@blamejs/exceptd-skills 0.15.28 → 0.15.30

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.30 — 2026-05-29
+
+Draft-curation pass 27 — software supply-chain code integrity. Three CISA KEV-listed CVEs where code is trusted without integrity verification are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the TrueConf client and Notepad++ download code/updates without an integrity check (CVE-2026-3502, CVE-2025-15556), and a Trivy distribution shipped embedded malicious code that runs in the trusted context of the vulnerability scanner (CVE-2026-33634). All map T1195.002 (Compromise Software Supply Chain). The lessons frame the defense as enforced signature and provenance verification — code signing, Sigstore/in-toto, SLSA build provenance, TLS-pinned update channels — rather than patching, and note that response is environment-wide because a compromised updater or scanner reaches every host it runs on.
+
+## 0.15.29 — 2026-05-29
+
+Draft-curation pass 26 — ICS/OT devices. Four CISA KEV-listed industrial-control and operational-technology CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: OpenPLC ScadaBR SCADA/HMI (CVE-2021-26828 unrestricted file upload, CVE-2021-26829 cross-site scripting), Hikvision IP camera authentication bypass (CVE-2017-7921), and the Rockwell Automation Logix protected-credential weakness (CVE-2021-22681). All map T1190, with per-class T1505.003, T1078, or T1552. The lessons carry an OT-specific framing: these devices frequently cannot be patched on an IT cadence, so the load-bearing controls are IEC 62443 zones-and-conduits segmentation, removal of IT/internet reachability, and OT-network monitoring — and response must validate process/control-logic integrity, not just perform IT cleanup, because compromise can have physical and safety consequences.
+
 ## 0.15.28 — 2026-05-29
 
 Draft-curation pass 25 — web applications and developer tooling. Six CISA KEV-listed unauthenticated server-side CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Laravel Livewire code injection (CVE-2025-54068), n8n dynamic-code execution (CVE-2025-68613), JetBrains TeamCity authentication bypass via path traversal (CVE-2024-27199), and arbitrary file-read path traversals in Grafana (CVE-2021-43798), Gogs (CVE-2025-8110), and the Vite dev server (CVE-2025-31125). All map T1190, with per-class T1059 (code injection), T1078 (auth bypass), or T1552 (file reads that leak configuration/source secrets). The lessons stress that file-disclosure flaws demand rotation of every exposed secret, and that CI/developer-tool compromise (TeamCity) carries software-supply-chain risk to build artifacts beyond the server itself.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T01:16:22.729Z",
+  "generated_at": "2026-05-30T02:06:48.147Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "3be5985b09e4e142de03abbce27588bc8606a489918b8d7b5a84d457908707c1",
+    "manifest.json": "9d7de7196220da889a9ebb3ef9cec5e01eb13a67df6295a75570b3af0a2e08ec",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "85d09671bb4f6f3be0d7cbe70c405b9ebf8a680f1c9c5de8261461c2c4036a76",
-    "data/cve-catalog.json": "9626cd5f0c24b365ae96d39ebc584b41aa63124337f319f7bdd7d22e2052a651",
+    "data/attack-techniques.json": "0e1ecaf5f99fbe0a71a3bc95bd7b82fbcdbb0052b61a5a376a0c84aa9e12b29e",
+    "data/cve-catalog.json": "90f39afaa73551b6b747cf24e626265c5b876d7daf97e33783b746e6631cead2",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "4b9b2e9080ba9f723461b12e1bff989cb4ad5f794568ec8ae387e2a9a34c1f17",
+    "data/zeroday-lessons.json": "6fd07b3518e34880b2ca2b60eb151c673571e68a274ecde7b31b3b3c4b58ab74",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -943,6 +943,7 @@
       "CVE-2016-10033",
       "CVE-2016-7836",
       "CVE-2017-1000353",
+      "CVE-2017-7921",
       "CVE-2018-4063",
       "CVE-2019-6693",
       "CVE-2019-9621",
@@ -952,6 +953,7 @@
       "CVE-2020-7796",
       "CVE-2021-22681",
       "CVE-2021-26828",
+      "CVE-2021-26829",
       "CVE-2021-43798",
       "CVE-2022-1471",
       "CVE-2022-20775",
@@ -1014,7 +1016,6 @@
       "CVE-2025-14611",
       "CVE-2025-14733",
       "CVE-2025-14847",
-      "CVE-2025-15556",
       "CVE-2025-1796",
       "CVE-2025-20281",
       "CVE-2025-20333",
@@ -1171,10 +1172,8 @@
       "CVE-2026-32201",
       "CVE-2026-32202",
       "CVE-2026-33017",
-      "CVE-2026-33634",
       "CVE-2026-34159",
       "CVE-2026-34197",
-      "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-39987",
       "CVE-2026-40933",
@@ -1273,11 +1272,14 @@
       "CVE-2024-37060",
       "CVE-2025-10164",
       "CVE-2025-1550",
+      "CVE-2025-15556",
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-51480",
       "CVE-2025-8747",
       "CVE-2026-31229",
+      "CVE-2026-33634",
+      "CVE-2026-3502",
       "CVE-2026-45321",
       "CVE-2026-5760",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
@@ -1693,6 +1695,7 @@
     "name": "Unsecured Credentials",
     "version": "v19",
     "cve_refs": [
