npm - @blamejs/exceptd-skills - Versions diffs - 0.15.24 → 0.15.27 - Mend

@blamejs/exceptd-skills 0.15.24 → 0.15.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/_indexes/activity-feed.json +1 -1
package/data/_indexes/catalog-summaries.json +1 -1
package/data/attack-techniques.json +8 -2
package/data/cve-catalog.json +148 -52
package/data/zeroday-lessons.json +371 -107
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/data/zeroday-lessons.json CHANGED Viewed

@@ -17,7 +17,7 @@
       "rebuild_after_days": 365,
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     },
-    "entry_count": 426
+    "entry_count": 427
   },
   "CVE-2026-31431": {
     "name": "Copy Fail",
@@ -6991,35 +6991,63 @@
   },
   "CVE-2024-7399": {
     "name": "Samsung MagicINFO 9 Server Path Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a path-traversal plus unrestricted-file-upload flaw (CWE-22/CWE-434), letting an unauthenticated attacker upload a file (e.g. a web shell) and traverse to it for code execution. CISA KEV-listed 2026-04-24 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the service's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Samsung MagicINFO 9 Server security update; hunt for web shells under the service's root and rotate service credentials — an upload/injection primitive leaves resident persistence the patch does not remove.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; the recurring failure is the SLA gap and the lack of web-shell-hunt / rebuild cleanup, plus long-tail unpatched estates (the MS08-067 lesson)."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the MagicINFO Server: exploit-shaped requests, new web-shell files, unexpected process execution, and service crashes consistent with memory corruption.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence on an internet-facing service."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately; for the upload/injection variants hunt and remove web shells and rotate credentials, for the memory-corruption variants rebuild the host; review for lateral movement.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an internet-facing RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network service; these are mass-exploited within days, and MS08-067/Conficker is the canonical example of long-tail exposure persisting for years on unpatched estates."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service, and legacy KEV re-listings show unpatched long-tail estates remain exposed."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / rebuild cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network service in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "Internet-facing Samsung MagicINFO 9 Server is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt / rebuild is rarely part of the documented patch procedure, and long-tail unpatched estates persist (the MS08-067 pattern).",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2024-57728": {
     "name": "SimpleHelp Path Traversal Vulnerability",
@@ -13874,35 +13902,63 @@
   },
   "CVE-2024-37079": {
     "name": "Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an out-of-bounds write (CWE-787) in the vCenter Server DCE/RPC protocol implementation, exploitable by an unauthenticated attacker for remote code execution. CISA KEV-listed 2026-01-23 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the service's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the VMware vCenter Server security update; for a memory-corruption RCE on a network service, treat an exploited host as compromised and rebuild, rotating any credentials it held.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; the recurring failure is the SLA gap and the lack of web-shell-hunt / rebuild cleanup, plus long-tail unpatched estates (the MS08-067 lesson)."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the vCenter Server: exploit-shaped requests, new web-shell files, unexpected process execution, and service crashes consistent with memory corruption.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence on an internet-facing service."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately; for the upload/injection variants hunt and remove web shells and rotate credentials, for the memory-corruption variants rebuild the host; review for lateral movement.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an internet-facing RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network service; these are mass-exploited within days, and MS08-067/Conficker is the canonical example of long-tail exposure persisting for years on unpatched estates."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service, and legacy KEV re-listings show unpatched long-tail estates remain exposed."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / rebuild cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network service in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "Internet-facing VMware vCenter Server is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt / rebuild is rarely part of the documented patch procedure, and long-tail unpatched estates persist (the MS08-067 pattern).",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-68645": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability",
@@ -14939,67 +14995,113 @@
   },
   "CVE-2025-48633": {
     "name": "Android Framework Information Disclosure Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Android Framework contains an unspecified vulnerability that allows for information disclosure.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an out-of-bounds read information-disclosure flaw (CWE-125) in the Android Framework, used by a local app as a primitive in a privilege-escalation chain (leaking memory to defeat ASLR for a follow-on exploit). CISA KEV-listed 2025-12-02 with confirmed in-the-wild exploitation; this class forms the local-escalation half of a mobile-spyware chain.",
+      "privileges_required": "low (a local app or the foothold from an initial-access primitive)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Android Security Bulletin OTA update promptly; enforce update SLAs via MDM on managed fleets, deploy mobile-threat-defense, and enable hardened/locked-down configurations for high-risk users.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "The OTA fix is definitive; the gap is OEM/carrier patch reach and managed fleets that defer mobile updates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for unprivileged-to-elevated transitions and ASLR-defeating memory disclosure; vendor threat notifications for targeted users.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; mobile-spyware chains are stealthy and frequently zero-click."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update; for a confirmed targeted device, preserve forensic state, rotate credentials and tokens stored on the device, and consider device replacement — spyware can persist across reboots.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory for a KEV-listed mobile RCE/LPE; the exposure is every device that processed attacker content pre-patch."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited mobile flaw; commercial-surveillance and spyware chains weaponize these within days, and patch reach depends on OEM/carrier OTA cadence well beyond the vendor's release date."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile OS flaw, and the OEM/carrier OTA chain means many devices receive the fix weeks-to-never after disclosure."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems) is the right tier, but the load-bearing controls for mobile are vendor OTA cadence (Android Security Bulletin / Samsung SMR), MDM-enforced update SLAs on managed fleets, mobile-threat-defense, and hardened/locked-down configurations for high-risk users — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 71,
+      "basis": "Android update reach depends on OEM/carrier OTA cadence; audited organizations that do not enforce mobile update SLAs via MDM remain exposed for this KEV-listed, actively-exploited flaw long after the fix is published.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-48572": {
     "name": "Android Framework Privilege Escalation Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Android Framework contains an unspecified vulnerability that allows for privilege escalation.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a privilege-escalation flaw (CWE-269) in the Android Framework, exploited by a local app to escalate privileges on the device (the local-escalation step after an initial-access primitive). CISA KEV-listed 2025-12-02 with confirmed in-the-wild exploitation; this class forms the local-escalation half of a mobile-spyware chain.",
+      "privileges_required": "low (a local app or the foothold from an initial-access primitive)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Android Security Bulletin OTA update promptly; enforce update SLAs via MDM on managed fleets, deploy mobile-threat-defense, and enable hardened/locked-down configurations for high-risk users.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "The OTA fix is definitive; the gap is OEM/carrier patch reach and managed fleets that defer mobile updates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for unprivileged-to-elevated transitions and ASLR-defeating memory disclosure; vendor threat notifications for targeted users.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; mobile-spyware chains are stealthy and frequently zero-click."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update; for a confirmed targeted device, preserve forensic state, rotate credentials and tokens stored on the device, and consider device replacement — spyware can persist across reboots.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory for a KEV-listed mobile RCE/LPE; the exposure is every device that processed attacker content pre-patch."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited mobile flaw; commercial-surveillance and spyware chains weaponize these within days, and patch reach depends on OEM/carrier OTA cadence well beyond the vendor's release date."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile OS flaw, and the OEM/carrier OTA chain means many devices receive the fix weeks-to-never after disclosure."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems) is the right tier, but the load-bearing controls for mobile are vendor OTA cadence (Android Security Bulletin / Samsung SMR), MDM-enforced update SLAs on managed fleets, mobile-threat-defense, and hardened/locked-down configurations for high-risk users — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 71,
+      "basis": "Android update reach depends on OEM/carrier OTA cadence; audited organizations that do not enforce mobile update SLAs via MDM remain exposed for this KEV-listed, actively-exploited flaw long after the fix is published.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2021-26829": {
     "name": "OpenPLC ScadaBR Cross-site Scripting Vulnerability",
@@ -15417,35 +15519,58 @@
   },
   "CVE-2025-21042": {
     "name": "Samsung Mobile Devices Out-of-Bounds Write Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an out-of-bounds write (CWE-787) in the Samsung image-parsing library, exploitable by a malicious image (zero-click, e.g. delivered through a messaging app) for code execution on the device — used in the wild in mobile spyware. CISA KEV-listed 2025-11-10 with confirmed in-the-wild exploitation; this class forms the initial-access half of a mobile-spyware chain.",
+      "privileges_required": "none (the device renders an attacker-supplied image, often zero-click)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Samsung SMR OTA update promptly; enforce update SLAs via MDM on managed fleets, deploy mobile-threat-defense, and enable hardened/locked-down configurations for high-risk users.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "The OTA fix is definitive; the gap is OEM/carrier patch reach and managed fleets that defer mobile updates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for image-parser crashes after inbound media and post-exploit beaconing; vendor threat notifications for targeted users.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; mobile-spyware chains are stealthy and frequently zero-click."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update; for a confirmed targeted device, preserve forensic state, rotate credentials and tokens stored on the device, and consider device replacement — spyware can persist across reboots.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory for a KEV-listed mobile RCE/LPE; the exposure is every device that processed attacker content pre-patch."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited mobile flaw; commercial-surveillance and spyware chains weaponize these within days, and patch reach depends on OEM/carrier OTA cadence well beyond the vendor's release date."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile OS flaw, and the OEM/carrier OTA chain means many devices receive the fix weeks-to-never after disclosure."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems) is the right tier, but the load-bearing controls for mobile are vendor OTA cadence (Android Security Bulletin / Samsung SMR), MDM-enforced update SLAs on managed fleets, mobile-threat-defense, and hardened/locked-down configurations for high-risk users — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 71,
+      "basis": "Samsung mobile devices update reach depends on OEM/carrier OTA cadence; audited organizations that do not enforce mobile update SLAs via MDM remain exposed for this KEV-listed, actively-exploited flaw long after the fix is published.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-48703": {
     "name": "CWP Control Web Panel OS Command Injection Vulnerability",
@@ -16871,36 +16996,59 @@
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
   },
   "CVE-2025-21043": {
-    "name": "Samsung Mobile Devices Out-of-Bounds Write Vulnerability",
-    "lesson_date": "2026-05-18",
+    "name": "Samsung Mobile Devices Out-of-Bounds Write Vulnerability (variant: CVE-2025-21043)",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an out-of-bounds write (CWE-787) in the Samsung image-parsing library (a related variant), exploitable by a malicious image for zero-click code execution on the device. CISA KEV-listed 2025-10-02 with confirmed in-the-wild exploitation; this class forms the initial-access half of a mobile-spyware chain.",
+      "privileges_required": "none (the device renders an attacker-supplied image, often zero-click)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Samsung SMR OTA update promptly; enforce update SLAs via MDM on managed fleets, deploy mobile-threat-defense, and enable hardened/locked-down configurations for high-risk users.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "The OTA fix is definitive; the gap is OEM/carrier patch reach and managed fleets that defer mobile updates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for image-parser crashes after inbound media and post-exploit beaconing; vendor threat notifications for targeted users.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; mobile-spyware chains are stealthy and frequently zero-click."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update; for a confirmed targeted device, preserve forensic state, rotate credentials and tokens stored on the device, and consider device replacement — spyware can persist across reboots.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory for a KEV-listed mobile RCE/LPE; the exposure is every device that processed attacker content pre-patch."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited mobile flaw; commercial-surveillance and spyware chains weaponize these within days, and patch reach depends on OEM/carrier OTA cadence well beyond the vendor's release date."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited mobile OS flaw, and the OEM/carrier OTA chain means many devices receive the fix weeks-to-never after disclosure."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems) is the right tier, but the load-bearing controls for mobile are vendor OTA cadence (Android Security Bulletin / Samsung SMR), MDM-enforced update SLAs on managed fleets, mobile-threat-defense, and hardened/locked-down configurations for high-risk users — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 71,
+      "basis": "Samsung mobile devices update reach depends on OEM/carrier OTA cadence; audited organizations that do not enforce mobile update SLAs via MDM remain exposed for this KEV-listed, actively-exploited flaw long after the fix is published.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-4008": {
     "name": "Smartbedded Meteobridge Command Injection Vulnerability",
@@ -18897,35 +19045,63 @@
   },
   "CVE-2025-47812": {
     "name": "Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-neutralization null-byte flaw (CWE-158) letting an unauthenticated attacker inject Lua/commands for remote code execution (exploitable even via anonymous login). CISA KEV-listed 2025-07-14 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the service's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Wing FTP Server security update; hunt for web shells under the service's root and rotate service credentials — an upload/injection primitive leaves resident persistence the patch does not remove.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; the recurring failure is the SLA gap and the lack of web-shell-hunt / rebuild cleanup, plus long-tail unpatched estates (the MS08-067 lesson)."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Wing FTP Server: exploit-shaped requests, new web-shell files, unexpected process execution, and service crashes consistent with memory corruption.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence on an internet-facing service."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately; for the upload/injection variants hunt and remove web shells and rotate credentials, for the memory-corruption variants rebuild the host; review for lateral movement.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an internet-facing RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network service; these are mass-exploited within days, and MS08-067/Conficker is the canonical example of long-tail exposure persisting for years on unpatched estates."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service, and legacy KEV re-listings show unpatched long-tail estates remain exposed."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / rebuild cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network service in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "Internet-facing Wing FTP Server is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt / rebuild is rarely part of the documented patch procedure, and long-tail unpatched estates persist (the MS08-067 pattern).",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-5777": {
     "name": "Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability",
@@ -20181,36 +20357,64 @@
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
   },
   "CVE-2025-4632": {
-    "name": "Samsung MagicINFO 9 Server Path Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "name": "Samsung MagicINFO 9 Server Path Traversal Vulnerability (variant: CVE-2025-4632)",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a path-traversal flaw (CWE-22, a patch-bypass variant) letting an unauthenticated attacker write or read files outside the intended directory for code execution. CISA KEV-listed 2025-05-22 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the service's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Samsung MagicINFO 9 Server security update; for a memory-corruption RCE on a network service, treat an exploited host as compromised and rebuild, rotating any credentials it held.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; the recurring failure is the SLA gap and the lack of web-shell-hunt / rebuild cleanup, plus long-tail unpatched estates (the MS08-067 lesson)."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the MagicINFO Server: exploit-shaped requests, new web-shell files, unexpected process execution, and service crashes consistent with memory corruption.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence on an internet-facing service."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately; for the upload/injection variants hunt and remove web shells and rotate credentials, for the memory-corruption variants rebuild the host; review for lateral movement.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an internet-facing RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network service; these are mass-exploited within days, and MS08-067/Conficker is the canonical example of long-tail exposure persisting for years on unpatched estates."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service, and legacy KEV re-listings show unpatched long-tail estates remain exposed."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / rebuild cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network service in or adjacent to the CDE."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "Internet-facing Samsung MagicINFO 9 Server is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt / rebuild is rarely part of the documented patch procedure, and long-tail unpatched estates persist (the MS08-067 pattern).",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2023-38950": {
     "name": "ZKTeco BioTime Path Traversal Vulnerability",
@@ -22280,5 +22484,65 @@
     "ai_discovered_zeroday": false,
     "ai_discovery_source": "vendor_research",
     "ai_assist_factor": "none"
+  },
+  "CVE-2008-4250": {
+    "name": "Microsoft Windows Server Service RPC Buffer Overflow (MS08-067)",
+    "lesson_date": "2026-05-29",
+    "attack_vector": {
+      "description": "a buffer overflow (CWE-119) in the Windows Server Service RPC handling, exploitable by an unauthenticated attacker for wormable remote code execution (the MS08-067 flaw exploited by Conficker). CISA KEV-listed 2026-05-20 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the service's public interface)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft Windows security update; for a memory-corruption RCE on a network service, treat an exploited host as compromised and rebuild, rotating any credentials it held.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; the recurring failure is the SLA gap and the lack of web-shell-hunt / rebuild cleanup, plus long-tail unpatched estates (the MS08-067 lesson)."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Windows Server Service (RPC): exploit-shaped requests, new web-shell files, unexpected process execution, and service crashes consistent with memory corruption.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence on an internet-facing service."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately; for the upload/injection variants hunt and remove web shells and rotate credentials, for the memory-corruption variants rebuild the host; review for lateral movement.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an internet-facing RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed unauthenticated flaw on an internet-facing network service; these are mass-exploited within days, and MS08-067/Conficker is the canonical example of long-tail exposure persisting for years on unpatched estates."
+      },
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service, and legacy KEV re-listings show unpatched long-tail estates remain exposed."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / rebuild cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing network service in or adjacent to the CDE."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 73,
+      "basis": "Internet-facing Microsoft Windows is run by audited organizations on a standard patch SLA and is mass-exploited within days of disclosure; the required web-shell hunt / rebuild is rarely part of the documented patch procedure, and long-tail unpatched estates persist (the MS08-067 pattern).",
+      "theater_pattern": "patch_management"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   }
 }