npm - @blamejs/exceptd-skills - Versions diffs - 0.15.35 → 0.15.37 - Mend

@blamejs/exceptd-skills 0.15.35 → 0.15.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +19 -8
package/data/cve-catalog.json +132 -47
package/data/zeroday-lessons.json +289 -105
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Changelog
+## 0.15.37 — 2026-05-29
+Draft-curation pass 34 — local and host privilege escalation. Four CISA KEV-listed escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons, spanning four platforms: the Sudo chroot-handling local-to-root flaw (CVE-2025-32463), an Android Runtime privilege escalation (CVE-2025-48543), a VMware Aria Operations / VMware Tools guest privilege-management flaw (CVE-2025-41244), and the Windows SMB client NTLM-reflection-to-SYSTEM flaw (CVE-2025-33073). All map T1068; the SMB-client case also maps T1557.001 (NTLM relay). The lessons frame these as the escalation half of an intrusion chain and name the platform-specific backstops the frameworks leave unstated — SELinux/seccomp and least privilege on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and — most importantly — SMB signing plus NTLM disablement for the reflection class, which breaks the attack regardless of patch state.
+## 0.15.36 — 2026-05-29
+Draft-curation pass 33 — client-side file and content handling. Four CISA KEV-listed CVEs where a victim processes attacker-supplied content are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: WinRAR archive-extraction path traversals that drop a payload into an autorun location (CVE-2025-6218, CVE-2025-8088 — the latter used by espionage actors), the Microsoft Video ActiveX (msvidctl) Internet Explorer drive-by (CVE-2008-0015), and the Git link-following flaw that lets a malicious repository write outside the working tree on clone/checkout (CVE-2025-48384). They map T1203 (exploitation for client execution) with T1547.001 for the archive autorun drops, and T1204.002 (user execution of a malicious file) for the Git repository case. The lessons name the load-bearing controls beyond patching: Mark-of-the-Web propagation to extracted files, ASR rules, ActiveX kill-bits and retiring end-of-life Internet Explorer, and hardened version-control clone settings (protectNTFS, disabling symlinks) on developer machines.
 ## 0.15.35 — 2026-05-29
 Draft-curation pass 32 — server-side processing of untrusted data. Seven CISA KEV-listed unauthenticated CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons. The remote-code-execution set — SAP NetWeaver deserialization (CVE-2025-42999), Wazuh server deserialization (CVE-2025-24016), Meta React Server Components (CVE-2025-55182), and XWiki eval injection (CVE-2025-24893) — maps T1190 and T1059; the forgery/disclosure set — OSGeo GeoServer XXE (CVE-2025-58360), Adminer SSRF (CVE-2021-21311), and Oracle E-Business Suite SSRF (CVE-2025-61884) — maps T1190. The lessons separate the RCE response (web-shell hunting and secret rotation) from the SSRF/XXE response (egress filtering, cloud-metadata blocking, disabling external entities), and flag two amplifiers: a compromised Wazuh monitoring server blinds detection across the estate, and SAP/Oracle E-Business Suite sit adjacent to financial data in PCI scope.

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T03:45:52.260Z",
+  "generated_at": "2026-05-30T04:47:47.792Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "1883386c234d1c94350e6ecbdbf4decb6b0bf7c280355a2977c89056c3b40f2d",
+    "manifest.json": "4db3fbdad74120fea41c942cdc85622ac77d69d47a850acb3575d56674aeff58",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "14746c8acf8019d2340a93912393c0d5986d9df509ca551d2dae25d199c223de",
-    "data/cve-catalog.json": "31c934e524a16a103651ed8f3a76e175dac934886999f9add2ca0633168a9139",
+    "data/attack-techniques.json": "a402836f7d4443f6cccc3c6b4cc387f714dc001a266708b7d25bb0cafcbec842",
+    "data/cve-catalog.json": "1fa6bfad96c5ba8a89270a8aafb4433c3c03f1f107697e83f15dba4562737844",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "73fd27ed2806eddbd690f58e21c7a8a6d7554283c2a7f9b41ac09b6c3a129da9",
+    "data/zeroday-lessons.json": "1e7bd615bc5516d11db4c83a5dcf631a7826c26e626a6c65abe925401a525f7e",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json CHANGED Viewed

@@ -531,11 +531,14 @@
       "CVE-2025-24990",
       "CVE-2025-27038",
       "CVE-2025-31277",
+      "CVE-2025-32463",
       "CVE-2025-32701",
       "CVE-2025-32706",
       "CVE-2025-32709",
+      "CVE-2025-33073",
       "CVE-2025-38352",
       "CVE-2025-40602",
+      "CVE-2025-41244",
       "CVE-2025-43300",
       "CVE-2025-48543",
       "CVE-2025-48572",
@@ -958,7 +961,6 @@
     "name": "Exploit Public-Facing Application",
     "version": "v19",
     "cve_refs": [
-      "CVE-2008-0015",
       "CVE-2008-4250",
       "CVE-2014-6278",
       "CVE-2015-7755",
@@ -1076,12 +1078,10 @@
       "CVE-2025-32432",
       "CVE-2025-32433",
       "CVE-2025-32444",
-      "CVE-2025-32463",
       "CVE-2025-3248",
       "CVE-2025-32756",
       "CVE-2025-32975",
       "CVE-2025-33053",
-      "CVE-2025-33073",
       "CVE-2025-34026",
       "CVE-2025-34291",
       "CVE-2025-3466",
@@ -1091,14 +1091,12 @@
       "CVE-2025-4008",
       "CVE-2025-40536",
       "CVE-2025-40551",
-      "CVE-2025-41244",
       "CVE-2025-42999",
       "CVE-2025-4427",
       "CVE-2025-4428",
       "CVE-2025-4632",
       "CVE-2025-47812",
       "CVE-2025-47827",
-      "CVE-2025-48384",
       "CVE-2025-48700",
       "CVE-2025-48703",
       "CVE-2025-48927",
@@ -1365,6 +1363,7 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2007-0671",
+      "CVE-2008-0015",
       "CVE-2009-0238",
       "CVE-2009-0556",
       "CVE-2009-1537",
@@ -1397,8 +1396,10 @@
       "CVE-2025-43529",
       "CVE-2025-4919",
       "CVE-2025-5419",
+      "CVE-2025-6218",
       "CVE-2025-6554",
       "CVE-2025-6558",
+      "CVE-2025-8088",
       "CVE-2026-20700",
       "CVE-2026-21519",
       "CVE-2026-2441",
@@ -10776,7 +10777,10 @@
     "stix_id": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2025-48384"
+    ]
   },
   "T1204.003": {
     "id": "T1204.003",
@@ -13054,7 +13058,11 @@
     "stix_id": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2025-6218",
+      "CVE-2025-8088"
+    ]
   },
   "T1547.002": {
     "id": "T1547.002",
@@ -14267,7 +14275,10 @@
     "stix_id": "attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2025-33073"
+    ]
   },
   "T1557.002": {
     "id": "T1557.002",

package/data/cve-catalog.json CHANGED Viewed

@@ -24127,7 +24127,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24148,7 +24148,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://web.archive.org/web/20110305211119/https://www.microsoft.com/technet/security/bulletin/ms09-032.mspx",
@@ -24177,11 +24177,21 @@
         "published_date": "2026-02-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-17; due date 2026-03-10. Notes reference: https://web.archive.org/web/20110305211119/https://www.microsoft.com/technet/security/bulletin/ms09-032.mspx ; https://nvd.nist.gov/vuln/detail/CVE-2008-0015",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Video ActiveX control at a version below the fixed release named in the vendor advisory on an endpoint that opens attacker-supplied web content.",
+        "Renderer/process crashes or memory-corruption signatures from the Video ActiveX (IE) after the victim opens attacker web content, followed by unexpected child-process execution.",
+        "Inbound delivery of weaponized web pages followed by code execution with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2008-0015, CISA KEV (added 2026-02-17), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-2441": {
     "name": "Google Chromium CSS Use-After-Free Vulnerability",
@@ -28855,7 +28865,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1203",
+      "T1547.001"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -28876,7 +28888,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=276&cHash=b5165454d983fc9717bc8748901a64f9",
@@ -28905,11 +28917,21 @@
         "published_date": "2025-12-09"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-09; due date 2025-12-30. Notes reference: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=276&cHash=b5165454d983fc9717bc8748901a64f9 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6218",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.",
+    "iocs": {
+      "behavioral": [
+        "RARLAB WinRAR at a version below the fixed release named in the vendor advisory on an endpoint that opens attacker-supplied archives.",
+        "Files written by WinRAR outside the chosen extraction directory — especially into Startup/autorun locations — and execution of those files at next logon.",
+        "Inbound delivery of weaponized archives (email/download) followed by code execution with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-6218, CISA KEV (added 2025-12-09), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203 + T1547.001) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-62221": {
     "name": "Microsoft Windows Use After Free Vulnerability",
@@ -30869,7 +30891,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30890,7 +30912,7 @@
     "cwe_refs": [
       "CWE-267"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149",
@@ -30919,11 +30941,21 @@
         "published_date": "2025-10-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-30; due date 2025-11-20. Notes reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149 ; https://nvd.nist.gov/vuln/detail/CVE-2025-41244",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.",
+    "iocs": {
+      "behavioral": [
+        "VMware Aria Operations and VMware Tools at a version below the fixed release named in the vendor advisory on a host with any local foothold.",
+        "An unprivileged user/process gaining root/elevated privilege via the affected component with no corresponding legitimate escalation.",
+        "Post-escalation activity — process/driver crashes, privilege transitions, or persistence — with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-41244, CISA KEV (added 2025-10-30), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-24893": {
     "name": "XWiki Platform Eval Injection Vulnerability",
@@ -31919,7 +31951,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068",
+      "T1557.001"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -31940,7 +31973,7 @@
     "cwe_refs": [
       "CWE-284"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33073",
@@ -31969,11 +32002,21 @@
         "published_date": "2025-10-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33073 ; https://nvd.nist.gov/vuln/detail/CVE-2025-33073",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows SMB Client at a version below the fixed release named in the vendor advisory on a host with any local foothold or reachable for SMB coercion.",
+        "Coerced outbound SMB/NTLM authentication from a victim host to an unexpected server, followed by a SYSTEM-level action with no matching administrative login.",
+        "Use of reflected credentials — process/driver crashes, privilege transitions, or persistence — with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-33073, CISA KEV (added 2025-10-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation + T1557.001 NTLM relay) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-61884": {
     "name": "Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability",
@@ -34130,7 +34173,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34151,7 +34194,7 @@
     "cwe_refs": [
       "CWE-829"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.sudo.ws/security/advisories/chroot_bug/",
@@ -34180,11 +34223,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.",
+    "iocs": {
+      "behavioral": [
+        "Sudo at a version below the fixed release named in the vendor advisory on a host with any local foothold.",
+        "An unprivileged user/process gaining root/elevated privilege via the affected component with no corresponding legitimate escalation.",
+        "Post-escalation activity — process/driver crashes, privilege transitions, or persistence — with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-32463, CISA KEV (added 2025-09-29), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-59689": {
     "name": "Libraesva Email Security Gateway Command Injection Vulnerability",
@@ -35005,7 +35058,7 @@
     "cwe_refs": [
       "CWE-269"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://source.android.com/docs/security/bulletin/2025-09-01",
@@ -35034,11 +35087,21 @@
         "published_date": "2025-09-04"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-04; due date 2025-09-25. Notes reference: https://source.android.com/docs/security/bulletin/2025-09-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48543",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation.",
+    "iocs": {
+      "behavioral": [
+        "Android at a version below the fixed release named in the vendor advisory on a host with any local foothold.",
+        "An unprivileged app gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation.",
+        "Post-escalation activity — process/driver crashes, privilege transitions, or persistence — with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48543, CISA KEV (added 2025-09-04), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-53690": {
     "name": "Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability",
@@ -35819,7 +35882,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1204.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35841,7 +35904,7 @@
       "CWE-59",
       "CWE-436"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9",
@@ -35874,11 +35937,21 @@
         "published_date": "2025-08-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-25; due date 2025-09-15. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/git/git/security/advisori",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files.",
+    "iocs": {
+      "behavioral": [
+        "Git at a version below the fixed release named in the vendor advisory on an endpoint that opens attacker-supplied repositories.",
+        "Files written outside the working tree on clone/checkout (hooks, config) and execution of repository-supplied scripts.",
+        "Inbound delivery of weaponized repositories (links/clones) followed by code execution with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48384, CISA KEV (added 2025-08-25), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1204.002) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-8068": {
     "name": "Citrix Session Recording Improper Privilege Management Vulnerability",
@@ -36453,7 +36526,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1203",
+      "T1547.001"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -36474,7 +36549,7 @@
     "cwe_refs": [
       "CWE-35"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5",
@@ -36503,11 +36578,21 @@
         "published_date": "2025-08-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-12; due date 2025-09-02. Notes reference: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5 ; https://nvd.nist.gov/vuln/detail/CVE-2025-8088",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files.",
+    "iocs": {
+      "behavioral": [
+        "RARLAB WinRAR at a version below the fixed release named in the vendor advisory on an endpoint that opens attacker-supplied archives.",
+        "Files written by WinRAR outside the chosen extraction directory — especially into Startup/autorun locations — and execution of those files at next logon.",
+        "Inbound delivery of weaponized archives (email/download) followed by code execution with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-8088, CISA KEV (added 2025-08-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (client-side T1203 + T1547.001) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2007-0671": {
     "name": "Microsoft Office Excel Remote Code Execution Vulnerability",