@blamejs/exceptd-skills 0.15.32 → 0.15.34

package/data/cve-catalog.json

@@ -25905,7 +25905,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -25926,7 +25927,7 @@
     "cwe_refs": [
       "CWE-287"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wiki.freepbx.org/display/FOP/2019-11-20%2BRemote%2BAdmin%2BAuthentication%2BBypass",
@@ -25955,11 +25956,21 @@
         "published_date": "2026-02-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-03; due date 2026-02-24. Notes reference: https://wiki.freepbx.org/display/FOP/2019-11-20%2BRemote%2BAdmin%2BAuthentication%2BBypass ; https://nvd.nist.gov/vuln/detail/CVE-2019-19006",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.",
+    "iocs": {
+      "behavioral": [
+        "Sangoma FreePBX reachable on the network at a version below the fixed release named in the vendor advisory (for the backdoor/BMC cases, treat any affected build as compromised regardless of version).",
+        "Administrative access to the FreePBX with no corresponding legitimate credential use — sessions from unexpected sources, use of a known backdoor credential, or access to privileged functions without authentication.",
+        "Post-bypass indicators — configuration/account changes, web shells or new admin objects, or command execution — with no matching operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2019-19006, CISA KEV (added 2026-02-03), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 auth bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-40551": {
     "name": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability (variant: CVE-2025-40551)",
@@ -29142,7 +29153,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29163,7 +29175,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/ag.html",
@@ -29193,11 +29205,21 @@
         "published_date": "2025-12-08"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-08; due date 2025-12-29. Notes reference: https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/ag.html ; https://www.jpcert.or.jp/at/2025/at250024.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-66644",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.",
+    "iocs": {
+      "behavioral": [
+        "Array Networks ArrayOS AG reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ArrayOS AG gateway consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the ArrayOS AG gateway — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-66644, CISA KEV (added 2025-12-08), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-55182": {
     "name": "Meta React Server Components Remote Code Execution Vulnerability",
@@ -29762,7 +29784,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29783,7 +29806,7 @@
     "cwe_refs": [
       "CWE-306"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.oracle.com/security-alerts/cpuoct2025.html",
@@ -29812,11 +29835,21 @@
         "published_date": "2025-11-21"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-21; due date 2025-12-12. Notes reference: https://www.oracle.com/security-alerts/cpuoct2025.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-61757",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager.",
+    "iocs": {
+      "behavioral": [
+        "Oracle Fusion Middleware reachable on the network at a version below the fixed release named in the vendor advisory (for the backdoor/BMC cases, treat any affected build as compromised regardless of version).",
+        "Administrative access to the Oracle Fusion Middleware with no corresponding legitimate credential use — sessions from unexpected sources, use of a known backdoor credential, or access to privileged functions without authentication.",
+        "Post-bypass indicators — configuration/account changes, web shells or new admin objects, or command execution — with no matching operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-61757, CISA KEV (added 2025-11-21), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 auth bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-13223": {
     "name": "Google Chromium V8 Type Confusion Vulnerability",
@@ -30601,7 +30634,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30622,7 +30656,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://control-webpanel.com/changelog",
@@ -30651,11 +30685,21 @@
         "published_date": "2025-11-04"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-04; due date 2025-11-25. Notes reference: https://control-webpanel.com/changelog ; https://nvd.nist.gov/vuln/detail/CVE-2025-48703",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.",
+    "iocs": {
+      "behavioral": [
+        "CWP Control Web Panel reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Control Web Panel consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the Control Web Panel — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48703, CISA KEV (added 2025-11-04), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-11371": {
     "name": "Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability",
@@ -32450,7 +32494,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32471,7 +32516,7 @@
     "cwe_refs": [
       "CWE-287"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.skyseaclientview.net/news/161221/",
@@ -32500,11 +32545,21 @@
         "published_date": "2025-10-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-14; due date 2025-11-04. Notes reference: https://www.skyseaclientview.net/news/161221/ ; https://nvd.nist.gov/vuln/detail/CVE-2016-7836",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.",
+    "iocs": {
+      "behavioral": [
+        "SKYSEA Client View reachable on the network at a version below the fixed release named in the vendor advisory (for the backdoor/BMC cases, treat any affected build as compromised regardless of version).",
+        "Administrative access to the SKYSEA Client View with no corresponding legitimate credential use — sessions from unexpected sources, use of a known backdoor credential, or access to privileged functions without authentication.",
+        "Post-bypass indicators — configuration/account changes, web shells or new admin objects, or command execution — with no matching operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2016-7836, CISA KEV (added 2025-10-14), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 auth bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-43798": {
     "name": "Grafana Path Traversal Vulnerability",
@@ -33505,7 +33560,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -33526,7 +33582,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027",
@@ -33558,11 +33614,21 @@
         "published_date": "2025-10-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: http:",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment.",
+    "iocs": {
+      "behavioral": [
+        "GNU Bash reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Bash (Shellshock family) consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the Bash (Shellshock family) — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2014-6278, CISA KEV (added 2025-10-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2017-1000353": {
     "name": "Jenkins Remote Code Execution Vulnerability",
@@ -33604,7 +33670,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -33625,7 +33692,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.jenkins.io/security/advisory/2017-04-26/",
@@ -33654,11 +33721,21 @@
         "published_date": "2025-10-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: https://www.jenkins.io/security/advisory/2017-04-26/ ; https://nvd.nist.gov/vuln/detail/CVE-2017-1000353",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.",
+    "iocs": {
+      "behavioral": [
+        "Jenkins reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Jenkins consistent with Java deserialization remote-code-execution flaw.",
+        "Post-exploitation indicators on the Jenkins — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2017-1000353, CISA KEV (added 2025-10-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2015-7755": {
     "name": "Juniper ScreenOS Improper Authentication Vulnerability",
@@ -33700,7 +33777,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -33721,7 +33799,7 @@
     "cwe_refs": [
       "CWE-287"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756",
@@ -33750,11 +33828,21 @@
         "published_date": "2025-10-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-02; due date 2025-10-23. Notes reference: https://supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756 ; https://nvd.nist.gov/vuln/detail/CVE-20",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Juniper ScreenOS contains an improper authentication vulnerability that could allow unauthorized remote administrative access to the device."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Juniper ScreenOS contains an improper authentication vulnerability that could allow unauthorized remote administrative access to the device.",
+    "iocs": {
+      "behavioral": [
+        "Juniper ScreenOS reachable on the network at a version below the fixed release named in the vendor advisory (for the backdoor/BMC cases, treat any affected build as compromised regardless of version).",
+        "Administrative access to the ScreenOS firewall with no corresponding legitimate credential use — sessions from unexpected sources, use of a known backdoor credential, or access to privileged functions without authentication.",
+        "Post-bypass indicators — configuration/account changes, firmware/below-OS persistence (especially for the BMC), or command execution — with no matching operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2015-7755, CISA KEV (added 2025-10-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 auth bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-21043": {
     "name": "Samsung Mobile Devices Out-of-Bounds Write Vulnerability (variant: CVE-2025-21043)",
@@ -34095,7 +34183,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34116,7 +34205,7 @@
     "cwe_refs": [
       "CWE-77"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/",
@@ -34145,11 +34234,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-59689",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment.",
+    "iocs": {
+      "behavioral": [
+        "Libraesva Email Security Gateway reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Libraesva ESG consistent with command-injection flaw.",
+        "Post-exploitation indicators on the Libraesva ESG — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-59689, CISA KEV (added 2025-09-29), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-10035": {
     "name": "Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability",
@@ -34193,7 +34292,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -34215,7 +34315,7 @@
       "CWE-502",
       "CWE-77"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.fortra.com/security/advisories/product-security/fi-2025-012",
@@ -34244,11 +34344,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://www.fortra.com/security/advisories/product-security/fi-2025-012 ; https://nvd.nist.gov/vuln/detail/CVE-2025-10035",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.",
+    "iocs": {
+      "behavioral": [
+        "Fortra GoAnywhere MFT reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the GoAnywhere MFT consistent with deserialization-of-untrusted-data flaw.",
+        "Post-exploitation indicators on the GoAnywhere MFT — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-10035, CISA KEV (added 2025-09-29), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20352": {
     "name": "Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability",
@@ -35237,7 +35347,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35258,7 +35369,7 @@
     "cwe_refs": [
       "CWE-306"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.tp-link.com/us/home-networking/range-extender/tl-wa855re/#overview",
@@ -35288,11 +35399,21 @@
         "published_date": "2025-09-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-02; due date 2025-09-23. Notes reference: https://www.tp-link.com/us/home-networking/range-extender/tl-wa855re/#overview ; https://www.tp-link.com/us/support/download/tl-wa855re/#FAQs ; https://nvd.nist.gov/vuln/detail/CVE-2020-24363",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TP-link TL-WA855RE contains a missing authentication for critical function vulnerability. This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "TP-link TL-WA855RE contains a missing authentication for critical function vulnerability. This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "TP-Link TL-WA855RE reachable on the network at a version below the fixed release named in the vendor advisory (for the backdoor/BMC cases, treat any affected build as compromised regardless of version).",
+        "Administrative access to the TL-WA855RE extender with no corresponding legitimate credential use — sessions from unexpected sources, use of a known backdoor credential, or access to privileged functions without authentication.",
+        "Post-bypass indicators — configuration/account changes, firmware/below-OS persistence (especially for the BMC), or command execution — with no matching operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2020-24363, CISA KEV (added 2025-09-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 auth bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-55177": {
     "name": "Meta Platforms WhatsApp Incorrect Authorization Vulnerability",
@@ -35958,7 +36079,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35979,7 +36101,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://success.trendmicro.com/en-US/solution/KA-0020652",
@@ -36008,11 +36130,21 @@
         "published_date": "2025-08-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-18; due date 2025-09-08. Notes reference: https://success.trendmicro.com/en-US/solution/KA-0020652 ; N/A ; https://nvd.nist.gov/vuln/detail/CVE-2025-54948",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.",
+    "iocs": {
+      "behavioral": [
+        "Trend Micro Apex One reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Apex One console consistent with OS command-injection flaw.",
+        "Post-exploitation indicators on the Apex One console — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-54948, CISA KEV (added 2025-08-18), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-8876": {
     "name": "N-able N-Central Command Injection Vulnerability",
@@ -38481,7 +38613,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -38503,7 +38636,7 @@
       "CWE-77",
       "CWE-88"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18",
@@ -38533,11 +38666,21 @@
         "published_date": "2025-07-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.",
+    "iocs": {
+      "behavioral": [
+        "PHPMailer reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the PHPMailer consistent with command-injection flaw.",
+        "Post-exploitation indicators on the PHPMailer — web shells, unexpected child-process execution from the service, or commands run with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2016-10033, CISA KEV (added 2025-07-07), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 command/code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2014-3931": {
     "name": "Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability",
@@ -39267,7 +39410,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1078"
+      "T1078",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39288,7 +39432,7 @@
     "cwe_refs": [
       "CWE-290"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf",
@@ -39318,11 +39462,21 @@
         "published_date": "2025-06-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-25; due date 2025-07-16. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.",
+    "iocs": {
+      "behavioral": [
+        "AMI MegaRAC SPx reachable on the network at a version below the fixed release named in the vendor advisory (for the backdoor/BMC cases, treat any affected build as compromised regardless of version).",
+        "Administrative access to the MegaRAC BMC with no corresponding legitimate credential use — sessions from unexpected sources, use of a known backdoor credential, or access to privileged functions without authentication.",
+        "Post-bypass indicators — configuration/account changes, firmware/below-OS persistence (especially for the BMC), or command execution — with no matching operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-54085, CISA KEV (added 2025-06-25), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 auth bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-0386": {
     "name": "Linux Kernel Improper Ownership Management Vulnerability",
@@ -39979,7 +40133,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -40000,7 +40156,7 @@
     "cwe_refs": [
       "CWE-306"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2",
@@ -40030,11 +40186,21 @@
         "published_date": "2025-06-09"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-09; due date 2025-06-30. Notes reference: This vulnerability affects a common open-source project, third-party library, or a protocol used by different products. For more information, please see: https://github.com/erlang/otp/security/advisor",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE). By exploiting a flaw in how SSH protocol messages are handled, a malicious actor could gain unauthorized access to affected systems. This vulnerability could affect various products that implement Erlang/OTP SSH server, including—but not limited to—Cisco, NetApp, and SUSE."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE). By exploiting a flaw in how SSH protocol messages are handled, a malicious actor could gain unauthorized access to affected systems. This vulnerability could affect various products that implement Erlang/OTP SSH server, including—but not limited to—Cisco, NetApp, and SUSE.",
+    "iocs": {
+      "behavioral": [
+        "Erlang/OTP SSH Server reachable on the network at a version below the fixed release named in the vendor advisory (for the backdoor/BMC cases, treat any affected build as compromised regardless of version).",
+        "Administrative access to the Erlang/OTP SSH with no corresponding legitimate credential use — sessions from unexpected sources, use of a known backdoor credential, or access to privileged functions without authentication.",
+        "Post-bypass indicators — configuration/account changes, web shells or new admin objects, or command execution — with no matching operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-32433, CISA KEV (added 2025-06-09), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 auth bypass + T1059 RCE) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-5419": {
     "name": "Google Chromium V8 Out-of-Bounds Read and Write Vulnerability",