+      "CVE-2021-22681",
       "CVE-2021-43798",
       "CVE-2023-47117",
       "CVE-2024-12450",
@@ -12115,6 +12118,7 @@
     "_auto_imported": true,
     "_intake_method": "mitre-attack-stix",
     "cve_refs": [
+      "CVE-2021-26828",
       "CVE-2024-1708",
       "CVE-2024-7399",
       "CVE-2025-2749",

package/data/cve-catalog.json

@@ -10402,7 +10402,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1195.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -10423,7 +10423,7 @@
     "cwe_refs": [
       "CWE-494"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://trueconf.com/blog/update/trueconf-8-5",
@@ -10453,11 +10453,21 @@
         "published_date": "2026-04-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-02; due date 2026-04-16. Notes reference: https://trueconf.com/blog/update/trueconf-8-5 ; https://trueconf.com/downloads/windows.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-3502",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.",
+    "iocs": {
+      "behavioral": [
+        "TrueConf Client at a version below the fixed release named in the vendor advisory (for the embedded-malicious-code case, any affected build is suspect regardless of reachability).",
+        "Code or updates fetched by the TrueConf client over an unauthenticated or unverified channel, or unexpected binaries/DLLs loaded by it.",
+        "Anomalous behavior from the TrueConf client — unexpected outbound connections, unexpected process execution, or access beyond its normal scope — consistent with substituted or embedded malicious code (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-3502, CISA KEV (added 2026-04-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1195.002 software supply-chain compromise) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-5281": {
     "name": "Google Dawn Use-After-Free Vulnerability",
@@ -10809,7 +10819,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1195.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -10830,7 +10840,7 @@
     "cwe_refs": [
       "CWE-506"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/advisories/GHSA-69fq-xp46-6x23",
@@ -10859,11 +10869,21 @@
         "published_date": "2026-03-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-26; due date 2026-04-09. Notes reference: This vulnerability involves a supply‑chain compromise in a product that may be used across multiple products and environments. Additional vendor‑provided guidance must be followed to ensure full remed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.",
+    "iocs": {
+      "behavioral": [
+        "Aquasecurity Trivy at a version below the fixed release named in the vendor advisory (for the embedded-malicious-code case, any affected build is suspect regardless of reachability).",
+        "Code or updates fetched by the Trivy scanner over an unauthenticated or unverified channel, or unexpected binaries/DLLs loaded by it.",
+        "Anomalous behavior from the Trivy scanner — unexpected outbound connections, unexpected process execution, or access beyond its normal scope — consistent with substituted or embedded malicious code (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-33634, CISA KEV (added 2026-03-26), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1195.002 software supply-chain compromise) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
@@ -22374,7 +22394,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22395,7 +22416,7 @@
     "cwe_refs": [
       "CWE-287"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.hikvision.com/us-en/support/document-center/special-notices/privilege-escalating-vulnerability-in-certain-hikvision-ip-cameras/",
@@ -22424,11 +22445,21 @@
         "published_date": "2026-03-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://www.hikvision.com/us-en/support/document-center/special-notices/privilege-escalating-vulnerability-in-certain-hikvision-ip-cameras/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-7921",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information.",
+    "iocs": {
+      "behavioral": [
+        "Hikvision IP cameras reachable on the network (especially from IT or the internet) at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Hikvision camera consistent with improper-authentication flaw.",
+        "Unexpected configuration, logic, or account changes on the Hikvision camera, or access to the device from outside its intended OT zone, with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2017-7921, CISA KEV (added 2026-03-05), and the vendor / CISA ICS advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-22681": {
     "name": "Rockwell Multiple Products Insufficient Protected Credentials Vulnerability",
@@ -22470,7 +22501,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22491,7 +22523,7 @@
     "cwe_refs": [
       "CWE-522"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.rockwellautomation.com/app/answers/answer_view/a_id/1130301/~/cve-2021-22681%3A-authentication-bypass-vulnerability-found-in-logix-controllers-",
@@ -22521,11 +22553,21 @@
         "published_date": "2026-03-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-05; due date 2026-03-26. Notes reference: https://support.rockwellautomation.com/app/answers/answer_view/a_id/1130301/~/cve-2021-22681%3A-authentication-bypass-vulnerability-found-in-logix-controllers- ; https://www.cisa.gov/news-events/ics-a",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.",
+    "iocs": {
+      "behavioral": [
+        "Rockwell Automation Logix controllers reachable on the network (especially from IT or the internet) at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Rockwell Logix PLC consistent with insufficiently-protected-credentials flaw.",
+        "Unexpected configuration, logic, or account changes on the Rockwell Logix PLC, or access to the device from outside its intended OT zone, with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-22681, CISA KEV (added 2026-03-05), and the vendor / CISA ICS advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-43000": {
     "name": "Apple Multiple products Use-After-Free Vulnerability",
@@ -24568,7 +24610,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1195.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24589,7 +24631,7 @@
     "cwe_refs": [
       "CWE-494"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://notepad-plus-plus.org/news/clarification-security-incident/",
@@ -24619,11 +24661,21 @@
         "published_date": "2026-02-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-12; due date 2026-03-05. Notes reference: https://notepad-plus-plus.org/news/clarification-security-incident/ ; https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix ; https://nvd.nist.gov/vuln/detail/CVE-2025-1",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user.",
+    "iocs": {
+      "behavioral": [
+        "Notepad++ at a version below the fixed release named in the vendor advisory (for the embedded-malicious-code case, any affected build is suspect regardless of reachability).",
+        "Code or updates fetched by the Notepad++ over an unauthenticated or unverified channel, or unexpected binaries/DLLs loaded by it.",
+        "Anomalous behavior from the Notepad++ — unexpected outbound connections, unexpected process execution, or access beyond its normal scope — consistent with substituted or embedded malicious code (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-15556, CISA KEV (added 2026-02-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1195.002 software supply-chain compromise) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-40536": {
     "name": "SolarWinds Web Help Desk Security Control Bypass Vulnerability",
@@ -29188,7 +29240,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1505.003"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29209,7 +29262,7 @@
     "cwe_refs": [
       "CWE-434"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/SCADA-LTS/Scada-LTS/pull/2174",
@@ -29238,11 +29291,21 @@
         "published_date": "2025-12-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-03; due date 2025-12-24. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.",
+    "iocs": {
+      "behavioral": [
+        "OpenPLC ScadaBR reachable on the network (especially from IT or the internet) at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ScadaBR HMI consistent with unrestricted file-upload flaw.",
+        "Unexpected configuration, logic, or account changes on the ScadaBR HMI, or access to the device from outside its intended OT zone, with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-26828, CISA KEV (added 2025-12-03), and the vendor / CISA ICS advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48633": {
     "name": "Android Framework Information Disclosure Vulnerability",
@@ -29494,7 +29557,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1059.007"
+      "T1059.007",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29515,7 +29579,7 @@
     "cwe_refs": [
       "CWE-79"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/SCADA-LTS/Scada-LTS/pull/3211",
@@ -29544,11 +29608,21 @@
         "published_date": "2025-11-28"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-28; due date 2025-12-19. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.",
+    "iocs": {
+      "behavioral": [
+        "OpenPLC ScadaBR reachable on the network (especially from IT or the internet) at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ScadaBR HMI consistent with cross-site scripting flaw.",
+        "Unexpected configuration, logic, or account changes on the ScadaBR HMI, or access to the device from outside its intended OT zone, with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-26829, CISA KEV (added 2025-11-28), and the vendor / CISA ICS advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-61757": {
     "name": "Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability",