@blamejs/exceptd-skills 0.15.3 → 0.15.4

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 0.15.4 — 2026-05-29
+
+Draft-curation pass 2. Eight more CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons — the network-service authentication-bypass and code-injection class: Ivanti EPMM (CVE-2026-1281), SmarterTools SmarterMail auth bypass (CVE-2026-23760) and missing-auth (CVE-2026-24423), Cisco Unified Communications code injection (CVE-2026-20045), cPanel & WHM / WP2 missing authentication (CVE-2026-41940), Ivanti EPM authentication bypass (CVE-2026-1603), Cisco Catalyst SD-WAN improper authentication (CVE-2026-20127), and Fortinet multi-product authentication bypass (CVE-2026-24858).
+
+The catalog-gap `temporal-staleness` class no longer counts a passed CISA KEV due-date. That date is a fixed external operator-remediation deadline, not a measure of whether a catalog entry's data is current — every historical KEV entry's due-date passes by calendar. The class now reflects only maintainer-controllable data-freshness (source verification, last-updated, and EPSS recency), so `exceptd`'s gap audit no longer reports every aged KEV entry as stale.
+
 ## 0.15.3 — 2026-05-29
 
 Draft-curation pass (1 of an ongoing series). Eight CISA KEV-listed CVE entries that were carried as auto-imported drafts are promoted to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Apache ActiveMQ (CVE-2026-34197), Microsoft SharePoint deserialization (CVE-2026-20963), BeyondTrust RS/PRA command injection (CVE-2026-1731), Fortinet FortiClient EMS SQL injection (CVE-2026-21643), Ivanti EPMM code injection (CVE-2026-1340), Cisco Secure Firewall Management Center deserialization (CVE-2026-20131), Broadcom VMware Aria Operations command injection (CVE-2026-22719), and Soliton FileZen command injection (CVE-2026-25108). The CVSS, KEV status, and vendor advisories were retained from the verified import; curation adds detection and response guidance.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T15:42:14.664Z",
+  "generated_at": "2026-05-29T16:17:03.003Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "e8e97bbe842dcab1f5fcde056ec1afc32a3c2ce6b9ddd7ee29a0fee8c606b9b1",
+    "manifest.json": "6890a34b6c35eb92b41a78659b2ac070023943602061fd0285da67ae0c8b8700",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "a55232127999ce6aed914016e7a8eab5104cb1142fe2196c9e6d4daf975a41c0",
-    "data/cve-catalog.json": "3dcdbf16b8c33352526399070142a65a077d1d8d39ce8283bda1d7fb5aa39852",
+    "data/attack-techniques.json": "ecf58df3bb4828d160c489ec8bba98aef9f7f66eca9bfdd569ed4839178a6a78",
+    "data/cve-catalog.json": "b25afd0b41e24cdb15e3c792e9fd12e2fbdc10975541e39328a41bd25693edee",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "3ae4273d8d79b787bc5053da3de1aedab043ef97e1098e39be19975114f12ff9",
+    "data/zeroday-lessons.json": "4435378f8b4870e1088843e78adf69ea22c8b27e21969db061ebea56da412639",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -322,8 +322,10 @@
       "CVE-2025-68668",
       "CVE-2025-8747",
       "CVE-2026-0766",
+      "CVE-2026-1281",
       "CVE-2026-1340",
       "CVE-2026-1731",
+      "CVE-2026-20045",
       "CVE-2026-21858",
       "CVE-2026-21877",
       "CVE-2026-22252",
@@ -562,6 +564,7 @@
       "CVE-2026-20127",
       "CVE-2026-20182",
       "CVE-2026-21858",
+      "CVE-2026-23760",
       "CVE-2026-24061",
       "CVE-2026-24423",
       "CVE-2026-24858",
@@ -1067,9 +1070,11 @@
       "CVE-2026-0766",
       "CVE-2026-1281",
       "CVE-2026-1340",
+      "CVE-2026-1603",
       "CVE-2026-1731",
       "CVE-2026-20045",
       "CVE-2026-20122",
+      "CVE-2026-20127",
       "CVE-2026-20128",
       "CVE-2026-20131",
       "CVE-2026-20133",
@@ -1099,6 +1104,8 @@
       "CVE-2026-24213",
       "CVE-2026-24214",
       "CVE-2026-24215",
+      "CVE-2026-24423",
+      "CVE-2026-24858",
       "CVE-2026-25108",
       "CVE-2026-26015",
       "CVE-2026-26190",
@@ -1121,6 +1128,7 @@
       "CVE-2026-3910",
       "CVE-2026-39987",
       "CVE-2026-40933",
+      "CVE-2026-41940",
       "CVE-2026-41947",
       "CVE-2026-41950",
       "CVE-2026-42208",

package/data/cve-catalog.json

@@ -7619,7 +7619,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -7640,7 +7641,7 @@
     "cwe_refs": [
       "CWE-306"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026",
@@ -7671,11 +7672,21 @@
         "published_date": "2026-04-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-30; due date 2026-05-03. Notes reference: https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 ; https://docs.cpanel.net/release-notes/release-notes/ ; https://docs.wpsquared.com/changelogs/version",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.",
+    "iocs": {
+      "behavioral": [
+        "WebPros cPanel & WHM / WP2 reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the cPanel/WHM management surface consistent with missing authentication for a critical function (CWE-306) on the cPanel & WHM / WP2 management surface, reachable by an unauthenticated attacker.",
+        "Unexpected access, command/code execution, or new accounts on the cPanel/WHM management surface with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-41940, CISA KEV (added 2026-04-30), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-1708": {
     "name": "ConnectWise ScreenConnect Path Traversal Vulnerability",
@@ -21850,7 +21861,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21871,7 +21883,7 @@
     "cwe_refs": [
       "CWE-288"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US",
@@ -21900,11 +21912,21 @@
         "published_date": "2026-03-09"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-09; due date 2026-03-23. Notes reference: https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2026-1603",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.",
+    "iocs": {
+      "behavioral": [
+        "Ivanti Endpoint Manager (EPM) reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the EPM management surface consistent with authentication bypass (CWE-288) granting an unauthenticated attacker access to the Ivanti Endpoint Manager surface.",
+        "Unexpected access, command/code execution, or new accounts on the EPM management surface with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-1603, CISA KEV (added 2026-03-09), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2017-7921": {
     "name": "Hikvision Multiple Products Improper Authentication Vulnerability",
@@ -22732,7 +22754,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22753,7 +22776,7 @@
     "cwe_refs": [
       "CWE-287"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems",
@@ -22784,11 +22807,21 @@
         "published_date": "2026-02-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-25; due date 2026-02-27. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Catalyst SD-WAN Controller / Manager reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the Catalyst SD-WAN management plane consistent with improper authentication (CWE-287) on the Catalyst SD-WAN Controller/Manager, letting an unauthenticated attacker bypass authentication to the management plane.",
+        "Unexpected access, command/code execution, or new accounts on the Catalyst SD-WAN management plane with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20127, CISA KEV (added 2026-02-25), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-25108": {
     "name": "Soliton Systems K.K FileZen OS Command Injection Vulnerability",
@@ -24881,7 +24914,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -24902,7 +24936,7 @@
     "cwe_refs": [
       "CWE-306"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.smartertools.com/smartermail/release-notes/current",
@@ -24932,11 +24966,21 @@
         "published_date": "2026-02-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-05; due date 2026-02-26. Notes reference: https://www.smartertools.com/smartermail/release-notes/current ; https://www.cve.org/CVERecord?id=CVE-2026-24423 ; https://nvd.nist.gov/vuln/detail/CVE-2026-24423",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution. ",
+    "iocs": {
+      "behavioral": [
+        "SmarterTools SmarterMail reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the SmarterMail server consistent with missing authentication for a critical function (CWE-306) on SmarterMail, reachable by an unauthenticated attacker.",
+        "Unexpected access, command/code execution, or new accounts on the SmarterMail server with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-24423, CISA KEV (added 2026-02-05), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-39935": {
     "name": "GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability",
@@ -25361,7 +25405,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25382,7 +25427,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340",
@@ -25413,11 +25458,21 @@
         "published_date": "2026-01-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-29; due date 2026-02-01. Notes reference: Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.",
+    "iocs": {
+      "behavioral": [
+        "Ivanti Endpoint Manager Mobile (EPMM) reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the EPMM management surface consistent with code injection (CWE-94) yielding unauthenticated remote code execution on the EPMM management surface.",
+        "Unexpected access, command/code execution, or new accounts on the EPMM management surface with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-1281, CISA KEV (added 2026-01-29), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-24858": {
     "name": "Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability",
@@ -25459,7 +25514,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25480,7 +25536,7 @@
     "cwe_refs": [
       "CWE-288"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-26-060",
@@ -25510,11 +25566,21 @@
         "published_date": "2026-01-27"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-27; due date 2026-01-30. Notes reference: Please adhere to Fortinet's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Fortinet products affected by this vulnerability. Apply",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet (multiple products) reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the Fortinet management surface consistent with authentication bypass using an alternate path or channel (CWE-288) across multiple Fortinet products.",
+        "Unexpected access, command/code execution, or new accounts on the Fortinet management surface with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-24858, CISA KEV (added 2026-01-27), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2018-14634": {
     "name": "Linux Kernel Integer Overflow Vulnerability",
@@ -25755,7 +25821,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -25776,7 +25843,7 @@
     "cwe_refs": [
       "CWE-288"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.smartertools.com/smartermail/release-notes/current",
@@ -25805,11 +25872,21 @@
         "published_date": "2026-01-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: https://www.smartertools.com/smartermail/release-notes/current ; https://nvd.nist.gov/vuln/detail/CVE-2026-23760",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.",
+    "iocs": {
+      "behavioral": [
+        "SmarterTools SmarterMail reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the SmarterMail mail server consistent with authentication bypass using an alternate path or channel (CWE-288), granting unauthenticated access to the mail server.",
+        "Unexpected access, command/code execution, or new accounts on the SmarterMail mail server with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-23760, CISA KEV (added 2026-01-26), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-24061": {
     "name": "GNU InetUtils Argument Injection Vulnerability",
@@ -26527,7 +26604,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -26548,7 +26626,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b",
@@ -26577,11 +26655,21 @@
         "published_date": "2026-01-21"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-21; due date 2026-02-11. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b ; https://nvd.nist.gov/vuln/detail/CVE-2026-20045",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Unified Communications products reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the Unified Communications management surface consistent with code injection (CWE-94) yielding remote code execution on the Cisco Unified Communications product.",
+        "Unexpected access, command/code execution, or new accounts on the Unified Communications management surface with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20045, CISA KEV (added 2026-01-21), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20805": {
     "name": "Microsoft Windows Information Disclosure Vulnerability",