@blamejs/exceptd-skills 0.15.32 → 0.15.33

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.33 — 2026-05-29
+
+Draft-curation pass 30 — unauthenticated command/code-injection RCE. Eight CISA KEV-listed CVEs where attacker input reaches a shell or interpreter are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Array Networks ArrayOS AG (CVE-2025-66644), CWP Control Web Panel (CVE-2025-48703), Libraesva Email Security Gateway (CVE-2025-59689), Trend Micro Apex One console (CVE-2025-54948), GNU Bash Shellshock-family parsing (CVE-2014-6278), PHPMailer sender-address injection (CVE-2016-10033), Jenkins CLI Java deserialization (CVE-2017-1000353), and Fortra GoAnywhere MFT license-servlet deserialization (CVE-2025-10035). All map T1190 and T1059. The lessons highlight a high-fidelity detection signal — a shell or interpreter spawned from a web/daemon process — and stress that bundled-library flaws (Bash, PHPMailer) require updating every consumer, while CI, MFT, and EDR-console compromise carries downstream supply-chain and data reach beyond the patched host.
+
 ## 0.15.32 — 2026-05-29
 
 Draft-curation pass 29 — network devices and edge appliances. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons, spanning enterprise appliances — F5 BIG-IP stack overflow (CVE-2025-53521), HPE OneView code injection (CVE-2025-37164), Versa Concerto SD-WAN orchestrator authentication bypass (CVE-2025-34026) — and SOHO/embedded devices: ASUS router OS command injection (CVE-2023-39780) and authentication bypass (CVE-2021-32030), Digiever DVR missing authorization (CVE-2023-52163), and Sierra Wireless AirLink ALEOS unrestricted upload (CVE-2018-4063). All map T1190, with per-class T1059, T1078, or T1505.003. The lessons split remediation by device class: enterprise appliances must be rebuilt and re-keyed after compromise, while embedded/SOHO devices — often end-of-life and recruited into botnets — require firmware re-flash or replacement rather than patch-in-place.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T02:46:03.958Z",
+  "generated_at": "2026-05-30T03:05:30.785Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "bfb12203bc94fbd39b4c1343556482b87f365f89b77c0df1970ecc3f3f29a5e4",
+    "manifest.json": "9045d51286721985592156db17c8cb917201b948715597901238bda99b99f792",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "287890d9363989eae37cc65cc32d2c7daeb9393c7c213c3acd0aa12bc5de6bc7",
-    "data/cve-catalog.json": "da1abcc2d3878253bf38e6bb1924b702e89ca2681aeb586100a85ec39e33ce3f",
+    "data/attack-techniques.json": "6849ebc7b44fe562f1e2728d1e881d2e9148d8c89b8d6b050b580c5338d3dd23",
+    "data/cve-catalog.json": "b18466211fdd24ed61766573c402cc38324d7fd90ec55a147e7c98a5f6a6444f",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "78c717b5c3c9dab103447cac53fdacf966449f9e5450bff323967eaefdd4dbca",
+    "data/zeroday-lessons.json": "4c41089a5a095fc4be5898833a4f83c0cebe06e5b13f959a022241acb1164dc4",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -272,6 +272,9 @@
       "DS0017"
     ],
     "cve_refs": [
+      "CVE-2014-6278",
+      "CVE-2016-10033",
+      "CVE-2017-1000353",
       "CVE-2020-25078",
       "CVE-2020-25079",
       "CVE-2022-1471",
@@ -303,6 +306,7 @@
       "CVE-2024-5565",
       "CVE-2024-56145",
       "CVE-2024-8069",
+      "CVE-2025-10035",
       "CVE-2025-10164",
       "CVE-2025-1094",
       "CVE-2025-11837",
@@ -326,6 +330,7 @@
       "CVE-2025-40551",
       "CVE-2025-4428",
       "CVE-2025-47812",
+      "CVE-2025-48703",
       "CVE-2025-49113",
       "CVE-2025-49596",
       "CVE-2025-49704",
@@ -336,13 +341,16 @@
       "CVE-2025-54068",
       "CVE-2025-54136",
       "CVE-2025-54253",
+      "CVE-2025-54948",
       "CVE-2025-55319",
       "CVE-2025-58034",
+      "CVE-2025-59689",
       "CVE-2025-60455",
       "CVE-2025-61882",
       "CVE-2025-6204",
       "CVE-2025-64328",
       "CVE-2025-64496",
+      "CVE-2025-66644",
       "CVE-2025-68613",
       "CVE-2025-68645",
       "CVE-2025-68664",

package/data/cve-catalog.json

@@ -29142,7 +29142,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29163,7 +29164,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/ag.html",
@@ -29193,11 +29194,21 @@
         "published_date": "2025-12-08"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-08; due date 2025-12-29. Notes reference: https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/ag.html ; https://www.jpcert.or.jp/at/2025/at250024.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-66644",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.",
+    "iocs": {
+      "behavioral": [
+        "Array Networks ArrayOS AG reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ArrayOS AG gateway consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the ArrayOS AG gateway — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-66644, CISA KEV (added 2025-12-08), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-55182": {
     "name": "Meta React Server Components Remote Code Execution Vulnerability",
@@ -30601,7 +30612,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30622,7 +30634,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://control-webpanel.com/changelog",
@@ -30651,11 +30663,21 @@
         "published_date": "2025-11-04"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-04; due date 2025-11-25. Notes reference: https://control-webpanel.com/changelog ; https://nvd.nist.gov/vuln/detail/CVE-2025-48703",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.",
+    "iocs": {
+      "behavioral": [
+        "CWP Control Web Panel reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Control Web Panel consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the Control Web Panel — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48703, CISA KEV (added 2025-11-04), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-11371": {
     "name": "Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability",
@@ -33505,7 +33527,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -33526,7 +33549,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027",
@@ -33558,11 +33581,21 @@
         "published_date": "2025-10-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: http:",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment.",
+    "iocs": {
+      "behavioral": [
+        "GNU Bash reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Bash (Shellshock family) consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the Bash (Shellshock family) — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2014-6278, CISA KEV (added 2025-10-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2017-1000353": {
     "name": "Jenkins Remote Code Execution Vulnerability",
@@ -33604,7 +33637,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -33625,7 +33659,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.jenkins.io/security/advisory/2017-04-26/",
@@ -33654,11 +33688,21 @@
         "published_date": "2025-10-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: https://www.jenkins.io/security/advisory/2017-04-26/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-1000353",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.",
+    "iocs": {
+      "behavioral": [
+        "Jenkins reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Jenkins consistent with Java deserialization remote-code-execution flaw.",
+        "Post-exploitation indicators on the Jenkins — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2017-1000353, CISA KEV (added 2025-10-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2015-7755": {
     "name": "Juniper ScreenOS Improper Authentication Vulnerability",
@@ -34095,7 +34139,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34116,7 +34161,7 @@
     "cwe_refs": [
       "CWE-77"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/",
@@ -34145,11 +34190,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-59689",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment.",
+    "iocs": {
+      "behavioral": [
+        "Libraesva Email Security Gateway reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Libraesva ESG consistent with command-injection flaw.",
+        "Post-exploitation indicators on the Libraesva ESG — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-59689, CISA KEV (added 2025-09-29), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-10035": {
     "name": "Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability",
@@ -34193,7 +34248,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -34215,7 +34271,7 @@
       "CWE-502",
       "CWE-77"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.fortra.com/security/advisories/product-security/fi-2025-012",
@@ -34244,11 +34300,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://www.fortra.com/security/advisories/product-security/fi-2025-012 ; https://nvd.nist.gov/vuln/detail/CVE-2025-10035",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.",
+    "iocs": {
+      "behavioral": [
+        "Fortra GoAnywhere MFT reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the GoAnywhere MFT consistent with deserialization-of-untrusted-data flaw.",
+        "Post-exploitation indicators on the GoAnywhere MFT — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-10035, CISA KEV (added 2025-09-29), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20352": {
     "name": "Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability",
@@ -35958,7 +36024,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35979,7 +36046,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://success.trendmicro.com/en-US/solution/KA-0020652",
@@ -36008,11 +36075,21 @@
         "published_date": "2025-08-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-18; due date 2025-09-08. Notes reference: https://success.trendmicro.com/en-US/solution/KA-0020652 ; N/A ; https://nvd.nist.gov/vuln/detail/CVE-2025-54948",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.",
+    "iocs": {
+      "behavioral": [
+        "Trend Micro Apex One reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Apex One console consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the Apex One console — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-54948, CISA KEV (added 2025-08-18), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-8876": {
     "name": "N-able N-Central Command Injection Vulnerability",
@@ -38481,7 +38558,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -38503,7 +38581,7 @@
       "CWE-77",
       "CWE-88"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18",
@@ -38533,11 +38611,21 @@
         "published_date": "2025-07-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.",
+    "iocs": {
+      "behavioral": [
+        "PHPMailer reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the PHPMailer consistent with command-injection flaw.",
+        "Post-exploitation indicators on the PHPMailer — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2016-10033, CISA KEV (added 2025-07-07), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2014-3931": {
     "name": "Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability",