@blamejs/exceptd-skills 0.15.32 → 0.15.34

package/data/zeroday-lessons.json

@@ -13820,35 +13820,63 @@
   },
   "CVE-2019-19006": {
     "name": " Sangoma FreePBX Improper Authentication Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-authentication flaw (CWE-287) letting an unauthenticated attacker gain administrative access to the telephony server. CISA KEV-listed 2026-02-03 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw grants access without valid credentials)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor update and restrict the management/admin interface to a trusted network/jump host; monitor for unexpected admin sessions, and for the RCE case hunt for web shells and rotate credentials. MFA does not mitigate an auth-bypass.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; network restriction of the management plane is the compensating control, and MFA does not help once authentication is bypassed."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the FreePBX: admin sessions without a matching authentication event, use of known backdoor credentials, and configuration/account changes from unexpected sources.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because an auth-bypass produces sessions that look authenticated; the anomaly is the absence of a legitimate credential event and the source."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, restrict the management plane, rotate all credentials and keys, review configuration/account changes during the exposure window, and hunt for web shells and persistence.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an auth-bypass typically leaves administrative persistence that a patch alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed authentication-bypass on an internet-facing system; these grant administrative access without credentials and are mass-exploited within days — the ScreenOS case shows the class also includes supply-chain-planted backdoors."
+      },
+      "NIST-800-53-IA-2-MFA": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Multi-factor authentication does not help when the flaw bypasses authentication entirely (hardcoded backdoor, missing-auth endpoint, spoofable identity) — the control assumes the auth path is reached, which the flaw circumvents. Restricting the management plane to a trusted network/jump host is the load-bearing compensating control."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited auth-bypass on an internet-facing system or appliance."
+      },
+      "NIS2-Art21-access-control": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats access control as an essential-function requirement but assumes the authentication mechanism is sound; an auth-bypass defeats that assumption, and the framework lacks a compressed remediation SLA plus a compromised-device response for below-OS targets like a BMC."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "Internet-facing Sangoma FreePBX is run by audited organizations whose access-control posture (passwords, MFA, RBAC) is irrelevant to an authentication bypass; without management-plane network restriction and prompt patching the system is exposed, and below-OS/backdoor cases require rebuild that is rarely performed.",
+      "theater_pattern": "authentication_assumed_complete"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-40551": {
     "name": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability (variant: CVE-2025-40551)",
@@ -15431,35 +15459,63 @@
   },
   "CVE-2025-66644": {
     "name": "Array Networks ArrayOS AG OS Command Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the secure-access gateway appliance. CISA KEV-listed 2025-12-08 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; bundled-library flaws are reachable wherever the library processes attacker input)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Array Networks update; treat an exploited gateway as compromised — rebuild and rotate VPN/session secrets, since it fronts internal access.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials survive the patch, bundled-library flaws require updating every consumer, and CI/MFT/EDR-console compromise has downstream reach."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the ArrayOS AG gateway: exploit-shaped requests, new web-shell files, and unexpected child-process execution by the service (a shell or interpreter spawned from a web/daemon process is a strong injection signal).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately (every consumer for a bundled library), hunt and remove web shells, rotate credentials and secrets, and review downstream/supply-chain impact (CI build artifacts, MFT data, EDR-managed endpoints).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; injection-to-RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated injection-to-RCE flaw; these are mass-exploited within days, and bundled-library flaws (PHPMailer/Bash) persist for years across the long tail."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service or a widely-bundled vulnerable library."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / credential-rotation / supply-chain-review cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing service in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 76,
+      "basis": "Internet-facing Array Networks ArrayOS AG is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt, credential rotation, and (for bundled libraries) updating every consumer are rarely fully done, leaving long-tail exposure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-55182": {
     "name": "Meta React Server Components Remote Code Execution Vulnerability",
@@ -15725,35 +15781,63 @@
   },
   "CVE-2025-61757": {
     "name": "Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a missing-authentication-for-critical-function flaw (CWE-306) letting an unauthenticated attacker reach a critical function without credentials. CISA KEV-listed 2025-11-21 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw grants access without valid credentials)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor update and restrict the management/admin interface to a trusted network/jump host; monitor for unexpected admin sessions, and for the RCE case hunt for web shells and rotate credentials. MFA does not mitigate an auth-bypass.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; network restriction of the management plane is the compensating control, and MFA does not help once authentication is bypassed."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Oracle Fusion Middleware: admin sessions without a matching authentication event, use of known backdoor credentials, and configuration/account changes from unexpected sources.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because an auth-bypass produces sessions that look authenticated; the anomaly is the absence of a legitimate credential event and the source."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, restrict the management plane, rotate all credentials and keys, review configuration/account changes during the exposure window, and hunt for web shells and persistence.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an auth-bypass typically leaves administrative persistence that a patch alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed authentication-bypass on an internet-facing system; these grant administrative access without credentials and are mass-exploited within days — the ScreenOS case shows the class also includes supply-chain-planted backdoors."
+      },
+      "NIST-800-53-IA-2-MFA": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Multi-factor authentication does not help when the flaw bypasses authentication entirely (hardcoded backdoor, missing-auth endpoint, spoofable identity) — the control assumes the auth path is reached, which the flaw circumvents. Restricting the management plane to a trusted network/jump host is the load-bearing compensating control."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited auth-bypass on an internet-facing system or appliance."
+      },
+      "NIS2-Art21-access-control": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats access control as an essential-function requirement but assumes the authentication mechanism is sound; an auth-bypass defeats that assumption, and the framework lacks a compressed remediation SLA plus a compromised-device response for below-OS targets like a BMC."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "Internet-facing Oracle Fusion Middleware is run by audited organizations whose access-control posture (passwords, MFA, RBAC) is irrelevant to an authentication bypass; without management-plane network restriction and prompt patching the system is exposed, and below-OS/backdoor cases require rebuild that is rarely performed.",
+      "theater_pattern": "authentication_assumed_complete"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-13223": {
     "name": "Google Chromium V8 Type Confusion Vulnerability",
@@ -16162,35 +16246,63 @@
   },
   "CVE-2025-48703": {
     "name": "CWP Control Web Panel OS Command Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the hosting-control server. CISA KEV-listed 2025-11-04 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; bundled-library flaws are reachable wherever the library processes attacker input)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the CWP update; hunt for web shells across hosted sites and rotate panel/hosting credentials — a control-panel compromise reaches every site it manages.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials survive the patch, bundled-library flaws require updating every consumer, and CI/MFT/EDR-console compromise has downstream reach."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Control Web Panel: exploit-shaped requests, new web-shell files, and unexpected child-process execution by the service (a shell or interpreter spawned from a web/daemon process is a strong injection signal).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately (every consumer for a bundled library), hunt and remove web shells, rotate credentials and secrets, and review downstream/supply-chain impact (CI build artifacts, MFT data, EDR-managed endpoints).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; injection-to-RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated injection-to-RCE flaw; these are mass-exploited within days, and bundled-library flaws (PHPMailer/Bash) persist for years across the long tail."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service or a widely-bundled vulnerable library."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / credential-rotation / supply-chain-review cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing service in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 76,
+      "basis": "Internet-facing CWP Control Web Panel is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt, credential rotation, and (for bundled libraries) updating every consumer are rarely fully done, leaving long-tail exposure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-11371": {
     "name": "Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability",
@@ -17031,35 +17143,63 @@
   },
   "CVE-2016-7836": {
     "name": "SKYSEA Client View Improper Authentication Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-authentication flaw (CWE-287) in the SKYSEA Client View management server, letting an unauthenticated attacker bypass authentication and reach privileged functionality. CISA KEV-listed 2025-10-14 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw grants access without valid credentials)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor update and restrict the management/admin interface to a trusted network/jump host; monitor for unexpected admin sessions, and for the RCE case hunt for web shells and rotate credentials. MFA does not mitigate an auth-bypass.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; network restriction of the management plane is the compensating control, and MFA does not help once authentication is bypassed."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the SKYSEA Client View: admin sessions without a matching authentication event, use of known backdoor credentials, and configuration/account changes from unexpected sources.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because an auth-bypass produces sessions that look authenticated; the anomaly is the absence of a legitimate credential event and the source."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, restrict the management plane, rotate all credentials and keys, review configuration/account changes during the exposure window, and hunt for web shells and persistence.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an auth-bypass typically leaves administrative persistence that a patch alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed authentication-bypass on an internet-facing system; these grant administrative access without credentials and are mass-exploited within days — the ScreenOS case shows the class also includes supply-chain-planted backdoors."
+      },
+      "NIST-800-53-IA-2-MFA": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Multi-factor authentication does not help when the flaw bypasses authentication entirely (hardcoded backdoor, missing-auth endpoint, spoofable identity) — the control assumes the auth path is reached, which the flaw circumvents. Restricting the management plane to a trusted network/jump host is the load-bearing compensating control."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited auth-bypass on an internet-facing system or appliance."
+      },
+      "NIS2-Art21-access-control": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats access control as an essential-function requirement but assumes the authentication mechanism is sound; an auth-bypass defeats that assumption, and the framework lacks a compressed remediation SLA plus a compromised-device response for below-OS targets like a BMC."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "Internet-facing SKYSEA Client View is run by audited organizations whose access-control posture (passwords, MFA, RBAC) is irrelevant to an authentication bypass; without management-plane network restriction and prompt patching the system is exposed, and below-OS/backdoor cases require rebuild that is rarely performed.",
+      "theater_pattern": "authentication_assumed_complete"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2021-43798": {
     "name": "Grafana Path Traversal Vulnerability",
@@ -17573,99 +17713,183 @@
   },
   "CVE-2014-6278": {
     "name": "GNU Bash OS Command Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an OS command-injection flaw (CWE-78) in Bash environment-variable parsing (a Shellshock-family flaw), enabling remote command execution wherever attacker-controlled data reaches a Bash environment such as CGI. CISA KEV-listed 2025-10-02 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; bundled-library flaws are reachable wherever the library processes attacker input)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Bash update across the estate; this is a long-tail flaw, so inventory CGI/embedded systems that still shell out to Bash with attacker-influenced input.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials survive the patch, bundled-library flaws require updating every consumer, and CI/MFT/EDR-console compromise has downstream reach."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Bash (Shellshock family): exploit-shaped requests, new web-shell files, and unexpected child-process execution by the service (a shell or interpreter spawned from a web/daemon process is a strong injection signal).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately (every consumer for a bundled library), hunt and remove web shells, rotate credentials and secrets, and review downstream/supply-chain impact (CI build artifacts, MFT data, EDR-managed endpoints).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; injection-to-RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated injection-to-RCE flaw; these are mass-exploited within days, and bundled-library flaws (PHPMailer/Bash) persist for years across the long tail."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service or a widely-bundled vulnerable library."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / credential-rotation / supply-chain-review cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing service in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 76,
+      "basis": "Internet-facing GNU Bash is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt, credential rotation, and (for bundled libraries) updating every consumer are rarely fully done, leaving long-tail exposure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2017-1000353": {
     "name": "Jenkins Remote Code Execution Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a Java deserialization remote-code-execution flaw (CWE-94) in the Jenkins CLI, enabling unauthenticated remote code execution on the CI server. CISA KEV-listed 2025-10-02 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; bundled-library flaws are reachable wherever the library processes attacker input)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
     },
-    "framework_coverage": {
-      "NIST-800-53-SI-2": {
-        "covered": true,
-        "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
-      },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Jenkins update and disable the legacy CLI remoting; treat CI compromise as a software-supply-chain risk — rotate credentials and signing keys and review build artifacts/configs for injected steps.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials survive the patch, bundled-library flaws require updating every consumer, and CI/MFT/EDR-console compromise has downstream reach."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Jenkins: exploit-shaped requests, new web-shell files, and unexpected child-process execution by the service (a shell or interpreter spawned from a web/daemon process is a strong injection signal).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately (every consumer for a bundled library), hunt and remove web shells, rotate credentials and secrets, and review downstream/supply-chain impact (CI build artifacts, MFT data, EDR-managed endpoints).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; injection-to-RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated injection-to-RCE flaw; these are mass-exploited within days, and bundled-library flaws (PHPMailer/Bash) persist for years across the long tail."
+      },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service or a widely-bundled vulnerable library."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / credential-rotation / supply-chain-review cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing service in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 76,
+      "basis": "Internet-facing Jenkins is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt, credential rotation, and (for bundled libraries) updating every consumer are rarely fully done, leaving long-tail exposure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2015-7755": {
     "name": "Juniper ScreenOS Improper Authentication Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Juniper ScreenOS contains an improper authentication vulnerability that could allow unauthorized remote administrative access to the device.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a hardcoded backdoor authentication credential (CWE-287) in Juniper ScreenOS, letting anyone with the planted password gain administrative SSH/Telnet access to the firewall (a supply-chain-planted backdoor). CISA KEV-listed 2025-10-02 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw grants access without valid credentials)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor update and restrict the management interface to a trusted network/jump host; because this grants access without credentials (and the BMC/backdoor sits below the OS), treat an exposed device as compromised — re-image/rebuild and rotate all secrets. MFA does not mitigate an auth-bypass.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but a below-OS (BMC) or backdoored device must be treated as compromised and rebuilt; MFA and password policy are irrelevant to a bypass."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the ScreenOS firewall: admin sessions without a matching authentication event, use of known backdoor credentials, and configuration/account changes from unexpected sources.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because an auth-bypass produces sessions that look authenticated; the anomaly is the absence of a legitimate credential event and the source."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, restrict the management plane, rotate all credentials and keys, review configuration/account changes during the exposure window, and re-image the device/BMC (below-OS persistence survives OS reinstall).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an auth-bypass typically leaves administrative persistence that a patch alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed authentication-bypass on an internet-facing system; these grant administrative access without credentials and are mass-exploited within days — the ScreenOS case shows the class also includes supply-chain-planted backdoors."
+      },
+      "NIST-800-53-IA-2-MFA": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Multi-factor authentication does not help when the flaw bypasses authentication entirely (hardcoded backdoor, missing-auth endpoint, spoofable identity) — the control assumes the auth path is reached, which the flaw circumvents. Restricting the management plane to a trusted network/jump host is the load-bearing compensating control."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited auth-bypass on an internet-facing system or appliance."
+      },
+      "NIS2-Art21-access-control": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats access control as an essential-function requirement but assumes the authentication mechanism is sound; an auth-bypass defeats that assumption, and the framework lacks a compressed remediation SLA plus a compromised-device response for below-OS targets like a BMC."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "Internet-facing Juniper ScreenOS is run by audited organizations whose access-control posture (passwords, MFA, RBAC) is irrelevant to an authentication bypass; without management-plane network restriction and prompt patching the system is exposed, and below-OS/backdoor cases require rebuild that is rarely performed.",
+      "theater_pattern": "authentication_assumed_complete"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-21043": {
     "name": "Samsung Mobile Devices Out-of-Bounds Write Vulnerability (variant: CVE-2025-21043)",
@@ -17788,67 +18012,123 @@
   },
   "CVE-2025-59689": {
     "name": "Libraesva Email Security Gateway Command Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a command-injection flaw (CWE-77) enabling remote command execution on the mail-security appliance, triggered via a crafted email/attachment. CISA KEV-listed 2025-09-29 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; bundled-library flaws are reachable wherever the library processes attacker input)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Libraesva update; hunt for web shells, rotate credentials, and review mail-flow integrity — the gateway processes all inbound mail.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials survive the patch, bundled-library flaws require updating every consumer, and CI/MFT/EDR-console compromise has downstream reach."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Libraesva ESG: exploit-shaped requests, new web-shell files, and unexpected child-process execution by the service (a shell or interpreter spawned from a web/daemon process is a strong injection signal).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately (every consumer for a bundled library), hunt and remove web shells, rotate credentials and secrets, and review downstream/supply-chain impact (CI build artifacts, MFT data, EDR-managed endpoints).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; injection-to-RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated injection-to-RCE flaw; these are mass-exploited within days, and bundled-library flaws (PHPMailer/Bash) persist for years across the long tail."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service or a widely-bundled vulnerable library."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / credential-rotation / supply-chain-review cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing service in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 76,
+      "basis": "Internet-facing Libraesva Email Security Gateway is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt, credential rotation, and (for bundled libraries) updating every consumer are rarely fully done, leaving long-tail exposure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-10035": {
     "name": "Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a deserialization-of-untrusted-data flaw (CWE-502/CWE-77) in the GoAnywhere MFT license servlet, enabling unauthenticated remote code execution on the managed-file-transfer server (mass-exploited in data-theft extortion campaigns). CISA KEV-listed 2025-09-29 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; bundled-library flaws are reachable wherever the library processes attacker input)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Fortra GoAnywhere update, restrict the admin console from the internet, hunt for web shells, rotate credentials, and review transferred-file exposure — MFT compromise targets the data in transit.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials survive the patch, bundled-library flaws require updating every consumer, and CI/MFT/EDR-console compromise has downstream reach."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the GoAnywhere MFT: exploit-shaped requests, new web-shell files, and unexpected child-process execution by the service (a shell or interpreter spawned from a web/daemon process is a strong injection signal).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately (every consumer for a bundled library), hunt and remove web shells, rotate credentials and secrets, and review downstream/supply-chain impact (CI build artifacts, MFT data, EDR-managed endpoints).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; injection-to-RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated injection-to-RCE flaw; these are mass-exploited within days, and bundled-library flaws (PHPMailer/Bash) persist for years across the long tail."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service or a widely-bundled vulnerable library."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / credential-rotation / supply-chain-review cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing service in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 75,
-      "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
+      "percent_audit_passing_orgs_still_exposed": 76,
+      "basis": "Internet-facing Fortra GoAnywhere MFT is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt, credential rotation, and (for bundled libraries) updating every consumer are rarely fully done, leaving long-tail exposure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-20352": {
     "name": "Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability",
@@ -18336,35 +18616,63 @@
   },
   "CVE-2020-24363": {
     "name": "TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "TP-link TL-WA855RE contains a missing authentication for critical function vulnerability. This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a missing-authentication-for-critical-function flaw (CWE-306) on the TP-Link TL-WA855RE extender, letting an unauthenticated attacker on the network reset the device and gain administrative control. CISA KEV-listed 2025-09-02 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw grants access without valid credentials)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor update and restrict the management interface to a trusted network/jump host; because this grants access without credentials (and the BMC/backdoor sits below the OS), treat an exposed device as compromised — re-image/rebuild and rotate all secrets. MFA does not mitigate an auth-bypass.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but a below-OS (BMC) or backdoored device must be treated as compromised and rebuilt; MFA and password policy are irrelevant to a bypass."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the TL-WA855RE extender: admin sessions without a matching authentication event, use of known backdoor credentials, and configuration/account changes from unexpected sources.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because an auth-bypass produces sessions that look authenticated; the anomaly is the absence of a legitimate credential event and the source."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, restrict the management plane, rotate all credentials and keys, review configuration/account changes during the exposure window, and re-image the device/BMC (below-OS persistence survives OS reinstall).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an auth-bypass typically leaves administrative persistence that a patch alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed authentication-bypass on an internet-facing system; these grant administrative access without credentials and are mass-exploited within days — the ScreenOS case shows the class also includes supply-chain-planted backdoors."
+      },
+      "NIST-800-53-IA-2-MFA": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Multi-factor authentication does not help when the flaw bypasses authentication entirely (hardcoded backdoor, missing-auth endpoint, spoofable identity) — the control assumes the auth path is reached, which the flaw circumvents. Restricting the management plane to a trusted network/jump host is the load-bearing compensating control."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited auth-bypass on an internet-facing system or appliance."
+      },
+      "NIS2-Art21-access-control": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats access control as an essential-function requirement but assumes the authentication mechanism is sound; an auth-bypass defeats that assumption, and the framework lacks a compressed remediation SLA plus a compromised-device response for below-OS targets like a BMC."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "Internet-facing TP-Link TL-WA855RE is run by audited organizations whose access-control posture (passwords, MFA, RBAC) is irrelevant to an authentication bypass; without management-plane network restriction and prompt patching the system is exposed, and below-OS/backdoor cases require rebuild that is rarely performed.",
+      "theater_pattern": "authentication_assumed_complete"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-55177": {
     "name": "Meta Platforms WhatsApp Incorrect Authorization Vulnerability",
@@ -18672,35 +18980,63 @@
   },
   "CVE-2025-54948": {
     "name": "Trend Micro Apex One OS Command Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an OS command-injection flaw (CWE-78) enabling unauthenticated remote command execution on the Apex One management console. CISA KEV-listed 2025-08-18 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; bundled-library flaws are reachable wherever the library processes attacker input)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Trend Micro Apex One update; treat the EDR management server as fleet-reaching — hunt for web shells, rotate credentials, and audit policy/tasking pushed to managed endpoints.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials survive the patch, bundled-library flaws require updating every consumer, and CI/MFT/EDR-console compromise has downstream reach."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Apex One console: exploit-shaped requests, new web-shell files, and unexpected child-process execution by the service (a shell or interpreter spawned from a web/daemon process is a strong injection signal).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately (every consumer for a bundled library), hunt and remove web shells, rotate credentials and secrets, and review downstream/supply-chain impact (CI build artifacts, MFT data, EDR-managed endpoints).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; injection-to-RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated injection-to-RCE flaw; these are mass-exploited within days, and bundled-library flaws (PHPMailer/Bash) persist for years across the long tail."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service or a widely-bundled vulnerable library."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / credential-rotation / supply-chain-review cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing service in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 76,
+      "basis": "Internet-facing Trend Micro Apex One is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt, credential rotation, and (for bundled libraries) updating every consumer are rarely fully done, leaving long-tail exposure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-8876": {
     "name": "N-able N-Central Command Injection Vulnerability",
@@ -19957,35 +20293,63 @@
   },
   "CVE-2016-10033": {
     "name": "PHPMailer Command Injection Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a command-injection flaw (CWE-77/CWE-88) in PHPMailer's sender-address handling, enabling remote code execution in PHP applications that pass attacker-controlled input to the From address. CISA KEV-listed 2025-07-07 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw is reachable by an unauthenticated attacker; bundled-library flaws are reachable wherever the library processes attacker input)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Update PHPMailer in every application that bundles it; hunt for web shells in apps that exposed a contact/registration form, and rotate application secrets.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but insufficient alone — web shells and stolen credentials survive the patch, bundled-library flaws require updating every consumer, and CI/MFT/EDR-console compromise has downstream reach."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the PHPMailer: exploit-shaped requests, new web-shell files, and unexpected child-process execution by the service (a shell or interpreter spawned from a web/daemon process is a strong injection signal).",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary to catch exploitation and resident persistence after patching."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately (every consumer for a bundled library), hunt and remove web shells, rotate credentials and secrets, and review downstream/supply-chain impact (CI build artifacts, MFT data, EDR-managed endpoints).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; injection-to-RCE typically yields persistence and a pivot, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated injection-to-RCE flaw; these are mass-exploited within days, and bundled-library flaws (PHPMailer/Bash) persist for years across the long tail."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing service or a widely-bundled vulnerable library."
+      },
+      "NIS2-Art21-network-security": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats internet-facing services as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the web-shell-hunt / credential-rotation / supply-chain-review cleanup these RCEs need."
+      },
+      "PCI-DSS-4.0-6.3.3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing service in or adjacent to the CDE; WAF coverage is partial mitigation, not remediation."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 76,
+      "basis": "Internet-facing PHPMailer is run by audited organizations on a standard patch SLA and is mass-exploited within days; the required web-shell hunt, credential rotation, and (for bundled libraries) updating every consumer are rarely fully done, leaving long-tail exposure.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2014-3931": {
     "name": "Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability",
@@ -20292,35 +20656,63 @@
   },
   "CVE-2024-54085": {
     "name": "AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an authentication-bypass-by-spoofing flaw (CWE-290) in the AMI MegaRAC SPx baseboard management controller (Redfish), letting an unauthenticated attacker gain administrative control of the BMC — and thus the host beneath the operating system. CISA KEV-listed 2025-06-25 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw grants access without valid credentials)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor update and restrict the management interface to a trusted network/jump host; because this grants access without credentials (and the BMC/backdoor sits below the OS), treat an exposed device as compromised — re-image/rebuild and rotate all secrets. MFA does not mitigate an auth-bypass.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but a below-OS (BMC) or backdoored device must be treated as compromised and rebuilt; MFA and password policy are irrelevant to a bypass."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the MegaRAC BMC: admin sessions without a matching authentication event, use of known backdoor credentials, and configuration/account changes from unexpected sources.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because an auth-bypass produces sessions that look authenticated; the anomaly is the absence of a legitimate credential event and the source."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, restrict the management plane, rotate all credentials and keys, review configuration/account changes during the exposure window, and re-image the device/BMC (below-OS persistence survives OS reinstall).",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an auth-bypass typically leaves administrative persistence that a patch alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed authentication-bypass on an internet-facing system; these grant administrative access without credentials and are mass-exploited within days — the ScreenOS case shows the class also includes supply-chain-planted backdoors."
+      },
+      "NIST-800-53-IA-2-MFA": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Multi-factor authentication does not help when the flaw bypasses authentication entirely (hardcoded backdoor, missing-auth endpoint, spoofable identity) — the control assumes the auth path is reached, which the flaw circumvents. Restricting the management plane to a trusted network/jump host is the load-bearing compensating control."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited auth-bypass on an internet-facing system or appliance."
+      },
+      "NIS2-Art21-access-control": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats access control as an essential-function requirement but assumes the authentication mechanism is sound; an auth-bypass defeats that assumption, and the framework lacks a compressed remediation SLA plus a compromised-device response for below-OS targets like a BMC."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "Internet-facing AMI MegaRAC SPx is run by audited organizations whose access-control posture (passwords, MFA, RBAC) is irrelevant to an authentication bypass; without management-plane network restriction and prompt patching the system is exposed, and below-OS/backdoor cases require rebuild that is rarely performed.",
+      "theater_pattern": "authentication_assumed_complete"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2023-0386": {
     "name": "Linux Kernel Improper Ownership Management Vulnerability",
@@ -20590,35 +20982,63 @@
   },
   "CVE-2025-32433": {
     "name": "Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE). By exploiting a flaw in how SSH protocol messages are handled, a malicious actor could gain unauthorized access to affected systems. This vulnerability could affect various products that implement Erlang/OTP SSH server, including—but not limited to—Cisco, NetApp, and SUSE.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a missing-authentication-for-critical-function flaw (CWE-306) in the Erlang/OTP SSH server, letting an unauthenticated attacker run protocol messages before authentication for full remote code execution. CISA KEV-listed 2025-06-09 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the flaw grants access without valid credentials)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the vendor update and restrict the management/admin interface to a trusted network/jump host; monitor for unexpected admin sessions, and for the RCE case hunt for web shells and rotate credentials. MFA does not mitigate an auth-bypass.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary; network restriction of the management plane is the compensating control, and MFA does not help once authentication is bypassed."
+      },
+      "detection": {
+        "what_would_have_worked": "Monitoring on the Erlang/OTP SSH: admin sessions without a matching authentication event, use of known backdoor credentials, and configuration/account changes from unexpected sources.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Necessary because an auth-bypass produces sessions that look authenticated; the anomaly is the absence of a legitimate credential event and the source."
+      },
+      "response": {
+        "what_would_have_worked": "Patch immediately, restrict the management plane, rotate all credentials and keys, review configuration/account changes during the exposure window, and hunt for web shells and persistence.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; an auth-bypass typically leaves administrative persistence that a patch alone does not remove."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed authentication-bypass on an internet-facing system; these grant administrative access without credentials and are mass-exploited within days — the ScreenOS case shows the class also includes supply-chain-planted backdoors."
+      },
+      "NIST-800-53-IA-2-MFA": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Multi-factor authentication does not help when the flaw bypasses authentication entirely (hardcoded backdoor, missing-auth endpoint, spoofable identity) — the control assumes the auth path is reached, which the flaw circumvents. Restricting the management plane to a trusted network/jump host is the load-bearing compensating control."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited auth-bypass on an internet-facing system or appliance."
+      },
+      "NIS2-Art21-access-control": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Treats access control as an essential-function requirement but assumes the authentication mechanism is sound; an auth-bypass defeats that assumption, and the framework lacks a compressed remediation SLA plus a compromised-device response for below-OS targets like a BMC."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
-      "theater_pattern": "patch_management"
+      "percent_audit_passing_orgs_still_exposed": 78,
+      "basis": "Internet-facing Erlang/OTP SSH Server is run by audited organizations whose access-control posture (passwords, MFA, RBAC) is irrelevant to an authentication bypass; without management-plane network restriction and prompt patching the system is exposed, and below-OS/backdoor cases require rebuild that is rarely performed.",
+      "theater_pattern": "authentication_assumed_complete"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-5419": {
     "name": "Google Chromium V8 Out-of-Bounds Read and Write Vulnerability",