npm - @blamejs/exceptd-skills - Versions diffs - 0.15.28 → 0.15.30 - Mend

@blamejs/exceptd-skills 0.15.28 → 0.15.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +7 -3
package/data/cve-catalog.json +116 -42
package/data/zeroday-lessons.json +300 -104
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/data/zeroday-lessons.json CHANGED Viewed

@@ -8313,35 +8313,63 @@
   },
   "CVE-2026-3502": {
     "name": "TrueConf Client Download of Code Without Integrity Check Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "the TrueConf client downloads code/updates without verifying their integrity (CWE-494), letting an attacker who can influence the download channel (a hijacked update endpoint or machine-in-the-middle) substitute malicious code that runs on the client. CISA KEV-listed 2026-04-02 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the attacker influences the download/update channel or the shipped artifact; no authentication to the victim is required)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Enforce cryptographic integrity verification on all downloaded code and updates (code signing with signature verification, Sigstore/in-toto, TLS-pinned update channels); for the embedded-malicious-code case, verify build provenance (SLSA) and pin/verify the tool's release artifacts before use.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 SR-11 / NIST SSDF 800-218 / SLSA",
+        "adequacy": "Signature and provenance verification is the definitive control; the flaw exists precisely because it was absent or unenforced — patching the version does not retroactively restore trust in artifacts already installed."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring for unexpected code/DLLs loaded by the TrueConf client, updates fetched over unauthenticated channels, and anomalous outbound connections or process execution from the tool.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because supply-chain substitution is silent — the tool runs as expected while the embedded/substituted code executes alongside it."
+      },
+      "response": {
+        "what_would_have_worked": "Pull the affected version, reinstall from a verified-signed release, rotate any credentials the compromised process could reach, and audit every host where the tool ran — a compromised updater or scanner has broad reach.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; supply-chain compromise propagates through every host that ran the tainted code, so response is environment-wide, not host-local."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-53-SR-11": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "Component authenticity / anti-counterfeit is named, but verification is not enforced at install/update time — these products fetched or shipped code without a verified signature, so the control is paper unless signed-artifact verification (Sigstore/in-toto) is mandated at the download step."
       },
-      "ISO-27001-2022-A.8.8": {
+      "NIST-SSDF-800-218-PS.2": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "The SSDF calls for protecting release integrity and providing provenance, but downstream consumers had no enforced way to verify it; without signed releases plus provenance a consumer cannot detect substitution or embedded malicious code."
+      },
+      "SLSA-build-provenance": {
+        "covered": true,
+        "adequate": false,
+        "gap": "SLSA build provenance and signed releases would let a consumer detect tampering or substitution; absent enforced verification at the download/update step the trust gap remains open."
+      },
+      "EU-CRA-secure-update": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The EU Cyber Resilience Act requires secure update mechanisms and shipping without known exploitable defects; an unauthenticated download path or embedded malicious code violates the secure-update and integrity expectations."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 77,
+      "basis": "Software-distribution and update integrity is widely assumed rather than verified; audited organizations that install vendor updates or run security tooling without enforcing signature/provenance verification are exposed to substitution and embedded-malicious-code attacks — and a compromised updater or scanner reaches every host it touches.",
+      "theater_pattern": "update_channel_integrity_unverified"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-5281": {
     "name": "Google Dawn Use-After-Free Vulnerability",
@@ -8492,35 +8520,63 @@
   },
   "CVE-2026-33634": {
     "name": "Aquasecurity Trivy Embedded Malicious Code Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a Trivy distribution/component contained embedded malicious code (CWE-506), executing in the trusted context of the vulnerability scanner across every environment it runs in. CISA KEV-listed 2026-03-26 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the attacker influences the download/update channel or the shipped artifact; no authentication to the victim is required)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Enforce cryptographic integrity verification on all downloaded code and updates (code signing with signature verification, Sigstore/in-toto, TLS-pinned update channels); for the embedded-malicious-code case, verify build provenance (SLSA) and pin/verify the tool's release artifacts before use.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 SR-11 / NIST SSDF 800-218 / SLSA",
+        "adequacy": "Signature and provenance verification is the definitive control; the flaw exists precisely because it was absent or unenforced — patching the version does not retroactively restore trust in artifacts already installed."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring for unexpected code/DLLs loaded by the Trivy scanner, updates fetched over unauthenticated channels, and anomalous outbound connections or process execution from the tool.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because supply-chain substitution is silent — the tool runs as expected while the embedded/substituted code executes alongside it."
