@blamejs/exceptd-skills 0.15.3 → 0.15.5

package/data/cve-catalog.json

@@ -7619,7 +7619,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -7640,7 +7641,7 @@
     "cwe_refs": [
       "CWE-306"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026",
@@ -7671,11 +7672,21 @@
         "published_date": "2026-04-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-30; due date 2026-05-03. Notes reference: https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026 ; https://docs.cpanel.net/release-notes/release-notes/ ; https://docs.wpsquared.com/changelogs/version",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.",
+    "iocs": {
+      "behavioral": [
+        "WebPros cPanel & WHM / WP2 reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the cPanel/WHM management surface consistent with missing authentication for a critical function (CWE-306) on the cPanel & WHM / WP2 management surface, reachable by an unauthenticated attacker.",
+        "Unexpected access, command/code execution, or new accounts on the cPanel/WHM management surface with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-41940, CISA KEV (added 2026-04-30), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-1708": {
     "name": "ConnectWise ScreenConnect Path Traversal Vulnerability",
@@ -9863,7 +9874,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -9884,7 +9895,7 @@
     "cwe_refs": [
       "CWE-1321"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://helpx.adobe.com/security/products/acrobat/apsb26-43.html",
@@ -9913,11 +9924,21 @@
         "published_date": "2026-04-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-13; due date 2026-04-27. Notes reference: https://helpx.adobe.com/security/products/acrobat/apsb26-43.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-34621",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.",
+    "iocs": {
+      "behavioral": [
+        "Adobe Acrobat and Reader below the patched build on an endpoint exposed to a crafted PDF document.",
+        "Renderer/process crashes consistent with a prototype-pollution flaw (CWE-1321) in Acrobat/Reader enabling arbitrary code execution when a crafted PDF is opened when processing a crafted PDF document.",
+        "Delivery of a crafted PDF document immediately preceding anomalous child-process spawning from the PDF reader (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-34621, CISA KEV (added 2026-04-13), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-1340": {
     "name": "Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability",
@@ -10281,7 +10302,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html",
@@ -10310,11 +10331,21 @@
         "published_date": "2026-04-01"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-01; due date 2026-04-15. Notes reference: This vulnerability affects an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://ch",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Dawn contains an use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Google Dawn contains an use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "iocs": {
+      "behavioral": [
+        "Google Chrome (Dawn / WebGPU) below the patched build on an endpoint exposed to attacker-controlled web content after a renderer compromise.",
+        "Renderer/process crashes consistent with a use-after-free in Dawn / WebGPU (CWE-416) usable by an attacker who has already compromised the renderer, as a sandbox-escape step in an exploit chain when processing attacker-controlled web content after a renderer compromise.",
+        "Delivery of attacker-controlled web content after a renderer compromise immediately preceding anomalous child-process spawning from the browser renderer / GPU process (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-5281, CISA KEV (added 2026-04-01), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-3055": {
     "name": "Citrix NetScaler Out-of-Bounds Read Vulnerability",
@@ -21370,7 +21401,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21391,7 +21422,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html",
@@ -21420,11 +21451,21 @@
         "published_date": "2026-03-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-13; due date 2026-03-27. Notes reference: https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html ; https://nvd.nist.gov/vuln/detail/CVE-2026-3910",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
+    "iocs": {
+      "behavioral": [
+        "Google Chrome (V8 JavaScript engine) below the patched build on an endpoint exposed to crafted web content.",
+        "Renderer/process crashes consistent with an out-of-bounds memory access in the V8 JavaScript engine (CWE-119) when processing crafted web content.",
+        "Delivery of crafted web content immediately preceding anomalous child-process spawning from the browser renderer (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-3910, CISA KEV (added 2026-03-13), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-3909": {
     "name": "Google Skia Out-of-Bounds Write Vulnerability",
@@ -21466,7 +21507,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21487,7 +21528,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html",
@@ -21516,11 +21557,21 @@
         "published_date": "2026-03-13"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-13; due date 2026-03-27. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For mor",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.",
+    "iocs": {
+      "behavioral": [
+        "Google Chrome (Skia graphics library) below the patched build on an endpoint exposed to attacker-controlled web content.",
+        "Renderer/process crashes consistent with an out-of-bounds write in the Skia graphics library (CWE-787) when processing attacker-controlled web content.",
+        "Delivery of attacker-controlled web content immediately preceding anomalous child-process spawning from the browser renderer (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-3909, CISA KEV (added 2026-03-13), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1203 client execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-68613": {
     "name": "n8n Improper Control of Dynamically-Managed Code Resources Vulnerability",
@@ -21850,7 +21901,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21871,7 +21923,7 @@
     "cwe_refs": [
       "CWE-288"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US",
@@ -21900,11 +21952,21 @@
         "published_date": "2026-03-09"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-09; due date 2026-03-23. Notes reference: https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2026-1603",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.",
+    "iocs": {
+      "behavioral": [
+        "Ivanti Endpoint Manager (EPM) reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the EPM management surface consistent with authentication bypass (CWE-288) granting an unauthenticated attacker access to the Ivanti Endpoint Manager surface.",
+        "Unexpected access, command/code execution, or new accounts on the EPM management surface with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-1603, CISA KEV (added 2026-03-09), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2017-7921": {
     "name": "Hikvision Multiple Products Improper Authentication Vulnerability",
@@ -22732,7 +22794,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22753,7 +22816,7 @@
     "cwe_refs": [
       "CWE-287"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems",
@@ -22784,11 +22847,21 @@
         "published_date": "2026-02-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-25; due date 2026-02-27. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Catalyst SD-WAN Controller / Manager reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the Catalyst SD-WAN management plane consistent with improper authentication (CWE-287) on the Catalyst SD-WAN Controller/Manager, letting an unauthenticated attacker bypass authentication to the management plane.",
+        "Unexpected access, command/code execution, or new accounts on the Catalyst SD-WAN management plane with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20127, CISA KEV (added 2026-02-25), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-25108": {
     "name": "Soliton Systems K.K FileZen OS Command Injection Vulnerability",
@@ -24881,7 +24954,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -24902,7 +24976,7 @@
     "cwe_refs": [
       "CWE-306"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.smartertools.com/smartermail/release-notes/current",
@@ -24932,11 +25006,21 @@
         "published_date": "2026-02-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-05; due date 2026-02-26. Notes reference: https://www.smartertools.com/smartermail/release-notes/current ; https://www.cve.org/CVERecord?id=CVE-2026-24423 ; https://nvd.nist.gov/vuln/detail/CVE-2026-24423",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution. ",
+    "iocs": {
+      "behavioral": [
+        "SmarterTools SmarterMail reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the SmarterMail server consistent with missing authentication for a critical function (CWE-306) on SmarterMail, reachable by an unauthenticated attacker.",
+        "Unexpected access, command/code execution, or new accounts on the SmarterMail server with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-24423, CISA KEV (added 2026-02-05), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-39935": {
     "name": "GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability",
@@ -25361,7 +25445,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25382,7 +25467,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340",
@@ -25413,11 +25498,21 @@
         "published_date": "2026-01-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-29; due date 2026-02-01. Notes reference: Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.",
+    "iocs": {
+      "behavioral": [
+        "Ivanti Endpoint Manager Mobile (EPMM) reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the EPMM management surface consistent with code injection (CWE-94) yielding unauthenticated remote code execution on the EPMM management surface.",
+        "Unexpected access, command/code execution, or new accounts on the EPMM management surface with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-1281, CISA KEV (added 2026-01-29), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-24858": {
     "name": "Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability",
@@ -25459,7 +25554,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25480,7 +25576,7 @@
     "cwe_refs": [
       "CWE-288"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-26-060",
@@ -25510,11 +25606,21 @@
         "published_date": "2026-01-27"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-27; due date 2026-01-30. Notes reference: Please adhere to Fortinet's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Fortinet products affected by this vulnerability. Apply",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet (multiple products) reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the Fortinet management surface consistent with authentication bypass using an alternate path or channel (CWE-288) across multiple Fortinet products.",
+        "Unexpected access, command/code execution, or new accounts on the Fortinet management surface with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-24858, CISA KEV (added 2026-01-27), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2018-14634": {
     "name": "Linux Kernel Integer Overflow Vulnerability",
@@ -25755,7 +25861,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -25776,7 +25883,7 @@
     "cwe_refs": [
       "CWE-288"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.smartertools.com/smartermail/release-notes/current",
@@ -25805,11 +25912,21 @@
         "published_date": "2026-01-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: https://www.smartertools.com/smartermail/release-notes/current ; https://nvd.nist.gov/vuln/detail/CVE-2026-23760",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.",
+    "iocs": {
+      "behavioral": [
+        "SmarterTools SmarterMail reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the SmarterMail mail server consistent with authentication bypass using an alternate path or channel (CWE-288), granting unauthenticated access to the mail server.",
+        "Unexpected access, command/code execution, or new accounts on the SmarterMail mail server with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-23760, CISA KEV (added 2026-01-26), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-24061": {
     "name": "GNU InetUtils Argument Injection Vulnerability",
@@ -26527,7 +26644,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -26548,7 +26666,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b",
@@ -26577,11 +26695,21 @@
         "published_date": "2026-01-21"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-21; due date 2026-02-11. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b ; https://nvd.nist.gov/vuln/detail/CVE-2026-20045",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Unified Communications products reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Unauthenticated requests to the Unified Communications management surface consistent with code injection (CWE-94) yielding remote code execution on the Cisco Unified Communications product.",
+        "Unexpected access, command/code execution, or new accounts on the Unified Communications management surface with no corresponding administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20045, CISA KEV (added 2026-01-21), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20805": {
     "name": "Microsoft Windows Information Disclosure Vulnerability",