6 +323,7 @@
       "CVE-2025-3466",
       "CVE-2025-40551",
       "CVE-2025-4428",
+      "CVE-2025-47812",
       "CVE-2025-49113",
       "CVE-2025-49596",
       "CVE-2025-49704",
@@ -333,6 +334,7 @@
       "CVE-2025-55319",
       "CVE-2025-58034",
       "CVE-2025-60455",
+      "CVE-2025-61882",
       "CVE-2025-6204",
       "CVE-2025-64328",
       "CVE-2025-64496",
@@ -341,6 +343,8 @@
       "CVE-2025-68665",
       "CVE-2025-68668",
       "CVE-2025-8747",
+      "CVE-2025-8875",
+      "CVE-2025-8876",
       "CVE-2025-9377",
       "CVE-2026-0766",
       "CVE-2026-1281",
@@ -591,6 +595,7 @@
       "CVE-2024-12776",
       "CVE-2024-1709",
       "CVE-2024-54085",
+      "CVE-2024-57726",
       "CVE-2025-12480",
       "CVE-2025-1796",
       "CVE-2025-21085",
@@ -929,6 +934,7 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2008-0015",
+      "CVE-2008-4250",
       "CVE-2014-6278",
       "CVE-2016-10033",
       "CVE-2016-7836",
@@ -986,7 +992,9 @@
       "CVE-2024-50050",
       "CVE-2024-56145",
       "CVE-2024-57726",
+      "CVE-2024-57728",
       "CVE-2024-6587",
+      "CVE-2024-7399",
       "CVE-2024-7694",
       "CVE-2024-8068",
       "CVE-2024-8069",
@@ -1035,6 +1043,7 @@
       "CVE-2025-32463",
       "CVE-2025-3248",
       "CVE-2025-32756",
+      "CVE-2025-32975",
       "CVE-2025-33053",
       "CVE-2025-33073",
       "CVE-2025-34291",
@@ -1049,6 +1058,7 @@
       "CVE-2025-42999",
       "CVE-2025-4427",
       "CVE-2025-4428",
+      "CVE-2025-4632",
       "CVE-2025-47812",
       "CVE-2025-47827",
       "CVE-2025-48384",
@@ -12097,6 +12107,7 @@
     "_intake_method": "mitre-attack-stix",
     "cve_refs": [
       "CVE-2024-1708",
+      "CVE-2024-7399",
       "CVE-2025-2749",
       "CVE-2025-31324",
       "CVE-2025-49704",