@blamejs/exceptd-skills 0.15.34 → 0.15.35

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.35 — 2026-05-29
+
+Draft-curation pass 32 — server-side processing of untrusted data. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. The remote-code-execution set — SAP NetWeaver deserialization (CVE-2025-42999), Wazuh server deserialization (CVE-2025-24016), Meta React Server Components (CVE-2025-55182), and XWiki eval injection (CVE-2025-24893) — maps T1190 and T1059; the forgery/disclosure set — OSGeo GeoServer XXE (CVE-2025-58360), Adminer SSRF (CVE-2021-21311), and Oracle E-Business Suite SSRF (CVE-2025-61884) — maps T1190. The lessons separate the RCE response (web-shell hunting and secret rotation) from the SSRF/XXE response (egress filtering, cloud-metadata blocking, disabling external entities), and flag two amplifiers: a compromised Wazuh monitoring server blinds detection across the estate, and SAP/Oracle E-Business Suite sit adjacent to financial data in PCI scope.
+
 ## 0.15.34 — 2026-05-29
 
 Draft-curation pass 31 — authentication bypass and missing authentication. Seven CISA KEV-listed CVEs that grant access without valid credentials are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the Juniper ScreenOS hardcoded-backdoor credential (CVE-2015-7755), Sangoma FreePBX (CVE-2019-19006) and SKYSEA Client View (CVE-2016-7836) improper authentication, AMI MegaRAC SPx baseboard-management-controller authentication bypass by spoofing (CVE-2024-54085), the Erlang/OTP SSH server pre-authentication remote code execution (CVE-2025-32433), Oracle Fusion Middleware missing authentication (CVE-2025-61757), and the TP-Link TL-WA855RE extender missing authentication (CVE-2020-24363). All map T1190 and T1078; the Erlang flaw also maps T1059. The lessons make the load-bearing point that multi-factor authentication and password policy are irrelevant once authentication is bypassed — the compensating control is restricting the management plane to a trusted network — and that below-the-OS targets (the BMC) and planted backdoors require device rebuild, because firmware-level persistence survives an OS reinstall.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T03:26:11.638Z",
+  "generated_at": "2026-05-30T03:45:52.260Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "74458ac0665d22cbe1d574a3b5cf3eb22b51968b93208deb0832911156160355",
+    "manifest.json": "1883386c234d1c94350e6ecbdbf4decb6b0bf7c280355a2977c89056c3b40f2d",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "17bcc2da0674c811c9b31fc4c0870adf6e019c90d18852d6f564a656c39eb13d",
-    "data/cve-catalog.json": "71ced4e5637b5e6be30fe65d0f6370a2f32e851a066837eaab8d8523499291ae",
+    "data/attack-techniques.json": "14746c8acf8019d2340a93912393c0d5986d9df509ca551d2dae25d199c223de",
+    "data/cve-catalog.json": "31c934e524a16a103651ed8f3a76e175dac934886999f9add2ca0633168a9139",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "83eb8a65889305f4fed33a453b1e693e43e929f4ea6d06646eecf0ec4f7caa96",
+    "data/zeroday-lessons.json": "73fd27ed2806eddbd690f58e21c7a8a6d7554283c2a7f9b41ac09b6c3a129da9",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -315,6 +315,8 @@
       "CVE-2025-20281",
       "CVE-2025-20337",
       "CVE-2025-23254",
+      "CVE-2025-24016",
+      "CVE-2025-24893",
       "CVE-2025-26399",
       "CVE-2025-27520",
       "CVE-2025-29635",
@@ -329,6 +331,7 @@
       "CVE-2025-3466",
       "CVE-2025-37164",
       "CVE-2025-40551",
+      "CVE-2025-42999",
       "CVE-2025-4428",
       "CVE-2025-47812",
       "CVE-2025-48703",
@@ -343,6 +346,7 @@
       "CVE-2025-54136",
       "CVE-2025-54253",
       "CVE-2025-54948",
+      "CVE-2025-55182",
       "CVE-2025-55319",
       "CVE-2025-58034",
       "CVE-2025-59689",
@@ -971,6 +975,7 @@
       "CVE-2020-25078",
       "CVE-2020-25079",
       "CVE-2020-7796",
+      "CVE-2021-21311",
       "CVE-2021-22054",
       "CVE-2021-22175",
       "CVE-2021-22681",
@@ -1130,6 +1135,7 @@
       "CVE-2025-59718",
       "CVE-2025-61757",
       "CVE-2025-61882",
+      "CVE-2025-61884",
       "CVE-2025-61932",
       "CVE-2025-6204",
       "CVE-2025-6205",

package/data/cve-catalog.json

@@ -28770,7 +28770,7 @@
     "cwe_refs": [
       "CWE-611"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525",
@@ -28800,11 +28800,21 @@
         "published_date": "2025-12-11"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-11; due date 2026-01-01. Notes reference: This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/ad",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.",
+    "iocs": {
+      "behavioral": [
+        "OSGeo GeoServer reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the GeoServer consistent with XML external entity.",
+        "The GeoServer making outbound requests to internal or cloud-metadata endpoints, or reading server files, on attacker input with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-58360, CISA KEV (added 2025-12-11), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-6218": {
     "name": "RARLAB WinRAR Path Traversal Vulnerability",
@@ -29263,7 +29273,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -29284,7 +29295,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components",
@@ -29314,11 +29325,21 @@
         "published_date": "2025-12-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-05; due date 2025-12-12. Notes reference: Check for signs of potential compromise on all internet accessible REACT instances after applying mitigations. For more information, please see: https://react.dev/blog/2025/12/03/critical-security-vul",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.",
+    "iocs": {
+      "behavioral": [
+        "Meta React Server Components reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the React Server Components consistent with remote-code-execution flaw.",
+        "Post-exploitation indicators on the React Server Components — web shells, unexpected child-process execution, or cryptominer/backdoor activity — with no corresponding legitimate action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-55182, CISA KEV (added 2025-12-05), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-26828": {
     "name": "OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -30944,7 +30965,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30965,7 +30987,7 @@
     "cwe_refs": [
       "CWE-95"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j",
@@ -30994,11 +31016,21 @@
         "published_date": "2025-10-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-30; due date 2025-11-20. Notes reference: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j ; https://nvd.nist.gov/vuln/detail/CVE-2025-24893",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.",
+    "iocs": {
+      "behavioral": [
+        "XWiki Platform reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the XWiki consistent with eval-injection flaw.",
+        "Post-exploitation indicators on the XWiki — web shells, unexpected child-process execution, or cryptominer/backdoor activity — with no corresponding legitimate action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-24893, CISA KEV (added 2025-10-30), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-6204": {
     "name": "Dassault Systèmes DELMIA Apriso Code Injection Vulnerability",
@@ -31984,7 +32016,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -32005,7 +32038,7 @@
     "cwe_refs": [
       "CWE-918"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.oracle.com/security-alerts/alert-cve-2025-61884.html",
@@ -32034,11 +32067,21 @@
         "published_date": "2025-10-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://www.oracle.com/security-alerts/alert-cve-2025-61884.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-61884",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.",
+    "iocs": {
+      "behavioral": [
+        "Oracle E-Business Suite reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Oracle E-Business Suite consistent with server-side request forgery flaw.",
+        "The Oracle E-Business Suite making outbound requests to internal or cloud-metadata endpoints, or reading server files, on attacker input with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-61884, CISA KEV (added 2025-10-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-54253": {
     "name": "Adobe Experience Manager Forms Code Execution Vulnerability",
@@ -34506,7 +34549,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34527,7 +34571,7 @@
     "cwe_refs": [
       "CWE-918"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6",
@@ -34556,11 +34600,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 ; https://nvd.nist.gov/vuln/detail/CVE-2021-21311",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information.",
+    "iocs": {
+      "behavioral": [
+        "Adminer reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Adminer consistent with server-side request forgery flaw.",
+        "The Adminer making outbound requests to internal or cloud-metadata endpoints, or reading server files, on attacker input with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-21311, CISA KEV (added 2025-09-29), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20362": {
     "name": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability",
@@ -39941,7 +39995,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39962,7 +40017,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wazuh.com/blog/addressing-the-cve-2025-24016-vulnerability/",
@@ -39992,11 +40047,21 @@
         "published_date": "2025-06-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-10; due date 2025-07-01. Notes reference: https://wazuh.com/blog/addressing-the-cve-2025-24016-vulnerability/ ; https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh ; https://nvd.nist.gov/vuln/detail/CVE-2025-24016",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.",
+    "iocs": {
+      "behavioral": [
+        "Wazuh Server reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Wazuh server consistent with deserialization-of-untrusted-data flaw.",
+        "Post-exploitation indicators on the Wazuh server — web shells, unexpected child-process execution, or cryptominer/backdoor activity — with no corresponding legitimate action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-24016, CISA KEV (added 2025-06-10), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-42009": {
     "name": "RoundCube Webmail Cross-Site Scripting Vulnerability",
@@ -41904,7 +41969,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41925,7 +41991,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://me.sap.com/notes/3604119",
@@ -41954,11 +42020,21 @@
         "published_date": "2025-05-15"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-15; due date 2025-06-05. Notes reference: SAP users must have an account to log in and access the patch: https://me.sap.com/notes/3604119 ; https://nvd.nist.gov/vuln/detail/CVE-2025-42999",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.",
+    "iocs": {
+      "behavioral": [
+        "SAP NetWeaver reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the SAP NetWeaver consistent with deserialization-of-untrusted-data flaw.",
+        "Post-exploitation indicators on the SAP NetWeaver — web shells, unexpected child-process execution, or cryptominer/backdoor activity — with no corresponding legitimate action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-42999, CISA KEV (added 2025-05-15), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-12987": {
     "name": "DrayTek Vigor Routers OS Command Injection Vulnerability",