@blamejs/exceptd-skills 0.15.35 → 0.15.37

package/data/zeroday-lessons.json

@@ -12947,35 +12947,58 @@
   },
   "CVE-2008-0015": {
     "name": " Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a memory-corruption code-execution flaw (CWE-94) in the Microsoft Video ActiveX control (msvidctl), exploitable by an attacker-controlled web page in Internet Explorer for drive-by remote code execution. CISA KEV-listed 2026-02-17 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the victim opens or processes the attacker's file/content/repository)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft update and retire end-of-life Internet Explorer / disable the vulnerable ActiveX control via kill-bit; enforce browser hardening and web-content filtering.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; the lasting controls are file-provenance enforcement, application hardening, and retiring end-of-life software, since these flaws are reached through everyday file/content handling."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR signatures for child-process execution from the browser after web-content render.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched and catches the post-exploitation drop/execution stage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch (or retire the end-of-life component), isolate exploited endpoints, remove dropped autostart/hook payloads, hunt for follow-on loaders, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; client-side execution typically establishes persistence (autorun/hooks) and leads to credential harvest, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side file/content-handling flaw; weaponized archives, web content, and repositories are delivered by email, web, and supply chain and exploited within days. Long-tail unpatched and end-of-life software (Internet Explorer / ActiveX) remains exposed for years."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client flaw, and the legacy re-listings exist because organizations still run vulnerable or end-of-life software."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 names application patching and hardening, but the load-bearing controls here are file-provenance enforcement (Mark-of-the-Web propagation to extracted files), ASR rules, disabling risky ActiveX, and hardened version-control settings (protectNTFS, disabling symlinks on clone) — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 57,
+      "basis": "Microsoft Video ActiveX control is ubiquitous on endpoints/developer machines; audited organizations that rely on patching alone — without file-provenance enforcement, ASR rules, ActiveX kill-bits, or hardened clone settings — remain exposed for this KEV-listed, actively-exploited flaw, and long-tail/EOL software widens the window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-2441": {
     "name": "Google Chromium CSS Use-After-Free Vulnerability",
@@ -15340,35 +15363,58 @@
   },
   "CVE-2025-6218": {
     "name": "RARLAB WinRAR Path Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a path-traversal flaw (CWE-22) in WinRAR's archive extraction, letting a crafted archive write files outside the intended directory (e.g. into a Startup/autorun location) for code execution when the victim extracts it. CISA KEV-listed 2025-12-09 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the victim opens or processes the attacker's file/content/repository)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the WinRAR update; enforce Mark-of-the-Web propagation to extracted files and ASR rules so a dropped autorun payload is blocked or flagged, and filter inbound archives.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; the lasting controls are file-provenance enforcement, application hardening, and retiring end-of-life software, since these flaws are reached through everyday file/content handling."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR detection of files written to autorun locations by an archiver and execution of newly-dropped autostart entries.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched and catches the post-exploitation drop/execution stage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch (or retire the end-of-life component), isolate exploited endpoints, remove dropped autostart/hook payloads, hunt for follow-on loaders, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; client-side execution typically establishes persistence (autorun/hooks) and leads to credential harvest, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side file/content-handling flaw; weaponized archives, web content, and repositories are delivered by email, web, and supply chain and exploited within days. Long-tail unpatched and end-of-life software (Internet Explorer / ActiveX) remains exposed for years."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client flaw, and the legacy re-listings exist because organizations still run vulnerable or end-of-life software."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 names application patching and hardening, but the load-bearing controls here are file-provenance enforcement (Mark-of-the-Web propagation to extracted files), ASR rules, disabling risky ActiveX, and hardened version-control settings (protectNTFS, disabling symlinks on clone) — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 57,
+      "basis": "RARLAB WinRAR is ubiquitous on endpoints/developer machines; audited organizations that rely on patching alone — without file-provenance enforcement, ASR rules, ActiveX kill-bits, or hardened clone settings — remain exposed for this KEV-listed, actively-exploited flaw, and long-tail/EOL software widens the window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-62221": {
     "name": "Microsoft Windows Use After Free Vulnerability",
@@ -16422,35 +16468,58 @@
   },
   "CVE-2025-41244": {
     "name": "Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a privilege-management flaw (CWE-267) in VMware Aria Operations and VMware Tools, letting a local user in a managed guest escalate privileges. CISA KEV-listed 2025-10-30 with confirmed in-the-wild exploitation; escalation flaws of this class form the second half of an intrusion chain.",
+      "privileges_required": "low (a local foothold — an unprivileged app, user, or process on the host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the VMware update; restrict the privileged collection account and segment management access — a guest LPE combined with management reach can pivot across the virtual estate.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root/SYSTEM) which a patched host shuts down, with platform hardening as the backstop."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/auditd telemetry for unprivileged-to-elevated transitions and the escalation primitive without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched hosts; escalation is typically silent without endpoint/identity monitoring."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch; for confirmed exploitation treat the host as compromised, isolate, preserve forensic state, rotate credentials, and review for follow-on persistence.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/SYSTEM-level escalation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed local/host privilege-escalation flaw; paired with an initial-access primitive, attackers elevate to root/SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited escalation flaw, which is the second half of nearly every intrusion chain."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 names OS/application patching, but the load-bearing backstops are platform-specific and unnamed: least-privilege and SELinux/seccomp on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and SMB signing / NTLM-disablement for the reflection class (the last breaks the attack regardless of patch state)."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 69,
+      "basis": "VMware Aria Operations and VMware Tools is widely deployed; audited organizations gate host/agent patches behind change windows and rarely enforce the platform-specific backstop (SELinux/seccomp, MDM OTA SLA, management-account segmentation, SMB signing), leaving the escalation chain open past the in-the-wild window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-24893": {
     "name": "XWiki Platform Eval Injection Vulnerability",
@@ -16961,35 +17030,58 @@
   },
   "CVE-2025-33073": {
     "name": "Microsoft Windows SMB Client Improper Access Control Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-access-control flaw (CWE-284) in the Windows SMB client enabling NTLM reflection — by coercing a victim host to authenticate to an attacker-controlled server, the attacker reflects the authentication back to the victim to gain SYSTEM. CISA KEV-listed 2025-10-20 with confirmed in-the-wild exploitation; escalation flaws of this class form the second half of an intrusion chain.",
+      "privileges_required": "low (the ability to coerce a victim host to authenticate; no valid credentials on the target)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Microsoft update AND enforce SMB signing (and disable NTLM where possible); SMB signing breaks the reflection/relay regardless of patch state, so it is the durable control.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is necessary but SMB signing breaks the reflection regardless of patch state and is the durable control; NTLM disablement removes the primitive entirely."
+      },
+      "detection": {
+        "what_would_have_worked": "Detection of coerced/relayed NTLM authentication: unexpected outbound SMB from servers, authentication to attacker infrastructure, and SYSTEM actions without an admin login.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched hosts; escalation is typically silent without endpoint/identity monitoring."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch; for confirmed exploitation treat the host as compromised, isolate, preserve forensic state, rotate credentials, and enforce SMB signing fleet-wide and hunt for relay activity.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/SYSTEM-level escalation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed local/host privilege-escalation flaw; paired with an initial-access primitive, attackers elevate to root/SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited escalation flaw, which is the second half of nearly every intrusion chain."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 names OS/application patching, but the load-bearing backstops are platform-specific and unnamed: least-privilege and SELinux/seccomp on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and SMB signing / NTLM-disablement for the reflection class (the last breaks the attack regardless of patch state)."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 69,
+      "basis": "Microsoft Windows SMB Client is widely deployed; audited organizations gate host/agent patches behind change windows and rarely enforce the platform-specific backstop (SELinux/seccomp, MDM OTA SLA, management-account segmentation, SMB signing), leaving the escalation chain open past the in-the-wild window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-61884": {
     "name": "Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability",
@@ -18092,35 +18184,58 @@
   },
   "CVE-2025-32463": {
     "name": "Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a flaw allowing inclusion of functionality from an untrusted control sphere (CWE-829) in Sudo's chroot handling, letting a local user load attacker-controlled configuration/libraries and escalate to root. CISA KEV-listed 2025-09-29 with confirmed in-the-wild exploitation; escalation flaws of this class form the second half of an intrusion chain.",
+      "privileges_required": "low (a local foothold — an unprivileged app, user, or process on the host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the distribution Sudo update; restrict sudo configuration and avoid the chroot feature where unneeded — local-to-root escalation turns any foothold into full host compromise.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root/SYSTEM) which a patched host shuts down, with platform hardening as the backstop."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/auditd telemetry for unprivileged-to-elevated transitions and the escalation primitive without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched hosts; escalation is typically silent without endpoint/identity monitoring."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch; for confirmed exploitation treat the host as compromised, isolate, preserve forensic state, rotate credentials, and review for follow-on persistence.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/SYSTEM-level escalation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed local/host privilege-escalation flaw; paired with an initial-access primitive, attackers elevate to root/SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited escalation flaw, which is the second half of nearly every intrusion chain."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 names OS/application patching, but the load-bearing backstops are platform-specific and unnamed: least-privilege and SELinux/seccomp on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and SMB signing / NTLM-disablement for the reflection class (the last breaks the attack regardless of patch state)."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 69,
+      "basis": "Sudo is widely deployed; audited organizations gate host/agent patches behind change windows and rarely enforce the platform-specific backstop (SELinux/seccomp, MDM OTA SLA, management-account segmentation, SMB signing), leaving the escalation chain open past the in-the-wild window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-59689": {
     "name": "Libraesva Email Security Gateway Command Injection Vulnerability",
@@ -18544,35 +18659,58 @@
   },
   "CVE-2025-48543": {
     "name": "Android Runtime Use-After-Free Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation.",
-      "privileges_required": "unprivileged local user",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a use-after-free / privilege-management flaw (CWE-269) in the Android Runtime, exploited by a local app to escalate privileges on the device (the local-escalation step after an initial-access primitive in a mobile exploit chain). CISA KEV-listed 2025-09-04 with confirmed in-the-wild exploitation; escalation flaws of this class form the second half of an intrusion chain.",
+      "privileges_required": "low (a local foothold — an unprivileged app, user, or process on the host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Android Security Bulletin OTA update and enforce update SLAs via MDM; mobile-threat-defense backstops devices pending the fix.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root/SYSTEM) which a patched host shuts down, with platform hardening as the backstop."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for unprivileged-to-elevated transitions and the escalation primitive without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched hosts; escalation is typically silent without endpoint/identity monitoring."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch; for confirmed exploitation treat the host as compromised, isolate, preserve forensic state, rotate credentials, and review for follow-on persistence.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/SYSTEM-level escalation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed local/host privilege-escalation flaw; paired with an initial-access primitive, attackers elevate to root/SYSTEM within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited escalation flaw, which is the second half of nearly every intrusion chain."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 names OS/application patching, but the load-bearing backstops are platform-specific and unnamed: least-privilege and SELinux/seccomp on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and SMB signing / NTLM-disablement for the reflection class (the last breaks the attack regardless of patch state)."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 69,
+      "basis": "Android is widely deployed; audited organizations gate host/agent patches behind change windows and rarely enforce the platform-specific backstop (SELinux/seccomp, MDM OTA SLA, management-account segmentation, SMB signing), leaving the escalation chain open past the in-the-wild window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-53690": {
     "name": "Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability",
@@ -18968,35 +19106,58 @@
   },
   "CVE-2025-48384": {
     "name": "Git Link Following Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a link-following flaw (CWE-59/CWE-436) in Git, letting a malicious repository write files outside the working tree on clone/checkout (e.g. a hook), leading to code execution when the victim works with the repository. CISA KEV-listed 2025-08-25 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the victim opens or processes the attacker's file/content/repository)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Git update; enable hardened clone settings (core.protectNTFS, core.symlinks=false where appropriate) and avoid cloning untrusted repositories on sensitive hosts — repository content is attacker-controlled.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; the lasting controls are file-provenance enforcement, application hardening, and retiring end-of-life software, since these flaws are reached through everyday file/content handling."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/version-control monitoring for files written outside the working tree on clone and execution of repository hooks.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched and catches the post-exploitation drop/execution stage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch (or retire the end-of-life component), isolate exploited endpoints, remove dropped autostart/hook payloads, hunt for follow-on loaders, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; client-side execution typically establishes persistence (autorun/hooks) and leads to credential harvest, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side file/content-handling flaw; weaponized archives, web content, and repositories are delivered by email, web, and supply chain and exploited within days. Long-tail unpatched and end-of-life software (Internet Explorer / ActiveX) remains exposed for years."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client flaw, and the legacy re-listings exist because organizations still run vulnerable or end-of-life software."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 names application patching and hardening, but the load-bearing controls here are file-provenance enforcement (Mark-of-the-Web propagation to extracted files), ASR rules, disabling risky ActiveX, and hardened version-control settings (protectNTFS, disabling symlinks on clone) — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 57,
+      "basis": "Git is ubiquitous on endpoints/developer machines; audited organizations that rely on patching alone — without file-provenance enforcement, ASR rules, ActiveX kill-bits, or hardened clone settings — remain exposed for this KEV-listed, actively-exploited flaw, and long-tail/EOL software widens the window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2024-8068": {
     "name": "Citrix Session Recording Improper Privilege Management Vulnerability",
@@ -19299,36 +19460,59 @@
     "ai_assist_factor": "none"
   },
   "CVE-2025-8088": {
-    "name": "RARLAB WinRAR Path Traversal Vulnerability",
-    "lesson_date": "2026-05-18",
+    "name": "RARLAB WinRAR Path Traversal Vulnerability (variant: CVE-2025-8088)",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a path-traversal flaw (CWE-35) in WinRAR's archive extraction (a variant), letting a crafted archive write to autorun locations for code execution on extraction — used in the wild by espionage actors. CISA KEV-listed 2025-08-12 with confirmed in-the-wild exploitation.",
+      "privileges_required": "none (the victim opens or processes the attacker's file/content/repository)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the WinRAR update; enforce Mark-of-the-Web propagation to extracted files and ASR rules so a dropped autorun payload is blocked or flagged, and filter inbound archives.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive on a managed estate; the lasting controls are file-provenance enforcement, application hardening, and retiring end-of-life software, since these flaws are reached through everyday file/content handling."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR detection of files written to autorun locations by an archiver and execution of newly-dropped autostart entries.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet patched and catches the post-exploitation drop/execution stage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the patch (or retire the end-of-life component), isolate exploited endpoints, remove dropped autostart/hook payloads, hunt for follow-on loaders, and review for credential theft.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; client-side execution typically establishes persistence (autorun/hooks) and leads to credential harvest, which a bare patch does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited client-side file/content-handling flaw; weaponized archives, web content, and repositories are delivered by email, web, and supply chain and exploited within days. Long-tail unpatched and end-of-life software (Internet Explorer / ActiveX) remains exposed for years."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited client flaw, and the legacy re-listings exist because organizations still run vulnerable or end-of-life software."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 names application patching and hardening, but the load-bearing controls here are file-provenance enforcement (Mark-of-the-Web propagation to extracted files), ASR rules, disabling risky ActiveX, and hardened version-control settings (protectNTFS, disabling symlinks on clone) — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 57,
+      "basis": "RARLAB WinRAR is ubiquitous on endpoints/developer machines; audited organizations that rely on patching alone — without file-provenance enforcement, ASR rules, ActiveX kill-bits, or hardened clone settings — remain exposed for this KEV-listed, actively-exploited flaw, and long-tail/EOL software widens the window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2007-0671": {
     "name": "Microsoft Office Excel Remote Code Execution Vulnerability",