@blamejs/exceptd-skills 0.15.26 → 0.15.28

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.28 — 2026-05-29
+
+Draft-curation pass 25 — web applications and developer tooling. Six CISA KEV-listed unauthenticated server-side CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Laravel Livewire code injection (CVE-2025-54068), n8n dynamic-code execution (CVE-2025-68613), JetBrains TeamCity authentication bypass via path traversal (CVE-2024-27199), and arbitrary file-read path traversals in Grafana (CVE-2021-43798), Gogs (CVE-2025-8110), and the Vite dev server (CVE-2025-31125). All map T1190, with per-class T1059 (code injection), T1078 (auth bypass), or T1552 (file reads that leak configuration/source secrets). The lessons stress that file-disclosure flaws demand rotation of every exposed secret, and that CI/developer-tool compromise (TeamCity) carries software-supply-chain risk to build artifacts beyond the server itself.
+
+## 0.15.27 — 2026-05-29
+
+Draft-curation pass 24 — mobile device exploitation. Four CISA KEV-listed mobile CVEs that together form a mobile-spyware chain are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Samsung image-parsing-library out-of-bounds writes exploited zero-click via a malicious image (CVE-2025-21042, CVE-2025-21043) map T1203, and Android Framework local privilege escalation and an information-disclosure primitive (CVE-2025-48572, CVE-2025-48633) map T1068. The lessons frame these as the initial-access and local-escalation halves of a commercial-surveillance chain, and name OEM/carrier OTA cadence (Samsung SMR, Android Security Bulletin), MDM-enforced update SLAs, and mobile-threat-defense as the load-bearing controls — patch reach, not just patch availability, is the gap.
+
 ## 0.15.26 — 2026-05-29
 
 Draft-curation pass 23 — unauthenticated network-service RCE. Five CISA KEV-listed server-side CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Samsung MagicINFO 9 Server (CVE-2024-7399 path traversal + file upload, CVE-2025-4632 the path-traversal patch-bypass variant), Wing FTP Server remote code execution (CVE-2025-47812, exploitable via anonymous login), VMware vCenter Server DCE/RPC out-of-bounds write (CVE-2024-37079), and the wormable Windows Server Service RPC overflow MS08-067 (CVE-2008-4250, exploited by Conficker). All map T1190, with T1505.003 for the upload-to-web-shell flaw and T1059 for the injection RCE. The lessons carry the long-tail patch-hygiene warning that MS08-067 still exemplifies, and require web-shell hunting or host rebuild beyond the patch.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T00:45:25.785Z",
+  "generated_at": "2026-05-30T01:16:22.729Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "849fdaabfec5a675fbcf41a605ccc272f1b3ad572138b42d11193dfec95a6e92",
+    "manifest.json": "3be5985b09e4e142de03abbce27588bc8606a489918b8d7b5a84d457908707c1",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "29be2d4aae35f5a250937b5d5c0e7a3b1e25c13fba9f35e29df7ca368e81ab39",
-    "data/cve-catalog.json": "dcba88e6328b0d366e90c279f539387a6195aae68981683fbe5015c3cdf9ddd8",
+    "data/attack-techniques.json": "85d09671bb4f6f3be0d7cbe70c405b9ebf8a680f1c9c5de8261461c2c4036a76",
+    "data/cve-catalog.json": "9626cd5f0c24b365ae96d39ebc584b41aa63124337f319f7bdd7d22e2052a651",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "2f54885539d6e149e82ab6ca57592c472ccd2645d36ac1f54b1810db4976380a",
+    "data/zeroday-lessons.json": "4b9b2e9080ba9f723461b12e1bff989cb4ad5f794568ec8ae387e2a9a34c1f17",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -330,6 +330,7 @@
       "CVE-2025-5086",
       "CVE-2025-51480",
       "CVE-2025-53773",
+      "CVE-2025-54068",
       "CVE-2025-54136",
       "CVE-2025-55319",
       "CVE-2025-58034",
@@ -338,6 +339,7 @@
       "CVE-2025-6204",
       "CVE-2025-64328",
       "CVE-2025-64496",
+      "CVE-2025-68613",
       "CVE-2025-68645",
       "CVE-2025-68664",
       "CVE-2025-68665",
@@ -520,6 +522,7 @@
       "CVE-2025-43300",
       "CVE-2025-48543",
       "CVE-2025-48572",
+      "CVE-2025-48633",
       "CVE-2025-59230",
       "CVE-2025-60710",
       "CVE-2025-62215",
@@ -594,6 +597,7 @@
       "CVE-2023-50224",
       "CVE-2024-12776",
       "CVE-2024-1709",
+      "CVE-2024-27199",
       "CVE-2024-54085",
       "CVE-2024-57726",
       "CVE-2025-12480",
@@ -948,6 +952,7 @@
       "CVE-2020-7796",
       "CVE-2021-22681",
       "CVE-2021-26828",
+      "CVE-2021-43798",
       "CVE-2022-1471",
       "CVE-2022-20775",
       "CVE-2022-36551",
@@ -979,6 +984,7 @@
       "CVE-2024-21575",
       "CVE-2024-21576",
       "CVE-2024-21762",
+      "CVE-2024-27199",
       "CVE-2024-27443",
       "CVE-2024-2912",
       "CVE-2024-31462",
@@ -1016,8 +1022,6 @@
       "CVE-2025-20352",
       "CVE-2025-20362",
       "CVE-2025-20393",
-      "CVE-2025-21042",
-      "CVE-2025-21043",
       "CVE-2025-22457",
       "CVE-2025-24016",
       "CVE-2025-24893",
@@ -1116,6 +1120,7 @@
       "CVE-2025-69286",
       "CVE-2025-6965",
       "CVE-2025-7775",
+      "CVE-2025-8110",
       "CVE-2025-8875",
       "CVE-2025-8876",
       "CVE-2025-9242",
@@ -1344,6 +1349,8 @@
       "CVE-2025-10585",
       "CVE-2025-13223",
       "CVE-2025-14174",
+      "CVE-2025-21042",
+      "CVE-2025-21043",
       "CVE-2025-24201",
       "CVE-2025-30397",
       "CVE-2025-31277",
@@ -1686,12 +1693,14 @@
     "name": "Unsecured Credentials",
     "version": "v19",
     "cve_refs": [
+      "CVE-2021-43798",
       "CVE-2023-47117",
       "CVE-2024-12450",
       "CVE-2025-11371",
       "CVE-2025-14611",
       "CVE-2025-30066",
       "CVE-2025-30154",
+      "CVE-2025-31125",
       "CVE-2025-5777",
       "CVE-2025-68664",
       "CVE-2025-68665",

package/data/cve-catalog.json

@@ -9016,7 +9016,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -9037,7 +9039,7 @@
     "cwe_refs": [
       "CWE-23"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.jetbrains.com/privacy-security/issues-fixed/",
@@ -9067,11 +9069,21 @@
         "published_date": "2026-04-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-05-04. Notes reference: https://www.jetbrains.com/privacy-security/issues-fixed/ ; https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.",
+    "iocs": {
+      "behavioral": [
+        "JetBrains TeamCity reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the TeamCity consistent with relative path-traversal flaw.",
+        "Post-exploitation indicators on the TeamCity — web shells, unexpected process execution, or administrative/CI actions without a matching login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-27199, CISA KEV (added 2026-04-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-34197": {
     "name": "Apache ActiveMQ Improper Input Validation Vulnerability",
@@ -20874,7 +20886,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -20895,7 +20908,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3",
@@ -20925,11 +20938,21 @@
         "published_date": "2026-03-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-20; due date 2026-04-03. Notes reference: https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3 ; https://github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dc ; https://nvd.nist.gov/vuln/detail/C",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Laravel Livewire contain a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Laravel Livewire contain a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios.",
+    "iocs": {
+      "behavioral": [
+        "Laravel Livewire reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Livewire consistent with code-injection flaw.",
+        "Post-exploitation indicators on the Livewire — web shells, unexpected process execution, or administrative/CI actions without a matching login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-54068, CISA KEV (added 2026-03-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-43510": {
     "name": "Apple Multiple Products Improper Locking Vulnerability",
@@ -21934,7 +21957,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21955,7 +21979,7 @@
     "cwe_refs": [
       "CWE-913"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp",
@@ -21984,11 +22008,21 @@
         "published_date": "2026-03-11"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-11; due date 2026-03-25. Notes reference: https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp ; https://nvd.nist.gov/vuln/detail/CVE-2025-68613",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution.",
+    "iocs": {
+      "behavioral": [
+        "n8n reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the n8n consistent with improper-control-of-dynamically-managed-code flaw.",
+        "Post-exploitation indicators on the n8n — web shells, unexpected process execution, or administrative/CI actions without a matching login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-68613, CISA KEV (added 2026-03-11), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-22054": {
     "name": "Omnissa Workspace ONE Server-Side Request Forgery",
@@ -27014,7 +27048,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -27036,7 +27071,7 @@
       "CWE-200",
       "CWE-284"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949",
@@ -27065,11 +27100,21 @@
         "published_date": "2026-01-22"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-22; due date 2026-02-12. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.",
+    "iocs": {
+      "behavioral": [
+        "Vite reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Vite dev server consistent with improper-access-control flaw.",
+        "Requests reading files outside the intended root (configuration, secrets, source, .env) on the Vite dev server, followed by use of the disclosed credentials elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-31125, CISA KEV (added 2026-01-22), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-54313": {
     "name": "Prettier eslint-config-prettier Embedded Malicious Code Vulnerability",
@@ -27420,7 +27465,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -27441,7 +27487,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6",
@@ -27470,11 +27516,21 @@
         "published_date": "2026-01-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-12; due date 2026-02-02. Notes reference: https://github.com/gogs/gogs/commit/553707f3fd5f68f47f531cfcff56aa3ec294c6f6 ; https://nvd.nist.gov/vuln/detail/CVE-2025-8110",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.",
+    "iocs": {
+      "behavioral": [
+        "Gogs reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Gogs consistent with path-traversal flaw.",
+        "Post-exploitation indicators on the Gogs — web shells, unexpected process execution, or administrative/CI actions without a matching login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-8110, CISA KEV (added 2026-01-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2009-0556": {
     "name": "Microsoft Office PowerPoint Code Injection Vulnerability",
@@ -29227,7 +29283,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29248,7 +29305,7 @@
     "cwe_refs": [
       "CWE-125"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://source.android.com/docs/security/bulletin/2025-12-01",
@@ -29277,11 +29334,21 @@
         "published_date": "2025-12-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-02; due date 2025-12-23. Notes reference: https://source.android.com/docs/security/bulletin/2025-12-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48633",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for information disclosure."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for information disclosure.",
+    "iocs": {
+      "behavioral": [
+        "Android at a patch level below the fixed build named in the Android Security Bulletin advisory.",
+        "An unprivileged app gaining elevated privileges via the Android Framework, or memory-disclosure behavior consistent with an ASLR-defeating primitive, with no legitimate cause.",
+        "Indicators of a mobile-spyware / multi-stage exploit chain on a high-risk-user device (KEV-confirmed in-the-wild exploitation; this class is used in commercial-surveillance chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48633, CISA KEV (added 2025-12-02), and the Android security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48572": {
     "name": "Android Framework Privilege Escalation Vulnerability",
@@ -29343,7 +29410,7 @@
     "cwe_refs": [
       "CWE-269"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://source.android.com/docs/security/bulletin/2025-12-01",
@@ -29372,11 +29439,21 @@
         "published_date": "2025-12-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-02; due date 2025-12-23. Notes reference: https://source.android.com/docs/security/bulletin/2025-12-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48572",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for privilege escalation."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Android Framework contains an unspecified vulnerability that allows for privilege escalation.",
+    "iocs": {
+      "behavioral": [
+        "Android at a patch level below the fixed build named in the Android Security Bulletin advisory.",
+        "An unprivileged app gaining elevated privileges via the Android Framework, or memory-disclosure behavior consistent with an ASLR-defeating primitive, with no legitimate cause.",
+        "Indicators of a mobile-spyware / multi-stage exploit chain on a high-risk-user device (KEV-confirmed in-the-wild exploitation; this class is used in commercial-surveillance chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48572, CISA KEV (added 2025-12-02), and the Android security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-26829": {
     "name": "OpenPLC ScadaBR Cross-site Scripting Vulnerability",
@@ -30246,7 +30323,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30267,7 +30344,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04",
@@ -30296,11 +30373,21 @@
         "published_date": "2025-11-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-10; due date 2025-12-01. Notes reference: https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04 ; https://nvd.nist.gov/vuln/detail/CVE-2025-21042",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code.",
+    "iocs": {
+      "behavioral": [
+        "Samsung mobile devices at a patch level below the fixed build named in the Samsung SMR advisory.",
+        "Crashes or memory-corruption signatures in the Samsung image parser after an inbound image (often delivered to a messaging app without user interaction).",
+        "Indicators of a mobile-spyware / multi-stage exploit chain on a high-risk-user device (KEV-confirmed in-the-wild exploitation; this class is used in commercial-surveillance chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-21042, CISA KEV (added 2025-11-10), and the Samsung security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48703": {
     "name": "CWP Control Web Panel OS Command Injection Vulnerability",
@@ -32264,7 +32351,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32285,7 +32374,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/",
@@ -32314,11 +32403,21 @@
         "published_date": "2025-10-09"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-09; due date 2025-10-30. Notes reference: https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ ; https://nvd.nist.gov/vuln/detail/CVE-2021-43798",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Grafana contains a path traversal vulnerability that could allow access to local files."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Grafana contains a path traversal vulnerability that could allow access to local files.",
+    "iocs": {
+      "behavioral": [
+        "Grafana reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Grafana consistent with path-traversal flaw.",
+        "Requests reading files outside the intended root (configuration, secrets, source, .env) on the Grafana, followed by use of the disclosed credentials elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-43798, CISA KEV (added 2025-10-09), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-27915": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability (variant: CVE-2025-27915)",
@@ -33503,7 +33602,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -33524,7 +33623,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=09",
@@ -33553,11 +33652,21 @@
         "published_date": "2025-10-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=09 ; https://nvd.nist.gov/vuln/detail/CVE-2025-21043",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code.",
+    "iocs": {
+      "behavioral": [
+        "Samsung mobile devices at a patch level below the fixed build named in the Samsung SMR advisory.",
+        "Crashes or memory-corruption signatures in the Samsung image parser after an inbound image (often delivered to a messaging app without user interaction).",
+        "Indicators of a mobile-spyware / multi-stage exploit chain on a high-risk-user device (KEV-confirmed in-the-wild exploitation; this class is used in commercial-surveillance chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-21043, CISA KEV (added 2025-10-02), and the Samsung security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-4008": {
     "name": "Smartbedded Meteobridge Command Injection Vulnerability",