@blamejs/exceptd-skills 0.15.24 → 0.15.27

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.27 — 2026-05-29
+
+Draft-curation pass 24 — mobile device exploitation. Four CISA KEV-listed mobile CVEs that together form a mobile-spyware chain are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Samsung image-parsing-library out-of-bounds writes exploited zero-click via a malicious image (CVE-2025-21042, CVE-2025-21043) map T1203, and Android Framework local privilege escalation and an information-disclosure primitive (CVE-2025-48572, CVE-2025-48633) map T1068. The lessons frame these as the initial-access and local-escalation halves of a commercial-surveillance chain, and name OEM/carrier OTA cadence (Samsung SMR, Android Security Bulletin), MDM-enforced update SLAs, and mobile-threat-defense as the load-bearing controls — patch reach, not just patch availability, is the gap.
+
+## 0.15.26 — 2026-05-29
+
+Draft-curation pass 23 — unauthenticated network-service RCE. Five CISA KEV-listed server-side CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Samsung MagicINFO 9 Server (CVE-2024-7399 path traversal + file upload, CVE-2025-4632 the path-traversal patch-bypass variant), Wing FTP Server remote code execution (CVE-2025-47812, exploitable via anonymous login), VMware vCenter Server DCE/RPC out-of-bounds write (CVE-2024-37079), and the wormable Windows Server Service RPC overflow MS08-067 (CVE-2008-4250, exploited by Conficker). All map T1190, with T1505.003 for the upload-to-web-shell flaw and T1059 for the injection RCE. The lessons carry the long-tail patch-hygiene warning that MS08-067 still exemplifies, and require web-shell hunting or host rebuild beyond the patch.
+
 ## 0.15.24 — 2026-05-29
 
 Draft-curation pass 22 — IT-management and enterprise platforms. Eight CISA KEV-listed unauthenticated server-side CVEs on platforms whose compromise reaches the managed estate are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: N-able N-Central RMM (CVE-2025-8876 command injection, CVE-2025-8875 insecure deserialization), SysAid On-Prem ITSM XXE (CVE-2025-2775, CVE-2025-2776), SimpleHelp remote support (CVE-2024-57728 path traversal, CVE-2024-57726 missing authorization), Quest KACE Systems Management Appliance authentication bypass (CVE-2025-32975), and Oracle E-Business Suite remote code execution (CVE-2025-61882). All map T1190, with per-class T1059 (code injection/deserialization) or T1078 (auth bypass). The lessons stress that management-platform compromise is fleet-wide — response must rotate credentials and audit every action pushed to downstream managed systems during the exposure window, not just patch the server.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T00:14:30.380Z",
+  "generated_at": "2026-05-30T01:00:01.558Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "bdfa62ec546c293e03f8ed60adb72c09d72413efe313e20407ca7f19bd607d28",
+    "manifest.json": "95c5ef9c2d7776441891168bae391cdb8e176ac717c32df58ca1e3211453c91b",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "c882080eff805eb5a2b35940d85c60919605ef9754cbf448291be053498040c3",
-    "data/cve-catalog.json": "177f37585b11bb848b62c4598f3fcb565003a1e3289ac8144932d57d7e45bc39",
+    "data/attack-techniques.json": "34974c3918d0e3124dd879ddbf1c3e7e14c13bc184e5e076bb82e53e01c27807",
+    "data/cve-catalog.json": "3369f074abef9a09778b3ae8e724990c699c696c6c1efcd1d39c1b518148e8d7",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "895bdef8ae63d68a8497df0b374b846d34fee139a7b84d11d5bc719e4f6af66e",
+    "data/zeroday-lessons.json": "ae57f32d861af6058796566c3cf71cfc564a0fa9c1b6966b7fa079122cb8c9c7",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/_indexes/activity-feed.json

@@ -165,7 +165,7 @@
       "artifact": "data/zeroday-lessons.json",
       "path": "data/zeroday-lessons.json",
       "schema_version": "1.1.0",
-      "entry_count": 426
+      "entry_count": 427
     },
     {
       "date": "2026-05-17",

package/data/_indexes/catalog-summaries.json

@@ -238,7 +238,7 @@
         "rebuild_after_days": 365,
         "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
       },
-      "entry_count": 426,
+      "entry_count": 427,
       "sample_keys": [
         "CVE-2026-31431",
         "CVE-2025-53773",

package/data/attack-techniques.json

@@ -323,6 +323,7 @@
       "CVE-2025-3466",
       "CVE-2025-40551",
       "CVE-2025-4428",
+      "CVE-2025-47812",
       "CVE-2025-49113",
       "CVE-2025-49596",
       "CVE-2025-49704",
@@ -519,6 +520,7 @@
       "CVE-2025-43300",
       "CVE-2025-48543",
       "CVE-2025-48572",
+      "CVE-2025-48633",
       "CVE-2025-59230",
       "CVE-2025-60710",
       "CVE-2025-62215",
@@ -933,6 +935,7 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2008-0015",
+      "CVE-2008-4250",
       "CVE-2014-6278",
       "CVE-2016-10033",
       "CVE-2016-7836",
@@ -992,6 +995,7 @@
       "CVE-2024-57726",
       "CVE-2024-57728",
       "CVE-2024-6587",
+      "CVE-2024-7399",
       "CVE-2024-7694",
       "CVE-2024-8068",
       "CVE-2024-8069",
@@ -1013,8 +1017,6 @@
       "CVE-2025-20352",
       "CVE-2025-20362",
       "CVE-2025-20393",
-      "CVE-2025-21042",
-      "CVE-2025-21043",
       "CVE-2025-22457",
       "CVE-2025-24016",
       "CVE-2025-24893",
@@ -1055,6 +1057,7 @@
       "CVE-2025-42999",
       "CVE-2025-4427",
       "CVE-2025-4428",
+      "CVE-2025-4632",
       "CVE-2025-47812",
       "CVE-2025-47827",
       "CVE-2025-48384",
@@ -1340,6 +1343,8 @@
       "CVE-2025-10585",
       "CVE-2025-13223",
       "CVE-2025-14174",
+      "CVE-2025-21042",
+      "CVE-2025-21043",
       "CVE-2025-24201",
       "CVE-2025-30397",
       "CVE-2025-31277",
@@ -12103,6 +12108,7 @@
     "_intake_method": "mitre-attack-stix",
     "cve_refs": [
       "CVE-2024-1708",
+      "CVE-2024-7399",
       "CVE-2025-2749",
       "CVE-2025-31324",
       "CVE-2025-49704",

package/data/cve-catalog.json

@@ -7943,7 +7943,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190",
+      "T1505.003"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -7965,7 +7967,7 @@
       "CWE-22",
       "CWE-434"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://security.samsungtv.com/securityUpdates",
@@ -7994,11 +7996,21 @@
         "published_date": "2026-04-24"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-24; due date 2026-05-08. Notes reference: https://security.samsungtv.com/securityUpdates ; https://nvd.nist.gov/vuln/detail/CVE-2024-7399",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority.",
+    "iocs": {
+      "behavioral": [
+        "Samsung MagicINFO 9 Server reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the MagicINFO Server consistent with path-traversal plus unrestricted-file-upload flaw.",
+        "Post-exploitation indicators on the MagicINFO Server — web shells, unexpected process execution, or service crashes consistent with memory corruption — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-7399, CISA KEV (added 2026-04-24), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-57728": {
     "name": "SimpleHelp Path Traversal Vulnerability",
@@ -20298,7 +20310,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1210"
+      "T1210",
+      "T1190"
     ],
     "rwep_score": 70,
     "rwep_factors": {
@@ -20319,7 +20332,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-25",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2008-4250"
@@ -20333,11 +20346,21 @@
         "published_date": "2026-05-20"
       }
     ],
-    "last_updated": "2026-05-25",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Manual KEV-gap-fill: legacy CVE re-listed to CISA KEV 2026-05-20 (renewed exploitation against unpatched / legacy Windows). Draft pending enrichment; postdates the v0.13.17 bulk intake (KEV catalog 2026.05.15).",
-    "_auto_imported": true,
-    "_intake_method": "manual-kev-gap-fill-2026-05-20",
-    "_kev_short_description": "Microsoft Windows Server service contains a buffer overflow allowing unauthenticated wormable remote code execution (MS08-067)."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Server service contains a buffer overflow allowing unauthenticated wormable remote code execution (MS08-067).",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Windows Server Service (RPC) consistent with buffer overflow.",
+        "Post-exploitation indicators on the Windows Server Service (RPC) — web shells, unexpected process execution, or service crashes consistent with memory corruption — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2008-4250, CISA KEV (added 2026-05-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2009-1537": {
     "name": "Microsoft DirectShow QuickTime Parsing Memory Corruption",
@@ -26703,7 +26726,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453",
@@ -26732,11 +26755,21 @@
         "published_date": "2026-01-23"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-23; due date 2026-02-13. Notes reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453 ; https://nvd.nist.gov/vuln/detail/CVE-2024-37079",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution.",
+    "iocs": {
+      "behavioral": [
+        "VMware vCenter Server reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the vCenter Server consistent with out-of-bounds write.",
+        "Post-exploitation indicators on the vCenter Server — web shells, unexpected process execution, or service crashes consistent with memory corruption — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-37079, CISA KEV (added 2026-01-23), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-68645": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability",
@@ -29194,7 +29227,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29215,7 +29249,7 @@
     "cwe_refs": [
       "CWE-125"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://source.android.com/docs/security/bulletin/2025-12-01",
@@ -29244,11 +29278,21 @@
         "published_date": "2025-12-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-02; due date 2025-12-23. Notes reference: https://source.android.com/docs/security/bulletin/2025-12-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48633",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for information disclosure."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for information disclosure.",
+    "iocs": {
+      "behavioral": [
+        "Android at a patch level below the fixed build named in the Android Security Bulletin advisory.",
+        "An unprivileged app gaining elevated privileges via the Android Framework, or memory-disclosure behavior consistent with an ASLR-defeating primitive, with no legitimate cause.",
+        "Indicators of a mobile-spyware / multi-stage exploit chain on a high-risk-user device (KEV-confirmed in-the-wild exploitation; this class is used in commercial-surveillance chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48633, CISA KEV (added 2025-12-02), and the Android security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48572": {
     "name": "Android Framework Privilege Escalation Vulnerability",
@@ -29310,7 +29354,7 @@
     "cwe_refs": [
       "CWE-269"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://source.android.com/docs/security/bulletin/2025-12-01",
@@ -29339,11 +29383,21 @@
         "published_date": "2025-12-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-02; due date 2025-12-23. Notes reference: https://source.android.com/docs/security/bulletin/2025-12-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48572",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for privilege escalation."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for privilege escalation.",
+    "iocs": {
+      "behavioral": [
+        "Android at a patch level below the fixed build named in the Android Security Bulletin advisory.",
+        "An unprivileged app gaining elevated privileges via the Android Framework, or memory-disclosure behavior consistent with an ASLR-defeating primitive, with no legitimate cause.",
+        "Indicators of a mobile-spyware / multi-stage exploit chain on a high-risk-user device (KEV-confirmed in-the-wild exploitation; this class is used in commercial-surveillance chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48572, CISA KEV (added 2025-12-02), and the Android security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-26829": {
     "name": "OpenPLC ScadaBR Cross-site Scripting Vulnerability",
@@ -30213,7 +30267,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30234,7 +30288,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04",
@@ -30263,11 +30317,21 @@
         "published_date": "2025-11-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-10; due date 2025-12-01. Notes reference: https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04 ; https://nvd.nist.gov/vuln/detail/CVE-2025-21042",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code.",
+    "iocs": {
+      "behavioral": [
+        "Samsung mobile devices at a patch level below the fixed build named in the Samsung SMR advisory.",
+        "Crashes or memory-corruption signatures in the Samsung image parser after an inbound image (often delivered to a messaging app without user interaction).",
+        "Indicators of a mobile-spyware / multi-stage exploit chain on a high-risk-user device (KEV-confirmed in-the-wild exploitation; this class is used in commercial-surveillance chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-21042, CISA KEV (added 2025-11-10), and the Samsung security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48703": {
     "name": "CWP Control Web Panel OS Command Injection Vulnerability",
@@ -33470,7 +33534,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -33491,7 +33555,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=09",
@@ -33520,11 +33584,21 @@
         "published_date": "2025-10-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=09 ; https://nvd.nist.gov/vuln/detail/CVE-2025-21043",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code.",
+    "iocs": {
+      "behavioral": [
+        "Samsung mobile devices at a patch level below the fixed build named in the Samsung SMR advisory.",
+        "Crashes or memory-corruption signatures in the Samsung image parser after an inbound image (often delivered to a messaging app without user interaction).",
+        "Indicators of a mobile-spyware / multi-stage exploit chain on a high-risk-user device (KEV-confirmed in-the-wild exploitation; this class is used in commercial-surveillance chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-21043, CISA KEV (added 2025-10-02), and the Samsung security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-4008": {
     "name": "Smartbedded Meteobridge Command Injection Vulnerability",
@@ -37715,7 +37789,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -37736,7 +37811,7 @@
     "cwe_refs": [
       "CWE-158"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.wftpserver.com/serverhistory.htm",
@@ -37765,11 +37840,21 @@
         "published_date": "2025-07-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-14; due date 2025-08-04. Notes reference: https://www.wftpserver.com/serverhistory.htm ; https://nvd.nist.gov/vuln/detail/CVE-2025-47812",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default)."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).",
+    "iocs": {
+      "behavioral": [
+        "Wing FTP Server reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Wing FTP Server consistent with improper-neutralization null-byte flaw.",
+        "Post-exploitation indicators on the Wing FTP Server — web shells, unexpected process execution, or service crashes consistent with memory corruption — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-47812, CISA KEV (added 2025-07-14), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-5777": {
     "name": "Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability",
@@ -40643,7 +40728,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -40664,7 +40750,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://security.samsungtv.com/securityUpdates#SVP-MAY-2025",
@@ -40693,11 +40779,21 @@
         "published_date": "2025-05-22"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-22; due date 2025-06-12. Notes reference: https://security.samsungtv.com/securityUpdates#SVP-MAY-2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-4632",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority.",
+    "iocs": {
+      "behavioral": [
+        "Samsung MagicINFO 9 Server reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the MagicINFO Server consistent with path-traversal flaw.",
+        "Post-exploitation indicators on the MagicINFO Server — web shells, unexpected process execution, or service crashes consistent with memory corruption — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-4632, CISA KEV (added 2025-05-22), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-38950": {
     "name": "ZKTeco BioTime Path Traversal Vulnerability",