npm - @blamejs/exceptd-skills - Versions diffs - 0.15.34 → 0.15.36 - Mend

@blamejs/exceptd-skills 0.15.34 → 0.15.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +18 -4
package/data/cve-catalog.json +185 -65
package/data/zeroday-lessons.json +430 -142
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Changelog
+## 0.15.36 — 2026-05-29
+Draft-curation pass 33 — client-side file and content handling. Four CISA KEV-listed CVEs where a victim processes attacker-supplied content are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: WinRAR archive-extraction path traversals that drop a payload into an autorun location (CVE-2025-6218, CVE-2025-8088 — the latter used by espionage actors), the Microsoft Video ActiveX (msvidctl) Internet Explorer drive-by (CVE-2008-0015), and the Git link-following flaw that lets a malicious repository write outside the working tree on clone/checkout (CVE-2025-48384). They map T1203 (exploitation for client execution) with T1547.001 for the archive autorun drops, and T1204.002 (user execution of a malicious file) for the Git repository case. The lessons name the load-bearing controls beyond patching: Mark-of-the-Web propagation to extracted files, ASR rules, ActiveX kill-bits and retiring end-of-life Internet Explorer, and hardened version-control clone settings (protectNTFS, disabling symlinks) on developer machines.
+## 0.15.35 — 2026-05-29
+Draft-curation pass 32 — server-side processing of untrusted data. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. The remote-code-execution set — SAP NetWeaver deserialization (CVE-2025-42999), Wazuh server deserialization (CVE-2025-24016), Meta React Server Components (CVE-2025-55182), and XWiki eval injection (CVE-2025-24893) — maps T1190 and T1059; the forgery/disclosure set — OSGeo GeoServer XXE (CVE-2025-58360), Adminer SSRF (CVE-2021-21311), and Oracle E-Business Suite SSRF (CVE-2025-61884) — maps T1190. The lessons separate the RCE response (web-shell hunting and secret rotation) from the SSRF/XXE response (egress filtering, cloud-metadata blocking, disabling external entities), and flag two amplifiers: a compromised Wazuh monitoring server blinds detection across the estate, and SAP/Oracle E-Business Suite sit adjacent to financial data in PCI scope.
 ## 0.15.34 — 2026-05-29
 Draft-curation pass 31 — authentication bypass and missing authentication. Seven CISA KEV-listed CVEs that grant access without valid credentials are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the Juniper ScreenOS hardcoded-backdoor credential (CVE-2015-7755), Sangoma FreePBX (CVE-2019-19006) and SKYSEA Client View (CVE-2016-7836) improper authentication, AMI MegaRAC SPx baseboard-management-controller authentication bypass by spoofing (CVE-2024-54085), the Erlang/OTP SSH server pre-authentication remote code execution (CVE-2025-32433), Oracle Fusion Middleware missing authentication (CVE-2025-61757), and the TP-Link TL-WA855RE extender missing authentication (CVE-2020-24363). All map T1190 and T1078; the Erlang flaw also maps T1059. The lessons make the load-bearing point that multi-factor authentication and password policy are irrelevant once authentication is bypassed — the compensating control is restricting the management plane to a trusted network — and that below-the-OS targets (the BMC) and planted backdoors require device rebuild, because firmware-level persistence survives an OS reinstall.

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T03:26:11.638Z",
+  "generated_at": "2026-05-30T04:05:55.244Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "74458ac0665d22cbe1d574a3b5cf3eb22b51968b93208deb0832911156160355",
+    "manifest.json": "884aba4143a7e713aeb7e65d91e2cc581c9b910ad01099ba44d6bd4d44e10382",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "17bcc2da0674c811c9b31fc4c0870adf6e019c90d18852d6f564a656c39eb13d",
-    "data/cve-catalog.json": "71ced4e5637b5e6be30fe65d0f6370a2f32e851a066837eaab8d8523499291ae",
+    "data/attack-techniques.json": "a79c8dae3527ce9b7bdb305b86d54b7939406602bb36ac49b7732f461fa9bb59",
+    "data/cve-catalog.json": "fa2ed2e00aac67bbbd053ef97a2c165f5f836c58375c279419f2192aafbd84d1",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "83eb8a65889305f4fed33a453b1e693e43e929f4ea6d06646eecf0ec4f7caa96",
+    "data/zeroday-lessons.json": "3d8efcdc4d8edda2f4d85ac33767ea0b471f035840c93fa8c24a3ea8c03e4962",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json CHANGED Viewed

@@ -315,6 +315,8 @@
       "CVE-2025-20281",
       "CVE-2025-20337",
       "CVE-2025-23254",
+      "CVE-2025-24016",
+      "CVE-2025-24893",
       "CVE-2025-26399",
       "CVE-2025-27520",
       "CVE-2025-29635",
@@ -329,6 +331,7 @@
       "CVE-2025-3466",
       "CVE-2025-37164",
       "CVE-2025-40551",
+      "CVE-2025-42999",
       "CVE-2025-4428",
       "CVE-2025-47812",
       "CVE-2025-48703",
@@ -343,6 +346,7 @@
       "CVE-2025-54136",
       "CVE-2025-54253",
       "CVE-2025-54948",
+      "CVE-2025-55182",
       "CVE-2025-55319",
       "CVE-2025-58034",
       "CVE-2025-59689",
@@ -954,7 +958,6 @@
     "name": "Exploit Public-Facing Application",
     "version": "v19",
     "cve_refs": [
-      "CVE-2008-0015",
       "CVE-2008-4250",
       "CVE-2014-6278",
       "CVE-2015-7755",
@@ -971,6 +974,7 @@
       "CVE-2020-25078",
       "CVE-2020-25079",
       "CVE-2020-7796",
+      "CVE-2021-21311",
       "CVE-2021-22054",
       "CVE-2021-22175",
       "CVE-2021-22681",
@@ -1093,7 +1097,6 @@
       "CVE-2025-4632",
       "CVE-2025-47812",
       "CVE-2025-47827",
-      "CVE-2025-48384",
       "CVE-2025-48700",
       "CVE-2025-48703",
       "CVE-2025-48927",
@@ -1130,6 +1133,7 @@
       "CVE-2025-59718",
       "CVE-2025-61757",
       "CVE-2025-61882",
+      "CVE-2025-61884",
       "CVE-2025-61932",
       "CVE-2025-6204",
       "CVE-2025-6205",
@@ -1359,6 +1363,7 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2007-0671",
+      "CVE-2008-0015",
       "CVE-2009-0238",
       "CVE-2009-0556",
       "CVE-2009-1537",
@@ -1391,8 +1396,10 @@
       "CVE-2025-43529",
       "CVE-2025-4919",
       "CVE-2025-5419",
+      "CVE-2025-6218",
       "CVE-2025-6554",
       "CVE-2025-6558",
+      "CVE-2025-8088",
       "CVE-2026-20700",
       "CVE-2026-21519",
       "CVE-2026-2441",
@@ -10770,7 +10777,10 @@
     "stix_id": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2025-48384"
+    ]
   },
   "T1204.003": {
     "id": "T1204.003",
@@ -13048,7 +13058,11 @@
     "stix_id": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2025-6218",
+      "CVE-2025-8088"
+    ]
   },
   "T1547.002": {
     "id": "T1547.002",

package/data/cve-catalog.json CHANGED Viewed

@@ -24127,7 +24127,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24148,7 +24148,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://web.archive.org/web/20110305211119/https://www.microsoft.com/technet/security/bulletin/ms09-032.mspx",
@@ -24177,11 +24177,21 @@
         "published_date": "2026-02-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-17; due date 2026-03-10. Notes reference: https://web.archive.org/web/20110305211119/https://www.microsoft.com/technet/security/bulletin/ms09-032.mspx ; https://nvd.nist.gov/vuln/detail/CVE-2008-0015",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Video ActiveX control at a version below the fixed release named in the vendor advisory on an endpoint that opens attacker-supplied web content.",
+        "Renderer/process crashes or memory-corruption signatures from the Video ActiveX (IE) after the victim opens attacker web content, followed by unexpected child-process execution.",
+        "Inbound delivery of weaponized web pages followed by code execution with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2008-0015, CISA KEV (added 2026-02-17), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-2441": {
     "name": "Google Chromium CSS Use-After-Free Vulnerability",
@@ -28770,7 +28780,7 @@
     "cwe_refs": [
       "CWE-611"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525",
@@ -28800,11 +28810,21 @@
         "published_date": "2025-12-11"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-11; due date 2026-01-01. Notes reference: This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/ad",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.",
+    "iocs": {
+      "behavioral": [
+        "OSGeo GeoServer reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the GeoServer consistent with XML external entity.",
+        "The GeoServer making outbound requests to internal or cloud-metadata endpoints, or reading server files, on attacker input with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-58360, CISA KEV (added 2025-12-11), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-6218": {
     "name": "RARLAB WinRAR Path Traversal Vulnerability",
@@ -28845,7 +28865,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1203",
+      "T1547.001"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -28866,7 +28888,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=276&cHash=b5165454d983fc9717bc8748901a64f9",
@@ -28895,11 +28917,21 @@
         "published_date": "2025-12-09"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-09; due date 2025-12-30. Notes reference: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=276&cHash=b5165454d983fc9717bc8748901a64f9 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6218",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.",
+    "iocs": {
+      "behavioral": [
+        "RARLAB WinRAR at a version below the fixed release named in the vendor advisory on an endpoint that opens attacker-supplied archives.",
+        "Files written by WinRAR outside the chosen extraction directory — especially into Startup/autorun locations — and execution of those files at next logon.",
+        "Inbound delivery of weaponized archives (email/download) followed by code execution with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-6218, CISA KEV (added 2025-12-09), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203 + T1547.001) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-62221": {
     "name": "Microsoft Windows Use After Free Vulnerability",
@@ -29263,7 +29295,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -29284,7 +29317,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components",
@@ -29314,11 +29347,21 @@
         "published_date": "2025-12-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-05; due date 2025-12-12. Notes reference: Check for signs of potential compromise on all internet accessible REACT instances after applying mitigations. For more information, please see: https://react.dev/blog/2025/12/03/critical-security-vul",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.",
+    "iocs": {
+      "behavioral": [
+        "Meta React Server Components reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the React Server Components consistent with remote-code-execution flaw.",
+        "Post-exploitation indicators on the React Server Components — web shells, unexpected child-process execution, or cryptominer/backdoor activity — with no corresponding legitimate action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-55182, CISA KEV (added 2025-12-05), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-26828": {
     "name": "OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -30944,7 +30987,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30965,7 +31009,7 @@
     "cwe_refs": [
       "CWE-95"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j",
@@ -30994,11 +31038,21 @@
         "published_date": "2025-10-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-30; due date 2025-11-20. Notes reference: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j ; https://nvd.nist.gov/vuln/detail/CVE-2025-24893",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.",
+    "iocs": {
+      "behavioral": [
+        "XWiki Platform reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the XWiki consistent with eval-injection flaw.",
+        "Post-exploitation indicators on the XWiki — web shells, unexpected child-process execution, or cryptominer/backdoor activity — with no corresponding legitimate action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-24893, CISA KEV (added 2025-10-30), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-6204": {
     "name": "Dassault Systèmes DELMIA Apriso Code Injection Vulnerability",
@@ -31984,7 +32038,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -32005,7 +32060,7 @@
     "cwe_refs": [
       "CWE-918"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.oracle.com/security-alerts/alert-cve-2025-61884.html",
@@ -32034,11 +32089,21 @@
         "published_date": "2025-10-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://www.oracle.com/security-alerts/alert-cve-2025-61884.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-61884",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.",
+    "iocs": {
+      "behavioral": [
+        "Oracle E-Business Suite reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Oracle E-Business Suite consistent with server-side request forgery flaw.",
+        "The Oracle E-Business Suite making outbound requests to internal or cloud-metadata endpoints, or reading server files, on attacker input with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-61884, CISA KEV (added 2025-10-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-54253": {
     "name": "Adobe Experience Manager Forms Code Execution Vulnerability",
@@ -34506,7 +34571,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34527,7 +34593,7 @@
     "cwe_refs": [
       "CWE-918"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6",
@@ -34556,11 +34622,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 ; https://nvd.nist.gov/vuln/detail/CVE-2021-21311",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information.",
+    "iocs": {
+      "behavioral": [
+        "Adminer reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Adminer consistent with server-side request forgery flaw.",
+        "The Adminer making outbound requests to internal or cloud-metadata endpoints, or reading server files, on attacker input with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-21311, CISA KEV (added 2025-09-29), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20362": {
     "name": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability",
@@ -35765,7 +35841,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1204.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35787,7 +35863,7 @@
       "CWE-59",
       "CWE-436"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9",
@@ -35820,11 +35896,21 @@
         "published_date": "2025-08-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-25; due date 2025-09-15. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/git/git/security/advisori",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files.",
+    "iocs": {
+      "behavioral": [
+        "Git at a version below the fixed release named in the vendor advisory on an endpoint that opens attacker-supplied repositories.",
+        "Files written outside the working tree on clone/checkout (hooks, config) and execution of repository-supplied scripts.",
+        "Inbound delivery of weaponized repositories (links/clones) followed by code execution with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48384, CISA KEV (added 2025-08-25), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1204.002) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-8068": {
     "name": "Citrix Session Recording Improper Privilege Management Vulnerability",
@@ -36399,7 +36485,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1203",
+      "T1547.001"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -36420,7 +36508,7 @@
     "cwe_refs": [
       "CWE-35"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5",
@@ -36449,11 +36537,21 @@
         "published_date": "2025-08-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-12; due date 2025-09-02. Notes reference: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5 ; https://nvd.nist.gov/vuln/detail/CVE-2025-8088",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files.",
+    "iocs": {
+      "behavioral": [
+        "RARLAB WinRAR at a version below the fixed release named in the vendor advisory on an endpoint that opens attacker-supplied archives.",
+        "Files written by WinRAR outside the chosen extraction directory — especially into Startup/autorun locations — and execution of those files at next logon.",
+        "Inbound delivery of weaponized archives (email/download) followed by code execution with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-8088, CISA KEV (added 2025-08-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203 + T1547.001) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2007-0671": {
     "name": "Microsoft Office Excel Remote Code Execution Vulnerability",
@@ -39941,7 +40039,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39962,7 +40061,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://wazuh.com/blog/addressing-the-cve-2025-24016-vulnerability/",
@@ -39992,11 +40091,21 @@
         "published_date": "2025-06-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-10; due date 2025-07-01. Notes reference: https://wazuh.com/blog/addressing-the-cve-2025-24016-vulnerability/ ; https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh ; https://nvd.nist.gov/vuln/detail/CVE-2025-24016",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.",
+    "iocs": {
+      "behavioral": [
+        "Wazuh Server reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Wazuh server consistent with deserialization-of-untrusted-data flaw.",
+        "Post-exploitation indicators on the Wazuh server — web shells, unexpected child-process execution, or cryptominer/backdoor activity — with no corresponding legitimate action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-24016, CISA KEV (added 2025-06-10), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-42009": {
     "name": "RoundCube Webmail Cross-Site Scripting Vulnerability",
@@ -41904,7 +42013,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41925,7 +42035,7 @@
     "cwe_refs": [
       "CWE-502"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://me.sap.com/notes/3604119",
@@ -41954,11 +42064,21 @@
         "published_date": "2025-05-15"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-15; due date 2025-06-05. Notes reference: SAP users must have an account to log in and access the patch: https://me.sap.com/notes/3604119 ; https://nvd.nist.gov/vuln/detail/CVE-2025-42999",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.",
+    "iocs": {
+      "behavioral": [
+        "SAP NetWeaver reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the SAP NetWeaver consistent with deserialization-of-untrusted-data flaw.",
+        "Post-exploitation indicators on the SAP NetWeaver — web shells, unexpected child-process execution, or cryptominer/backdoor activity — with no corresponding legitimate action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-42999, CISA KEV (added 2025-05-15), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1059 code execution) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-12987": {
     "name": "DrayTek Vigor Routers OS Command Injection Vulnerability",