+      },
+      "response": {
+        "what_would_have_worked": "Pull the affected version, reinstall from a verified-signed release, rotate any credentials the compromised process could reach, and audit every host where the tool ran — a compromised updater or scanner has broad reach.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; supply-chain compromise propagates through every host that ran the tainted code, so response is environment-wide, not host-local."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-53-SR-11": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "Component authenticity / anti-counterfeit is named, but verification is not enforced at install/update time — these products fetched or shipped code without a verified signature, so the control is paper unless signed-artifact verification (Sigstore/in-toto) is mandated at the download step."
       },
-      "ISO-27001-2022-A.8.8": {
+      "NIST-SSDF-800-218-PS.2": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "The SSDF calls for protecting release integrity and providing provenance, but downstream consumers had no enforced way to verify it; without signed releases plus provenance a consumer cannot detect substitution or embedded malicious code."
+      },
+      "SLSA-build-provenance": {
+        "covered": true,
+        "adequate": false,
+        "gap": "SLSA build provenance and signed releases would let a consumer detect tampering or substitution; absent enforced verification at the download/update step the trust gap remains open."
+      },
+      "EU-CRA-secure-update": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The EU Cyber Resilience Act requires secure update mechanisms and shipping without known exploitable defects; an unauthenticated download path or embedded malicious code violates the secure-update and integrity expectations."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 77,
+      "basis": "Software-distribution and update integrity is widely assumed rather than verified; audited organizations that install vendor updates or run security tooling without enforcing signature/provenance verification are exposed to substitution and embedded-malicious-code attacks — and a compromised updater or scanner reaches every host it touches.",
+      "theater_pattern": "update_channel_integrity_unverified"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-25592": {
     "name": "Microsoft Semantic Kernel SessionsPythonPlugin Path Traversal — Prompt-Injection to Host RCE",
@@ -11923,67 +11979,123 @@
   },
   "CVE-2017-7921": {
     "name": "Hikvision Multiple Products Improper Authentication Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-authentication flaw (CWE-287) on Hikvision IP cameras, letting an unauthenticated attacker escalate to administrator and access the device and its video feed. CISA KEV-listed 2026-03-05 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the Hikvision camera, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Hikvision IP cameras is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2021-22681": {
     "name": "Rockwell Multiple Products Insufficient Protected Credentials Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an insufficiently-protected-credentials flaw (CWE-522) in the Studio 5000 / Logix secret-key handling, letting an unauthenticated attacker bypass authentication and connect to the PLC to alter its configuration or control logic. CISA KEV-listed 2026-03-05 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the Rockwell Logix PLC, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "Rockwell Automation Logix controllers is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2023-43000": {
     "name": "Apple Multiple products Use-After-Free Vulnerability",
@@ -12985,35 +13097,63 @@
   },
   "CVE-2025-15556": {
     "name": "Notepad++ Download of Code Without Integrity Check Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "Notepad++ downloads code/components without an integrity check (CWE-494), enabling malicious-code substitution via a tampered download or planted binary for execution on the host. CISA KEV-listed 2026-02-12 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the attacker influences the download/update channel or the shipped artifact; no authentication to the victim is required)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Enforce cryptographic integrity verification on all downloaded code and updates (code signing with signature verification, Sigstore/in-toto, TLS-pinned update channels); for the embedded-malicious-code case, verify build provenance (SLSA) and pin/verify the tool's release artifacts before use.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 SR-11 / NIST SSDF 800-218 / SLSA",
+        "adequacy": "Signature and provenance verification is the definitive control; the flaw exists precisely because it was absent or unenforced — patching the version does not retroactively restore trust in artifacts already installed."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring for unexpected code/DLLs loaded by the Notepad++, updates fetched over unauthenticated channels, and anomalous outbound connections or process execution from the tool.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because supply-chain substitution is silent — the tool runs as expected while the embedded/substituted code executes alongside it."
+      },
+      "response": {
+        "what_would_have_worked": "Pull the affected version, reinstall from a verified-signed release, rotate any credentials the compromised process could reach, and audit every host where the tool ran — a compromised updater or scanner has broad reach.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; supply-chain compromise propagates through every host that ran the tainted code, so response is environment-wide, not host-local."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-53-SR-11": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "Component authenticity / anti-counterfeit is named, but verification is not enforced at install/update time — these products fetched or shipped code without a verified signature, so the control is paper unless signed-artifact verification (Sigstore/in-toto) is mandated at the download step."
       },
-      "ISO-27001-2022-A.8.8": {
+      "NIST-SSDF-800-218-PS.2": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "The SSDF calls for protecting release integrity and providing provenance, but downstream consumers had no enforced way to verify it; without signed releases plus provenance a consumer cannot detect substitution or embedded malicious code."
+      },
+      "SLSA-build-provenance": {
+        "covered": true,
+        "adequate": false,
+        "gap": "SLSA build provenance and signed releases would let a consumer detect tampering or substitution; absent enforced verification at the download/update step the trust gap remains open."
+      },
+      "EU-CRA-secure-update": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The EU Cyber Resilience Act requires secure update mechanisms and shipping without known exploitable defects; an unauthenticated download path or embedded malicious code violates the secure-update and integrity expectations."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 77,
+      "basis": "Software-distribution and update integrity is widely assumed rather than verified; audited organizations that install vendor updates or run security tooling without enforcing signature/provenance verification are exposed to substitution and embedded-malicious-code attacks — and a compromised updater or scanner reaches every host it touches.",
+      "theater_pattern": "update_channel_integrity_unverified"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-40536": {
     "name": "SolarWinds Web Help Desk Security Control Bypass Vulnerability",
@@ -15103,35 +15243,63 @@
   },
   "CVE-2021-26828": {
     "name": "OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an unrestricted file-upload flaw (CWE-434) on the ScadaBR SCADA/HMI web interface, letting an unauthenticated attacker upload a file (e.g. a web shell) for code execution on the HMI server. CISA KEV-listed 2025-12-03 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the ScadaBR HMI, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "OpenPLC ScadaBR is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-48633": {
     "name": "Android Framework Information Disclosure Vulnerability",
@@ -15245,35 +15413,63 @@
   },
   "CVE-2021-26829": {
     "name": "OpenPLC ScadaBR Cross-site Scripting Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a cross-site scripting flaw (CWE-79) on the ScadaBR SCADA/HMI web interface, letting an attacker run script in an operator's authenticated session. CISA KEV-listed 2025-11-28 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the device is reachable by an unauthenticated attacker; exposure is amplified when the OT zone is not segmented)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor firmware/update where one exists; where the device cannot be patched, isolate it in a segmented OT zone (zones-and-conduits / Purdue model), block all IT and internet reachability, and restrict access to authenticated engineering workstations.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation) + IEC 62443-3-3",
+        "adequacy": "Patching is often impossible on OT; segmentation and access restriction are the real controls, and a flat or internet-exposed OT network defeats them."
+      },
+      "detection": {
+        "what_would_have_worked": "OT-network monitoring for unauthorized connections to the ScadaBR HMI, unexpected configuration/logic changes, and access from outside the device's intended zone.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because unpatched OT devices may stay exploitable indefinitely; behavioral detection is the backstop."
+      },
+      "response": {
+        "what_would_have_worked": "Isolate the device, validate and restore its configuration/logic from a known-good baseline, rotate any credentials/keys it held, and investigate for safety-impacting manipulation; engage OT/safety engineering before any change.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-82r3 + NIST 800-53 IR-4",
+        "adequacy": "Mandatory; OT compromise can have physical/safety consequences, so response must include process-integrity validation, not just IT cleanup."
+      }
     },
     "framework_coverage": {
-      "NIST-800-53-SI-2": {
+      "NIST-800-82r3-ICS": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "OT/ICS devices often cannot be patched on an IT cadence (availability and safety constraints, vendor re-certification), so the exposure window for a KEV-listed flaw is months-to-years; the standard treats patching as primary but for OT the load-bearing control is network segmentation and access restriction."
+      },
+      "IEC-62443-3-3-zones-conduits": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Zones-and-conduits segmentation is required, but it is frequently unimplemented or bypassed (flat OT networks, internet-exposed HMIs/cameras/PLCs); the device itself is exploitable whenever it is reachable, and the standard does not force a compromised-device response plan."
+      },
+      "NIS2-Art21-OT": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats OT/ICS as essential-function infrastructure but lacks a device-level compressed remediation expectation and does not address the reality that many OT devices are end-of-life or unpatchable and must be isolated rather than fixed."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined and ill-suited to OT, where patching may be impossible; compensating controls (segmentation, monitoring, restricted engineering-workstation access) carry the load and must be explicit."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "OpenPLC ScadaBR is OT/ICS equipment that frequently cannot be patched on an IT cadence and is often reachable on flat or internet-exposed networks; audited organizations that rely on a patch SLA rather than enforced segmentation remain exposed for this KEV-listed, actively-exploited flaw.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-61757": {
     "name": "Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability",