@blamejs/exceptd-skills 0.15.31 → 0.15.33

package/data/cve-catalog.json

@@ -10753,7 +10753,7 @@
     "cwe_refs": [
       "CWE-121"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://my.f5.com/manage/s/article/K000156741",
@@ -10784,11 +10784,21 @@
         "published_date": "2026-03-27"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-27; due date 2026-03-30. Notes reference: Please adhere to F5’s guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible F5 products affected by this vulnerability. For more informat",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution.",
+    "iocs": {
+      "behavioral": [
+        "F5 BIG-IP reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the BIG-IP consistent with stack-based buffer overflow.",
+        "Post-exploitation indicators on the BIG-IP — web shells, unexpected process execution, configuration/credential changes, or memory-corruption crashes — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-53521, CISA KEV (added 2026-03-27), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-33634": {
     "name": "Aquasecurity Trivy Embedded Malicious Code Vulnerability",
@@ -27048,7 +27058,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -27069,7 +27080,7 @@
     "cwe_refs": [
       "CWE-288"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e",
@@ -27098,11 +27109,21 @@
         "published_date": "2026-01-22"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-22; due date 2026-02-12. Notes reference: https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e ; https://nvd.nist.gov/vuln/detail/CVE-2025-34026",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.",
+    "iocs": {
+      "behavioral": [
+        "Versa Concerto reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Versa Concerto consistent with authentication bypass using an alternate path or channel.",
+        "Post-exploitation indicators on the Versa Concerto — web shells, unexpected process execution, configuration/credential changes, or memory-corruption crashes — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-34026, CISA KEV (added 2026-01-22), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-31125": {
     "name": "Vite Vitejs Improper Access Control Vulnerability",
@@ -27774,7 +27795,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -27795,7 +27817,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US",
@@ -27824,11 +27846,21 @@
         "published_date": "2026-01-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-07; due date 2026-01-28. Notes reference: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2025-37164",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution.",
+    "iocs": {
+      "behavioral": [
+        "HPE OneView reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the HPE OneView consistent with code-injection flaw.",
+        "Post-exploitation indicators on the HPE OneView — web shells, unexpected process execution, configuration/credential changes, or memory-corruption crashes — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-37164, CISA KEV (added 2026-01-07), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-52163": {
     "name": "Digiever DS-2105 Pro Missing Authorization Vulnerability",
@@ -27870,7 +27902,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -27891,7 +27924,7 @@
     "cwe_refs": [
       "CWE-862"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.digiever.com/tw/support/faq-content.php?FAQ=217",
@@ -27920,11 +27953,21 @@
         "published_date": "2025-12-22"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-22; due date 2026-01-12. Notes reference: https://www.digiever.com/tw/support/faq-content.php?FAQ=217 ; https://nvd.nist.gov/vuln/detail/CVE-2023-52163",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi.",
+    "iocs": {
+      "behavioral": [
+        "Digiever DS-2105 Pro reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Digiever DVR consistent with missing-authorization flaw.",
+        "Post-exploitation indicators on the Digiever DVR — botnet/ORB beaconing, unexpected outbound traffic, web shells, or altered config — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-52163, CISA KEV (added 2025-12-22), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-14733": {
     "name": "WatchGuard Firebox Out of Bounds Write Vulnerability",
@@ -28586,7 +28629,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1505.003"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -28607,7 +28651,7 @@
     "cwe_refs": [
       "CWE-434"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/ics-advisories/icsa-19-122-03",
@@ -28638,11 +28682,21 @@
         "published_date": "2025-12-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-12; due date 2026-01-02. Notes reference: https://www.cisa.gov/news-events/ics-advisories/icsa-19-122-03 ; https://source.sierrawireless.com/resources/airlink/software_reference_docs/technical-bulletin/sierra-wireless-technical-bulletin---swi",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sierra Wireless AirLink ALEOS contains an unrestricted upload of file with dangerous type vulnerability. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Sierra Wireless AirLink ALEOS contains an unrestricted upload of file with dangerous type vulnerability. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "Sierra Wireless AirLink ALEOS reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the AirLink ALEOS gateway consistent with unrestricted file-upload flaw.",
+        "Post-exploitation indicators on the AirLink ALEOS gateway — botnet/ORB beaconing, unexpected outbound traffic, web shells, or altered config — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2018-4063, CISA KEV (added 2025-12-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-58360": {
     "name": "OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability",
@@ -29088,7 +29142,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29109,7 +29164,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/ag.html",
@@ -29139,11 +29194,21 @@
         "published_date": "2025-12-08"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-08; due date 2025-12-29. Notes reference: https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/ag.html ; https://www.jpcert.or.jp/at/2025/at250024.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-66644",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.",
+    "iocs": {
+      "behavioral": [
+        "Array Networks ArrayOS AG reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ArrayOS AG gateway consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the ArrayOS AG gateway — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-66644, CISA KEV (added 2025-12-08), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-55182": {
     "name": "Meta React Server Components Remote Code Execution Vulnerability",
@@ -30547,7 +30612,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30568,7 +30634,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://control-webpanel.com/changelog",
@@ -30597,11 +30663,21 @@
         "published_date": "2025-11-04"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-04; due date 2025-11-25. Notes reference: https://control-webpanel.com/changelog ; https://nvd.nist.gov/vuln/detail/CVE-2025-48703",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.",
+    "iocs": {
+      "behavioral": [
+        "CWP Control Web Panel reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Control Web Panel consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the Control Web Panel — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48703, CISA KEV (added 2025-11-04), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-11371": {
     "name": "Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability",
@@ -33451,7 +33527,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -33472,7 +33549,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027",
@@ -33504,11 +33581,21 @@
         "published_date": "2025-10-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: http:",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment.",
+    "iocs": {
+      "behavioral": [
+        "GNU Bash reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Bash (Shellshock family) consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the Bash (Shellshock family) — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2014-6278, CISA KEV (added 2025-10-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2017-1000353": {
     "name": "Jenkins Remote Code Execution Vulnerability",
@@ -33550,7 +33637,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -33571,7 +33659,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.jenkins.io/security/advisory/2017-04-26/",
@@ -33600,11 +33688,21 @@
         "published_date": "2025-10-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: https://www.jenkins.io/security/advisory/2017-04-26/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-1000353",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.",
+    "iocs": {
+      "behavioral": [
+        "Jenkins reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Jenkins consistent with Java deserialization remote-code-execution flaw.",
+        "Post-exploitation indicators on the Jenkins — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2017-1000353, CISA KEV (added 2025-10-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2015-7755": {
     "name": "Juniper ScreenOS Improper Authentication Vulnerability",
@@ -34041,7 +34139,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34062,7 +34161,7 @@
     "cwe_refs": [
       "CWE-77"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/",
@@ -34091,11 +34190,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-59689",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment.",
+    "iocs": {
+      "behavioral": [
+        "Libraesva Email Security Gateway reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Libraesva ESG consistent with command-injection flaw.",
+        "Post-exploitation indicators on the Libraesva ESG — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-59689, CISA KEV (added 2025-09-29), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-10035": {
     "name": "Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability",
@@ -34139,7 +34248,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -34161,7 +34271,7 @@
       "CWE-502",
       "CWE-77"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.fortra.com/security/advisories/product-security/fi-2025-012",
@@ -34190,11 +34300,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://www.fortra.com/security/advisories/product-security/fi-2025-012 ; https://nvd.nist.gov/vuln/detail/CVE-2025-10035",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.",
+    "iocs": {
+      "behavioral": [
+        "Fortra GoAnywhere MFT reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the GoAnywhere MFT consistent with deserialization-of-untrusted-data flaw.",
+        "Post-exploitation indicators on the GoAnywhere MFT — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-10035, CISA KEV (added 2025-09-29), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20352": {
     "name": "Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability",
@@ -35904,7 +36024,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35925,7 +36046,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://success.trendmicro.com/en-US/solution/KA-0020652",
@@ -35954,11 +36075,21 @@
         "published_date": "2025-08-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-18; due date 2025-09-08. Notes reference: https://success.trendmicro.com/en-US/solution/KA-0020652 ; N/A ; https://nvd.nist.gov/vuln/detail/CVE-2025-54948",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.",
+    "iocs": {
+      "behavioral": [
+        "Trend Micro Apex One reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Apex One console consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the Apex One console — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-54948, CISA KEV (added 2025-08-18), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-8876": {
     "name": "N-able N-Central Command Injection Vulnerability",
@@ -38427,7 +38558,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -38449,7 +38581,7 @@
       "CWE-77",
       "CWE-88"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18",
@@ -38479,11 +38611,21 @@
         "published_date": "2025-07-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.",
+    "iocs": {
+      "behavioral": [
+        "PHPMailer reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the PHPMailer consistent with command-injection flaw.",
+        "Post-exploitation indicators on the PHPMailer — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2016-10033, CISA KEV (added 2025-07-07), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2014-3931": {
     "name": "Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability",
@@ -40444,7 +40586,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -40465,7 +40608,7 @@
     "cwe_refs": [
       "CWE-287"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.asus.com/us/supportonly/lyra%20mini/helpdesk_bios/",
@@ -40495,11 +40638,21 @@
         "published_date": "2025-06-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-02; due date 2025-06-23. Notes reference: https://www.asus.com/us/supportonly/lyra%20mini/helpdesk_bios/ ; https://www.asus.com/us/supportonly/rog%20rapture%20gt-ac2900/helpdesk_bios/; https://nvd.nist.gov/vuln/detail/CVE-2021-32030",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "ASUS routers reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ASUS router consistent with improper-authentication flaw.",
+        "Post-exploitation indicators on the ASUS router — botnet/ORB beaconing, unexpected outbound traffic, web shells, or altered config — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-32030, CISA KEV (added 2025-06-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-3935": {
     "name": "ConnectWise ScreenConnect Improper Authentication Vulnerability",
@@ -40851,7 +41004,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -40872,7 +41026,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.asus.com/networking-iot-servers/wifi-6/all-series/rt-ax55/helpdesk_bios/?model2Name=RT-AX55",
@@ -40902,11 +41056,21 @@
         "published_date": "2025-06-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-02; due date 2025-06-23. Notes reference: https://www.asus.com/networking-iot-servers/wifi-6/all-series/rt-ax55/helpdesk_bios/?model2Name=RT-AX55 ;   https://www.asus.com/content/asus-product-security-advisory/ ; https://nvd.nist.gov/vuln/det",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands. As represented by CVE-2023-41346."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands. As represented by CVE-2023-41346.",
+    "iocs": {
+      "behavioral": [
+        "ASUS RT-AX55 routers reachable on the network at a firmware/version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ASUS router consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the ASUS router — botnet/ORB beaconing, unexpected outbound traffic, web shells, or altered config — with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-39780, CISA KEV (added 2025-06-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-4632": {
     "name": "Samsung MagicINFO 9 Server Path Traversal Vulnerability (variant: CVE-2025-4632)",