@blamejs/exceptd-skills 0.15.29 → 0.15.31

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.31 — 2026-05-29
+
+Draft-curation pass 28 — internet-facing server-side web applications. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: server-side request forgery in GitLab (CVE-2021-22175, CVE-2021-39935) and Omnissa Workspace ONE UEM (CVE-2021-22054), PaperCut NG/MF authentication bypass (CVE-2023-27351), the Adobe Commerce/Magento "SessionReaper" session-takeover flaw (CVE-2025-54236), Adobe Experience Manager Forms code execution (CVE-2025-54253), and Sitecore ViewState deserialization via a known machine key (CVE-2025-53690). All map T1190, with per-class T1059 (code injection/deserialization) or T1078 (auth bypass/session takeover). The lessons separate the SSRF defense (egress filtering and cloud-metadata blocking as compensating controls) from the RCE/auth defense (web-shell hunting, machine-key rotation, and session invalidation beyond the patch).
+
+## 0.15.30 — 2026-05-29
+
+Draft-curation pass 27 — software supply-chain code integrity. Three CISA KEV-listed CVEs where code is trusted without integrity verification are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the TrueConf client and Notepad++ download code/updates without an integrity check (CVE-2026-3502, CVE-2025-15556), and a Trivy distribution shipped embedded malicious code that runs in the trusted context of the vulnerability scanner (CVE-2026-33634). All map T1195.002 (Compromise Software Supply Chain). The lessons frame the defense as enforced signature and provenance verification — code signing, Sigstore/in-toto, SLSA build provenance, TLS-pinned update channels — rather than patching, and note that response is environment-wide because a compromised updater or scanner reaches every host it runs on.
+
 ## 0.15.29 — 2026-05-29
 
 Draft-curation pass 26 — ICS/OT devices. Four CISA KEV-listed industrial-control and operational-technology CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: OpenPLC ScadaBR SCADA/HMI (CVE-2021-26828 unrestricted file upload, CVE-2021-26829 cross-site scripting), Hikvision IP camera authentication bypass (CVE-2017-7921), and the Rockwell Automation Logix protected-credential weakness (CVE-2021-22681). All map T1190, with per-class T1505.003, T1078, or T1552. The lessons carry an OT-specific framing: these devices frequently cannot be patched on an IT cadence, so the load-bearing controls are IEC 62443 zones-and-conduits segmentation, removal of IT/internet reachability, and OT-network monitoring — and response must validate process/control-logic integrity, not just perform IT cleanup, because compromise can have physical and safety consequences.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T01:46:06.048Z",
+  "generated_at": "2026-05-30T02:25:27.676Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "0f5212a60d6b8f8f0b5861b3a9d7e37c9ed816a218bcf1ae7eb1e0d0c33633e5",
+    "manifest.json": "39901df2e2191434c2001f2d633eec9c78ac5d7878a66447a4ec44fdb71a4d7f",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "5a7f8b7bd744fc05397c9e61925f620cc1edb4d52a39ccc991be044adfe80fc3",
-    "data/cve-catalog.json": "119c5540c49ab7999be6dbaf750281321cca7a86ab0d8379f1e03d21c3fe3177",
+    "data/attack-techniques.json": "fb1569d7aa3426bed85c5e7f641d15eff5a250c8bbccec47e9860739f2d48de3",
+    "data/cve-catalog.json": "e4b099b2454f70a2e4cdd222c82c974480ca68539cb322a8ecc83c48236a652a",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "e8ea9a0126b278a0ecd012e8f23af44c9ccc631f75787919e96023ad8bee5c9a",
+    "data/zeroday-lessons.json": "ffbd67341ec6feb08254dac166499b26c375155d87bd0663620fe5da3d2fffc3",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -329,9 +329,11 @@
       "CVE-2025-49704",
       "CVE-2025-5086",
       "CVE-2025-51480",
+      "CVE-2025-53690",
       "CVE-2025-53773",
       "CVE-2025-54068",
       "CVE-2025-54136",
+      "CVE-2025-54253",
       "CVE-2025-55319",
       "CVE-2025-58034",
       "CVE-2025-60455",
@@ -611,6 +613,7 @@
       "CVE-2025-3935",
       "CVE-2025-4427",
       "CVE-2025-49706",
+      "CVE-2025-54236",
       "CVE-2025-57819",
       "CVE-2025-61757",
       "CVE-2025-6205",
@@ -951,9 +954,12 @@
       "CVE-2020-25078",
       "CVE-2020-25079",
       "CVE-2020-7796",
+      "CVE-2021-22054",
+      "CVE-2021-22175",
       "CVE-2021-22681",
       "CVE-2021-26828",
       "CVE-2021-26829",
+      "CVE-2021-39935",
       "CVE-2021-43798",
       "CVE-2022-1471",
       "CVE-2022-20775",
@@ -962,6 +968,7 @@
       "CVE-2022-40799",
       "CVE-2023-21529",
       "CVE-2023-2533",
+      "CVE-2023-27351",
       "CVE-2023-33538",
       "CVE-2023-3519",
       "CVE-2023-39780",
@@ -1016,7 +1023,6 @@
       "CVE-2025-14611",
       "CVE-2025-14733",
       "CVE-2025-14847",
-      "CVE-2025-15556",
       "CVE-2025-1796",
       "CVE-2025-20281",
       "CVE-2025-20333",
@@ -1173,10 +1179,8 @@
       "CVE-2026-32201",
       "CVE-2026-32202",
       "CVE-2026-33017",
-      "CVE-2026-33634",
       "CVE-2026-34159",
       "CVE-2026-34197",
-      "CVE-2026-3502",
       "CVE-2026-35616",
       "CVE-2026-39987",
       "CVE-2026-40933",
@@ -1275,11 +1279,14 @@
       "CVE-2024-37060",
       "CVE-2025-10164",
       "CVE-2025-1550",
+      "CVE-2025-15556",
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-51480",
       "CVE-2025-8747",
       "CVE-2026-31229",
+      "CVE-2026-33634",
+      "CVE-2026-3502",
       "CVE-2026-45321",
       "CVE-2026-5760",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG",

package/data/cve-catalog.json

@@ -8597,7 +8597,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -8618,7 +8619,7 @@
     "cwe_refs": [
       "CWE-287"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.papercut.com/kb/Main/PO-1216-and-PO-1219",
@@ -8647,11 +8648,21 @@
         "published_date": "2026-04-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-05-04. Notes reference: https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 ; https://nvd.nist.gov/vuln/detail/CVE-2023-27351",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class.",
+    "iocs": {
+      "behavioral": [
+        "PaperCut NG/MF reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the PaperCut consistent with improper-authentication flaw.",
+        "Post-exploitation indicators on the PaperCut — web shells, unexpected process execution, session/admin takeover, or use of forged key material — with no matching legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-27351, CISA KEV (added 2026-04-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48700": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability",
@@ -10402,7 +10413,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1195.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -10423,7 +10434,7 @@
     "cwe_refs": [
       "CWE-494"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://trueconf.com/blog/update/trueconf-8-5",
@@ -10453,11 +10464,21 @@
         "published_date": "2026-04-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-02; due date 2026-04-16. Notes reference: https://trueconf.com/blog/update/trueconf-8-5 ; https://trueconf.com/downloads/windows.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-3502",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "TrueConf Client contains a download of code without integrity check vulnerability. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user.",
+    "iocs": {
+      "behavioral": [
+        "TrueConf Client at a version below the fixed release named in the vendor advisory (for the embedded-malicious-code case, any affected build is suspect regardless of reachability).",
+        "Code or updates fetched by the TrueConf client over an unauthenticated or unverified channel, or unexpected binaries/DLLs loaded by it.",
+        "Anomalous behavior from the TrueConf client — unexpected outbound connections, unexpected process execution, or access beyond its normal scope — consistent with substituted or embedded malicious code (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-3502, CISA KEV (added 2026-04-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1195.002 software supply-chain compromise) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-5281": {
     "name": "Google Dawn Use-After-Free Vulnerability",
@@ -10809,7 +10830,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1195.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -10830,7 +10851,7 @@
     "cwe_refs": [
       "CWE-506"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/advisories/GHSA-69fq-xp46-6x23",
@@ -10859,11 +10880,21 @@
         "published_date": "2026-03-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-26; due date 2026-04-09. Notes reference: This vulnerability involves a supply‑chain compromise in a product that may be used across multiple products and environments. Additional vendor‑provided guidance must be followed to ensure full remed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.",
+    "iocs": {
+      "behavioral": [
+        "Aquasecurity Trivy at a version below the fixed release named in the vendor advisory (for the embedded-malicious-code case, any affected build is suspect regardless of reachability).",
+        "Code or updates fetched by the Trivy scanner over an unauthenticated or unverified channel, or unexpected binaries/DLLs loaded by it.",
+        "Anomalous behavior from the Trivy scanner — unexpected outbound connections, unexpected process execution, or access beyond its normal scope — consistent with substituted or embedded malicious code (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-33634, CISA KEV (added 2026-03-26), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1195.002 software supply-chain compromise) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
@@ -22063,7 +22094,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22084,7 +22116,7 @@
     "cwe_refs": [
       "CWE-918"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://web.archive.org/web/20211222154335/https://www.vmware.com/security/advisories/VMSA-2021-0029.html",
@@ -22113,11 +22145,21 @@
         "published_date": "2026-03-09"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-09; due date 2026-03-23. Notes reference: https://web.archive.org/web/20211222154335/https://www.vmware.com/security/advisories/VMSA-2021-0029.html ; https://nvd.nist.gov/vuln/detail/CVE-2021-22054",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Omnissa Workspace One UEM formerly known as VMware Workspace One UEM contains a server-side request forgery (SSRF) vulnerability that could allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Omnissa Workspace One UEM formerly known as VMware Workspace One UEM contains a server-side request forgery (SSRF) vulnerability that could allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.",
+    "iocs": {
+      "behavioral": [
+        "Omnissa Workspace ONE UEM reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Workspace ONE UEM consistent with server-side request forgery flaw.",
+        "The Workspace ONE UEM making outbound requests to internal or cloud-metadata endpoints on attacker input, with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-22054, CISA KEV (added 2026-03-09), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-26399": {
     "name": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability",
@@ -23656,7 +23698,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -23677,7 +23720,7 @@
     "cwe_refs": [
       "CWE-918"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22175.json",
@@ -23706,11 +23749,21 @@
         "published_date": "2026-02-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-18; due date 2026-03-11. Notes reference: https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22175.json ; https://nvd.nist.gov/vuln/detail/CVE-2021-22175",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled.",
+    "iocs": {
+      "behavioral": [
+        "GitLab reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the GitLab consistent with server-side request forgery flaw.",
+        "The GitLab making outbound requests to internal or cloud-metadata endpoints on attacker input, with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-22175, CISA KEV (added 2026-02-18), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-22769": {
     "name": "Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability",
@@ -24590,7 +24643,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1195.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24611,7 +24664,7 @@
     "cwe_refs": [
       "CWE-494"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://notepad-plus-plus.org/news/clarification-security-incident/",
@@ -24641,11 +24694,21 @@
         "published_date": "2026-02-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-12; due date 2026-03-05. Notes reference: https://notepad-plus-plus.org/news/clarification-security-incident/ ; https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix ; https://nvd.nist.gov/vuln/detail/CVE-2025-1",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Notepad++ when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an attacker-controlled installer. This could lead to arbitrary code execution with the privileges of the user.",
+    "iocs": {
+      "behavioral": [
+        "Notepad++ at a version below the fixed release named in the vendor advisory (for the embedded-malicious-code case, any affected build is suspect regardless of reachability).",
+        "Code or updates fetched by the Notepad++ over an unauthenticated or unverified channel, or unexpected binaries/DLLs loaded by it.",
+        "Anomalous behavior from the Notepad++ — unexpected outbound connections, unexpected process execution, or access beyond its normal scope — consistent with substituted or embedded malicious code (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-15556, CISA KEV (added 2026-02-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1195.002 software supply-chain compromise) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-40536": {
     "name": "SolarWinds Web Help Desk Security Control Bypass Vulnerability",
@@ -25618,7 +25681,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25639,7 +25703,7 @@
     "cwe_refs": [
       "CWE-918"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/",
@@ -25668,11 +25732,21 @@
         "published_date": "2026-02-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-03; due date 2026-02-24. Notes reference: https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2021-39935",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API. ",
+    "iocs": {
+      "behavioral": [
+        "GitLab Community and Enterprise Editions reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the GitLab consistent with server-side request forgery flaw.",
+        "The GitLab making outbound requests to internal or cloud-metadata endpoints on attacker input, with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-39935, CISA KEV (added 2026-02-03), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-64328": {
     "name": "Sangoma FreePBX OS Command Injection Vulnerability",
@@ -31082,7 +31156,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -31103,7 +31178,7 @@
     "cwe_refs": [
       "CWE-20"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397",
@@ -31132,11 +31207,21 @@
         "published_date": "2025-10-24"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-24; due date 2025-11-14. Notes reference: https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54236",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.",
+    "iocs": {
+      "behavioral": [
+        "Adobe Commerce and Magento reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Adobe Commerce / Magento consistent with improper-input-validation flaw.",
+        "Post-exploitation indicators on the Adobe Commerce / Magento — web shells, unexpected process execution, session/admin takeover, or use of forged key material — with no matching legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-54236, CISA KEV (added 2025-10-24), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-59287": {
     "name": "Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability",
@@ -31897,7 +31982,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -31918,7 +32004,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html",
@@ -31947,11 +32033,21 @@
         "published_date": "2025-10-15"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-15; due date 2025-11-05. Notes reference: https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-54253",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution.",
+    "iocs": {
+      "behavioral": [
+        "Adobe Experience Manager Forms reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the AEM Forms consistent with code-execution flaw.",
+        "Post-exploitation indicators on the AEM Forms — web shells, unexpected process execution, session/admin takeover, or use of forged key material — with no matching legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-54253, CISA KEV (added 2025-10-15), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-47827": {
     "name": "IGEL OS Use of a Key Past its Expiration Date Vulnerability",
@@ -34766,7 +34862,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34787,7 +34884,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865",
@@ -34816,11 +34913,21 @@
         "published_date": "2025-09-04"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-04; due date 2025-09-25. Notes reference: https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865 ; https://nvd.nist.gov/vuln/detail/CVE-2025-53690",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution. ",
+    "iocs": {
+      "behavioral": [
+        "Sitecore reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Sitecore consistent with deserialization-of-untrusted-data flaw.",
+        "Post-exploitation indicators on the Sitecore — web shells, unexpected process execution, session/admin takeover, or use of forged key material — with no matching legitimate login (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-53690, CISA KEV (added 2025-09-04), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-50224": {
     "name": "TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability",