@blamejs/exceptd-skills 0.15.36 → 0.15.38

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.38 — 2026-05-29
+
+Draft-curation pass 35 — path traversal file access. Four CISA KEV-listed unauthenticated path-traversal CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Ruby on Rails Action View arbitrary file read (CVE-2019-5418), Srimax Output Messenger directory traversal chained to code execution (CVE-2025-27920), ZKTeco BioTime arbitrary file read (CVE-2023-38950), and the end-of-life D-Link DIR-859 router configuration disclosure (CVE-2024-0769). All map T1190; the secret-leaking file-read variants also map T1552. The lessons stress that patching does not undo the disclosure — every secret a traversal read must be rotated — that file-write traversals require hunting for dropped payloads, and that an end-of-life device (DIR-859) can only be replaced, not patched.
+
+## 0.15.37 — 2026-05-29
+
+Draft-curation pass 34 — local and host privilege escalation. Four CISA KEV-listed escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons, spanning four platforms: the Sudo chroot-handling local-to-root flaw (CVE-2025-32463), an Android Runtime privilege escalation (CVE-2025-48543), a VMware Aria Operations / VMware Tools guest privilege-management flaw (CVE-2025-41244), and the Windows SMB client NTLM-reflection-to-SYSTEM flaw (CVE-2025-33073). All map T1068; the SMB-client case also maps T1557.001 (NTLM relay). The lessons frame these as the escalation half of an intrusion chain and name the platform-specific backstops the frameworks leave unstated — SELinux/seccomp and least privilege on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and — most importantly — SMB signing plus NTLM disablement for the reflection class, which breaks the attack regardless of patch state.
+
 ## 0.15.36 — 2026-05-29
 
 Draft-curation pass 33 — client-side file and content handling. Four CISA KEV-listed CVEs where a victim processes attacker-supplied content are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: WinRAR archive-extraction path traversals that drop a payload into an autorun location (CVE-2025-6218, CVE-2025-8088 — the latter used by espionage actors), the Microsoft Video ActiveX (msvidctl) Internet Explorer drive-by (CVE-2008-0015), and the Git link-following flaw that lets a malicious repository write outside the working tree on clone/checkout (CVE-2025-48384). They map T1203 (exploitation for client execution) with T1547.001 for the archive autorun drops, and T1204.002 (user execution of a malicious file) for the Git repository case. The lessons name the load-bearing controls beyond patching: Mark-of-the-Web propagation to extracted files, ASR rules, ActiveX kill-bits and retiring end-of-life Internet Explorer, and hardened version-control clone settings (protectNTFS, disabling symlinks) on developer machines.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T04:05:55.244Z",
+  "generated_at": "2026-05-30T05:05:33.943Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "884aba4143a7e713aeb7e65d91e2cc581c9b910ad01099ba44d6bd4d44e10382",
+    "manifest.json": "a98d7f6abe573e5ba73e7e1097cc30a1703fff81ccc9922b00630341b2ade670",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "a79c8dae3527ce9b7bdb305b86d54b7939406602bb36ac49b7732f461fa9bb59",
-    "data/cve-catalog.json": "fa2ed2e00aac67bbbd053ef97a2c165f5f836c58375c279419f2192aafbd84d1",
+    "data/attack-techniques.json": "b8799721fb6d455811f555410845423ec87f2c26f70fe1222ee19088aa6e43f5",
+    "data/cve-catalog.json": "0ca079ef9ae7f74755398ad434c2c0c5fe3ee7be488549af3a5ecf2394ae0ba8",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "3d8efcdc4d8edda2f4d85ac33767ea0b471f035840c93fa8c24a3ea8c03e4962",
+    "data/zeroday-lessons.json": "adf769626f304dd6cbd700f6f3bfe8359de02282929008e16599599470377c5c",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -531,11 +531,14 @@
       "CVE-2025-24990",
       "CVE-2025-27038",
       "CVE-2025-31277",
+      "CVE-2025-32463",
       "CVE-2025-32701",
       "CVE-2025-32706",
       "CVE-2025-32709",
+      "CVE-2025-33073",
       "CVE-2025-38352",
       "CVE-2025-40602",
+      "CVE-2025-41244",
       "CVE-2025-43300",
       "CVE-2025-48543",
       "CVE-2025-48572",
@@ -967,6 +970,7 @@
       "CVE-2017-7921",
       "CVE-2018-4063",
       "CVE-2019-19006",
+      "CVE-2019-5418",
       "CVE-2019-6693",
       "CVE-2019-9621",
       "CVE-2020-10148",
@@ -993,6 +997,7 @@
       "CVE-2023-27351",
       "CVE-2023-33538",
       "CVE-2023-3519",
+      "CVE-2023-38950",
       "CVE-2023-39780",
       "CVE-2023-43654",
       "CVE-2023-43791",
@@ -1005,6 +1010,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2024-0769",
       "CVE-2024-12450",
       "CVE-2024-12776",
       "CVE-2024-12987",
@@ -1066,6 +1072,7 @@
       "CVE-2025-2775",
       "CVE-2025-2776",
       "CVE-2025-27915",
+      "CVE-2025-27920",
       "CVE-2025-29635",
       "CVE-2025-30165",
       "CVE-2025-30202",
@@ -1075,12 +1082,10 @@
       "CVE-2025-32432",
       "CVE-2025-32433",
       "CVE-2025-32444",
-      "CVE-2025-32463",
       "CVE-2025-3248",
       "CVE-2025-32756",
       "CVE-2025-32975",
       "CVE-2025-33053",
-      "CVE-2025-33073",
       "CVE-2025-34026",
       "CVE-2025-34291",
       "CVE-2025-3466",
@@ -1090,7 +1095,6 @@
       "CVE-2025-4008",
       "CVE-2025-40536",
       "CVE-2025-40551",
-      "CVE-2025-41244",
       "CVE-2025-42999",
       "CVE-2025-4427",
       "CVE-2025-4428",
@@ -1730,9 +1734,12 @@
     "name": "Unsecured Credentials",
     "version": "v19",
     "cve_refs": [
+      "CVE-2019-5418",
       "CVE-2021-22681",
       "CVE-2021-43798",
+      "CVE-2023-38950",
       "CVE-2023-47117",
+      "CVE-2024-0769",
       "CVE-2024-12450",
       "CVE-2025-11371",
       "CVE-2025-14611",
@@ -14275,7 +14282,10 @@
     "stix_id": "attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2025-33073"
+    ]
   },
   "T1557.002": {
     "id": "T1557.002",

package/data/cve-catalog.json

@@ -30891,7 +30891,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -30912,7 +30912,7 @@
     "cwe_refs": [
       "CWE-267"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149",
@@ -30941,11 +30941,21 @@
         "published_date": "2025-10-30"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-30; due date 2025-11-20. Notes reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149 ; https://nvd.nist.gov/vuln/detail/CVE-2025-41244",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.",
+    "iocs": {
+      "behavioral": [
+        "VMware Aria Operations and VMware Tools at a version below the fixed release named in the vendor advisory on a host with any local foothold.",
+        "An unprivileged user/process gaining root/elevated privilege via the affected component with no corresponding legitimate escalation.",
+        "Post-escalation activity — process/driver crashes, privilege transitions, or persistence — with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-41244, CISA KEV (added 2025-10-30), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-24893": {
     "name": "XWiki Platform Eval Injection Vulnerability",
@@ -31941,7 +31951,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068",
+      "T1557.001"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -31962,7 +31973,7 @@
     "cwe_refs": [
       "CWE-284"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33073",
@@ -31991,11 +32002,21 @@
         "published_date": "2025-10-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-20; due date 2025-11-10. Notes reference: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-33073 ; https://nvd.nist.gov/vuln/detail/CVE-2025-33073",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft Windows SMB Client at a version below the fixed release named in the vendor advisory on a host with any local foothold or reachable for SMB coercion.",
+        "Coerced outbound SMB/NTLM authentication from a victim host to an unexpected server, followed by a SYSTEM-level action with no matching administrative login.",
+        "Use of reflected credentials — process/driver crashes, privilege transitions, or persistence — with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-33073, CISA KEV (added 2025-10-20), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation + T1557.001 NTLM relay) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-61884": {
     "name": "Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability",
@@ -34152,7 +34173,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -34173,7 +34194,7 @@
     "cwe_refs": [
       "CWE-829"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.sudo.ws/security/advisories/chroot_bug/",
@@ -34202,11 +34223,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.",
+    "iocs": {
+      "behavioral": [
+        "Sudo at a version below the fixed release named in the vendor advisory on a host with any local foothold.",
+        "An unprivileged user/process gaining root/elevated privilege via the affected component with no corresponding legitimate escalation.",
+        "Post-escalation activity — process/driver crashes, privilege transitions, or persistence — with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-32463, CISA KEV (added 2025-09-29), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-59689": {
     "name": "Libraesva Email Security Gateway Command Injection Vulnerability",
@@ -35027,7 +35058,7 @@
     "cwe_refs": [
       "CWE-269"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://source.android.com/docs/security/bulletin/2025-09-01",
@@ -35056,11 +35087,21 @@
         "published_date": "2025-09-04"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-04; due date 2025-09-25. Notes reference: https://source.android.com/docs/security/bulletin/2025-09-01 ; https://nvd.nist.gov/vuln/detail/CVE-2025-48543",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation.",
+    "iocs": {
+      "behavioral": [
+        "Android at a version below the fixed release named in the vendor advisory on a host with any local foothold.",
+        "An unprivileged app gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation.",
+        "Post-escalation activity — process/driver crashes, privilege transitions, or persistence — with no corresponding operator action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48543, CISA KEV (added 2025-09-04), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-53690": {
     "name": "Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability",
@@ -38615,7 +38656,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -38636,7 +38679,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/",
@@ -38665,11 +38708,21 @@
         "published_date": "2025-07-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2019-5418",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.",
+    "iocs": {
+      "behavioral": [
+        "Ruby on Rails reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Rails containing traversal sequences (../, encoded variants) targeting files outside the intended directory.",
+        "Reads of configuration, credential, or secret files on the Rails followed by use of the disclosed credentials elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2019-5418, CISA KEV (added 2025-07-07), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2016-10033": {
     "name": "PHPMailer Command Injection Vulnerability",
@@ -39412,7 +39465,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1068"
+      "T1068",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39433,7 +39488,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10371",
@@ -39462,11 +39517,21 @@
         "published_date": "2025-06-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-25; due date 2025-07-16. Notes reference: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10371 ; https://nvd.nist.gov/vuln/detail/CVE-2024-0769",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.",
+    "iocs": {
+      "behavioral": [
+        "D-Link DIR-859 router reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the DIR-859 router containing traversal sequences (../, encoded variants) targeting files outside the intended directory.",
+        "Reads of configuration, credential, or secret files on the DIR-859 router followed by use of the disclosed credentials elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2024-0769, CISA KEV (added 2025-06-25), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-54085": {
     "name": "AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability",
@@ -41404,7 +41469,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41425,7 +41492,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.zkteco.com/en/Security_Bulletinsibs",
@@ -41454,11 +41521,21 @@
         "published_date": "2025-05-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://www.zkteco.com/en/Security_Bulletinsibs ; https://nvd.nist.gov/vuln/detail/CVE-2023-38950",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.",
+    "iocs": {
+      "behavioral": [
+        "ZKTeco BioTime reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the ZKTeco BioTime containing traversal sequences (../, encoded variants) targeting files outside the intended directory.",
+        "Reads of configuration, credential, or secret files on the ZKTeco BioTime followed by use of the disclosed credentials elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-38950, CISA KEV (added 2025-05-19), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-27443": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability",
@@ -41607,7 +41684,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -41628,7 +41706,7 @@
     "cwe_refs": [
       "CWE-22"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.outputmessenger.com/cve-2025-27920/",
@@ -41657,11 +41735,21 @@
         "published_date": "2025-05-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://www.outputmessenger.com/cve-2025-27920/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-27920",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.",
+    "iocs": {
+      "behavioral": [
+        "Srimax Output Messenger reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Output Messenger containing traversal sequences (../, encoded variants) targeting files outside the intended directory.",
+        "Files written outside the intended directory on the Output Messenger — especially startup/autorun paths or web shells — followed by code execution (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-27920, CISA KEV (added 2025-05-19), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-11182": {
     "name": "MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability",