@blamejs/exceptd-skills 0.15.36 → 0.15.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/CHANGELOG.md +8 -0
  2. package/data/_indexes/_meta.json +5 -5
  3. package/data/attack-techniques.json +14 -4
  4. package/data/cve-catalog.json +135 -47
  5. package/data/zeroday-lessons.json +308 -104
  6. package/manifest.json +44 -44
  7. package/package.json +1 -1
  8. package/sbom.cdx.json +18 -18
package/data/zeroday-lessons.json CHANGED
@@ -16468,35 +16468,58 @@
16468
16468
  },
16469
16469
  "CVE-2025-41244": {
16470
16470
  "name": "Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability",
16471
- "lesson_date": "2026-05-18",
16471
+ "lesson_date": "2026-05-29",
16472
16472
  "attack_vector": {
16473
- "description": "Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.",
16474
- "privileges_required": "network attacker (no authentication required)",
16475
- "complexity": "moderate (bulk-import default)",
16476
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
16473
+ "description": "a privilege-management flaw (CWE-267) in VMware Aria Operations and VMware Tools, letting a local user in a managed guest escalate privileges. CISA KEV-listed 2025-10-30 with confirmed in-the-wild exploitation; escalation flaws of this class form the second half of an intrusion chain.",
16474
+ "privileges_required": "low (a local foothold — an unprivileged app, user, or process on the host)",
16475
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
16476
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
16477
+ },
16478
+ "defense_chain": {
16479
+ "prevention": {
16480
+ "what_would_have_worked": "Apply the VMware update; restrict the privileged collection account and segment management access — a guest LPE combined with management reach can pivot across the virtual estate.",
16481
+ "was_this_required": true,
16482
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
16483
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root/SYSTEM) which a patched host shuts down, with platform hardening as the backstop."
16484
+ },
16485
+ "detection": {
16486
+ "what_would_have_worked": "EDR/auditd telemetry for unprivileged-to-elevated transitions and the escalation primitive without a legitimate trigger.",
16487
+ "was_this_required": false,
16488
+ "framework_requiring_it": null,
16489
+ "adequacy": "Backstops unpatched hosts; escalation is typically silent without endpoint/identity monitoring."
16490
+ },
16491
+ "response": {
16492
+ "what_would_have_worked": "Force the patch; for confirmed exploitation treat the host as compromised, isolate, preserve forensic state, rotate credentials, and review for follow-on persistence.",
16493
+ "was_this_required": true,
16494
+ "framework_requiring_it": "NIST 800-53 IR-4",
16495
+ "adequacy": "Mandatory; root/SYSTEM-level escalation makes the host an unreliable platform and warrants rebuild."
16496
+ }
16477
16497
  },
16478
16498
  "framework_coverage": {
16479
16499
  "NIST-800-53-SI-2": {
16480
16500
  "covered": true,
16481
16501
  "adequate": false,
16482
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
16502
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed local/host privilege-escalation flaw; paired with an initial-access primitive, attackers elevate to root/SYSTEM within hours of a foothold."
16483
16503
  },
16484
16504
  "ISO-27001-2022-A.8.8": {
16485
16505
  "covered": true,
16486
16506
  "adequate": false,
16487
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
16507
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited escalation flaw, which is the second half of nearly every intrusion chain."
16508
+ },
16509
+ "AU-ISM-1546": {
16510
+ "covered": true,
16511
+ "adequate": false,
16512
+ "gap": "Essential 8 names OS/application patching, but the load-bearing backstops are platform-specific and unnamed: least-privilege and SELinux/seccomp on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and SMB signing / NTLM-disablement for the reflection class (the last breaks the attack regardless of patch state)."
16488
16513
  }
16489
16514
  },
16490
16515
  "compliance_exposure_score": {
16491
- "percent_audit_passing_orgs_still_exposed": 55,
16492
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
16516
+ "percent_audit_passing_orgs_still_exposed": 69,
16517
+ "basis": "VMware Aria Operations and VMware Tools is widely deployed; audited organizations gate host/agent patches behind change windows and rarely enforce the platform-specific backstop (SELinux/seccomp, MDM OTA SLA, management-account segmentation, SMB signing), leaving the escalation chain open past the in-the-wild window.",
16493
16518
  "theater_pattern": "patch_management"
16494
16519
  },
16495
16520
  "ai_discovered_zeroday": false,
16496
- "ai_discovery_source": "unknown",
16497
- "ai_assist_factor": "none",
16498
- "_auto_imported": true,
16499
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
16521
+ "ai_discovery_source": "vendor_research",
16522
+ "ai_assist_factor": "none"
16500
16523
  },
16501
16524
  "CVE-2025-24893": {
16502
16525
  "name": "XWiki Platform Eval Injection Vulnerability",
@@ -17007,35 +17030,58 @@
17007
17030
  },
17008
17031
  "CVE-2025-33073": {
17009
17032
  "name": "Microsoft Windows SMB Client Improper Access Control Vulnerability",
17010
- "lesson_date": "2026-05-18",
17033
+ "lesson_date": "2026-05-29",
17011
17034
  "attack_vector": {
17012
- "description": "Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate.",
17013
- "privileges_required": "network attacker (no authentication required)",
17014
- "complexity": "moderate (bulk-import default)",
17015
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
17035
+ "description": "an improper-access-control flaw (CWE-284) in the Windows SMB client enabling NTLM reflection by coercing a victim host to authenticate to an attacker-controlled server, the attacker reflects the authentication back to the victim to gain SYSTEM. CISA KEV-listed 2025-10-20 with confirmed in-the-wild exploitation; escalation flaws of this class form the second half of an intrusion chain.",
17036
+ "privileges_required": "low (the ability to coerce a victim host to authenticate; no valid credentials on the target)",
17037
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
17038
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
17039
+ },
17040
+ "defense_chain": {
17041
+ "prevention": {
17042
+ "what_would_have_worked": "Apply the Microsoft update AND enforce SMB signing (and disable NTLM where possible); SMB signing breaks the reflection/relay regardless of patch state, so it is the durable control.",
17043
+ "was_this_required": true,
17044
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
17045
+ "adequacy": "Patch is necessary but SMB signing breaks the reflection regardless of patch state and is the durable control; NTLM disablement removes the primitive entirely."
17046
+ },
17047
+ "detection": {
17048
+ "what_would_have_worked": "Detection of coerced/relayed NTLM authentication: unexpected outbound SMB from servers, authentication to attacker infrastructure, and SYSTEM actions without an admin login.",
17049
+ "was_this_required": false,
17050
+ "framework_requiring_it": null,
17051
+ "adequacy": "Backstops unpatched hosts; escalation is typically silent without endpoint/identity monitoring."
17052
+ },
17053
+ "response": {
17054
+ "what_would_have_worked": "Force the patch; for confirmed exploitation treat the host as compromised, isolate, preserve forensic state, rotate credentials, and enforce SMB signing fleet-wide and hunt for relay activity.",
17055
+ "was_this_required": true,
17056
+ "framework_requiring_it": "NIST 800-53 IR-4",
17057
+ "adequacy": "Mandatory; root/SYSTEM-level escalation makes the host an unreliable platform and warrants rebuild."
17058
+ }
17016
17059
  },
17017
17060
  "framework_coverage": {
17018
17061
  "NIST-800-53-SI-2": {
17019
17062
  "covered": true,
17020
17063
  "adequate": false,
17021
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
17064
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed local/host privilege-escalation flaw; paired with an initial-access primitive, attackers elevate to root/SYSTEM within hours of a foothold."
17022
17065
  },
17023
17066
  "ISO-27001-2022-A.8.8": {
17024
17067
  "covered": true,
17025
17068
  "adequate": false,
17026
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
17069
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited escalation flaw, which is the second half of nearly every intrusion chain."
17070
+ },
17071
+ "AU-ISM-1546": {
17072
+ "covered": true,
17073
+ "adequate": false,
17074
+ "gap": "Essential 8 names OS/application patching, but the load-bearing backstops are platform-specific and unnamed: least-privilege and SELinux/seccomp on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and SMB signing / NTLM-disablement for the reflection class (the last breaks the attack regardless of patch state)."
17027
17075
  }
17028
17076
  },
17029
17077
  "compliance_exposure_score": {
17030
- "percent_audit_passing_orgs_still_exposed": 55,
17031
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
17078
+ "percent_audit_passing_orgs_still_exposed": 69,
17079
+ "basis": "Microsoft Windows SMB Client is widely deployed; audited organizations gate host/agent patches behind change windows and rarely enforce the platform-specific backstop (SELinux/seccomp, MDM OTA SLA, management-account segmentation, SMB signing), leaving the escalation chain open past the in-the-wild window.",
17032
17080
  "theater_pattern": "patch_management"
17033
17081
  },
17034
17082
  "ai_discovered_zeroday": false,
17035
- "ai_discovery_source": "unknown",
17036
- "ai_assist_factor": "none",
17037
- "_auto_imported": true,
17038
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
17083
+ "ai_discovery_source": "vendor_research",
17084
+ "ai_assist_factor": "none"
17039
17085
  },
17040
17086
  "CVE-2025-61884": {
17041
17087
  "name": "Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability",
@@ -18138,35 +18184,58 @@
18138
18184
  },
18139
18185
  "CVE-2025-32463": {
18140
18186
  "name": "Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability",
18141
- "lesson_date": "2026-05-18",
18187
+ "lesson_date": "2026-05-29",
18142
18188
  "attack_vector": {
18143
- "description": "Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.",
18144
- "privileges_required": "network attacker (no authentication required)",
18145
- "complexity": "moderate (bulk-import default)",
18146
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
18189
+ "description": "a flaw allowing inclusion of functionality from an untrusted control sphere (CWE-829) in Sudo's chroot handling, letting a local user load attacker-controlled configuration/libraries and escalate to root. CISA KEV-listed 2025-09-29 with confirmed in-the-wild exploitation; escalation flaws of this class form the second half of an intrusion chain.",
18190
+ "privileges_required": "low (a local foothold — an unprivileged app, user, or process on the host)",
18191
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
18192
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
18193
+ },
18194
+ "defense_chain": {
18195
+ "prevention": {
18196
+ "what_would_have_worked": "Apply the distribution Sudo update; restrict sudo configuration and avoid the chroot feature where unneeded — local-to-root escalation turns any foothold into full host compromise.",
18197
+ "was_this_required": true,
18198
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
18199
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root/SYSTEM) which a patched host shuts down, with platform hardening as the backstop."
18200
+ },
18201
+ "detection": {
18202
+ "what_would_have_worked": "EDR/auditd telemetry for unprivileged-to-elevated transitions and the escalation primitive without a legitimate trigger.",
18203
+ "was_this_required": false,
18204
+ "framework_requiring_it": null,
18205
+ "adequacy": "Backstops unpatched hosts; escalation is typically silent without endpoint/identity monitoring."
18206
+ },
18207
+ "response": {
18208
+ "what_would_have_worked": "Force the patch; for confirmed exploitation treat the host as compromised, isolate, preserve forensic state, rotate credentials, and review for follow-on persistence.",
18209
+ "was_this_required": true,
18210
+ "framework_requiring_it": "NIST 800-53 IR-4",
18211
+ "adequacy": "Mandatory; root/SYSTEM-level escalation makes the host an unreliable platform and warrants rebuild."
18212
+ }
18147
18213
  },
18148
18214
  "framework_coverage": {
18149
18215
  "NIST-800-53-SI-2": {
18150
18216
  "covered": true,
18151
18217
  "adequate": false,
18152
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
18218
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed local/host privilege-escalation flaw; paired with an initial-access primitive, attackers elevate to root/SYSTEM within hours of a foothold."
18153
18219
  },
18154
18220
  "ISO-27001-2022-A.8.8": {
18155
18221
  "covered": true,
18156
18222
  "adequate": false,
18157
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
18223
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited escalation flaw, which is the second half of nearly every intrusion chain."
18224
+ },
18225
+ "AU-ISM-1546": {
18226
+ "covered": true,
18227
+ "adequate": false,
18228
+ "gap": "Essential 8 names OS/application patching, but the load-bearing backstops are platform-specific and unnamed: least-privilege and SELinux/seccomp on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and SMB signing / NTLM-disablement for the reflection class (the last breaks the attack regardless of patch state)."
18158
18229
  }
18159
18230
  },
18160
18231
  "compliance_exposure_score": {
18161
- "percent_audit_passing_orgs_still_exposed": 55,
18162
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
18232
+ "percent_audit_passing_orgs_still_exposed": 69,
18233
+ "basis": "Sudo is widely deployed; audited organizations gate host/agent patches behind change windows and rarely enforce the platform-specific backstop (SELinux/seccomp, MDM OTA SLA, management-account segmentation, SMB signing), leaving the escalation chain open past the in-the-wild window.",
18163
18234
  "theater_pattern": "patch_management"
18164
18235
  },
18165
18236
  "ai_discovered_zeroday": false,
18166
- "ai_discovery_source": "unknown",
18167
- "ai_assist_factor": "none",
18168
- "_auto_imported": true,
18169
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
18237
+ "ai_discovery_source": "vendor_research",
18238
+ "ai_assist_factor": "none"
18170
18239
  },
18171
18240
  "CVE-2025-59689": {
18172
18241
  "name": "Libraesva Email Security Gateway Command Injection Vulnerability",
@@ -18590,35 +18659,58 @@
18590
18659
  },
18591
18660
  "CVE-2025-48543": {
18592
18661
  "name": "Android Runtime Use-After-Free Vulnerability",
18593
- "lesson_date": "2026-05-18",
18662
+ "lesson_date": "2026-05-29",
18594
18663
  "attack_vector": {
18595
- "description": "Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation.",
18596
- "privileges_required": "unprivileged local user",
18597
- "complexity": "moderate (bulk-import default)",
18598
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
18664
+ "description": "a use-after-free / privilege-management flaw (CWE-269) in the Android Runtime, exploited by a local app to escalate privileges on the device (the local-escalation step after an initial-access primitive in a mobile exploit chain). CISA KEV-listed 2025-09-04 with confirmed in-the-wild exploitation; escalation flaws of this class form the second half of an intrusion chain.",
18665
+ "privileges_required": "low (a local foothold — an unprivileged app, user, or process on the host)",
18666
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
18667
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
18668
+ },
18669
+ "defense_chain": {
18670
+ "prevention": {
18671
+ "what_would_have_worked": "Apply the Android Security Bulletin OTA update and enforce update SLAs via MDM; mobile-threat-defense backstops devices pending the fix.",
18672
+ "was_this_required": true,
18673
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
18674
+ "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root/SYSTEM) which a patched host shuts down, with platform hardening as the backstop."
18675
+ },
18676
+ "detection": {
18677
+ "what_would_have_worked": "Mobile-threat-defense telemetry for unprivileged-to-elevated transitions and the escalation primitive without a legitimate trigger.",
18678
+ "was_this_required": false,
18679
+ "framework_requiring_it": null,
18680
+ "adequacy": "Backstops unpatched hosts; escalation is typically silent without endpoint/identity monitoring."
18681
+ },
18682
+ "response": {
18683
+ "what_would_have_worked": "Force the patch; for confirmed exploitation treat the host as compromised, isolate, preserve forensic state, rotate credentials, and review for follow-on persistence.",
18684
+ "was_this_required": true,
18685
+ "framework_requiring_it": "NIST 800-53 IR-4",
18686
+ "adequacy": "Mandatory; root/SYSTEM-level escalation makes the host an unreliable platform and warrants rebuild."
18687
+ }
18599
18688
  },
18600
18689
  "framework_coverage": {
18601
18690
  "NIST-800-53-SI-2": {
18602
18691
  "covered": true,
18603
18692
  "adequate": false,
18604
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
18693
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed local/host privilege-escalation flaw; paired with an initial-access primitive, attackers elevate to root/SYSTEM within hours of a foothold."
18605
18694
  },
18606
18695
  "ISO-27001-2022-A.8.8": {
18607
18696
  "covered": true,
18608
18697
  "adequate": false,
18609
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
18698
+ "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited escalation flaw, which is the second half of nearly every intrusion chain."
18699
+ },
18700
+ "AU-ISM-1546": {
18701
+ "covered": true,
18702
+ "adequate": false,
18703
+ "gap": "Essential 8 names OS/application patching, but the load-bearing backstops are platform-specific and unnamed: least-privilege and SELinux/seccomp on Linux, MDM-enforced OTA SLAs on Android, management-account segmentation for virtualization, and SMB signing / NTLM-disablement for the reflection class (the last breaks the attack regardless of patch state)."
18610
18704
  }
18611
18705
  },
18612
18706
  "compliance_exposure_score": {
18613
- "percent_audit_passing_orgs_still_exposed": 55,
18614
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
18707
+ "percent_audit_passing_orgs_still_exposed": 69,
18708
+ "basis": "Android is widely deployed; audited organizations gate host/agent patches behind change windows and rarely enforce the platform-specific backstop (SELinux/seccomp, MDM OTA SLA, management-account segmentation, SMB signing), leaving the escalation chain open past the in-the-wild window.",
18615
18709
  "theater_pattern": "patch_management"
18616
18710
  },
18617
18711
  "ai_discovered_zeroday": false,
18618
- "ai_discovery_source": "unknown",
18619
- "ai_assist_factor": "none",
18620
- "_auto_imported": true,
18621
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
18712
+ "ai_discovery_source": "vendor_research",
18713
+ "ai_assist_factor": "none"
18622
18714
  },
18623
18715
  "CVE-2025-53690": {
18624
18716
  "name": "Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability",
@@ -20493,35 +20585,63 @@
20493
20585
  },
20494
20586
  "CVE-2019-5418": {
20495
20587
  "name": "Rails Ruby on Rails Path Traversal Vulnerability",
20496
- "lesson_date": "2026-05-18",
20588
+ "lesson_date": "2026-05-29",
20497
20589
  "attack_vector": {
20498
- "description": "Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.",
20499
- "privileges_required": "network attacker (no authentication required)",
20500
- "complexity": "moderate (bulk-import default)",
20501
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
20590
+ "description": "a path-traversal flaw (CWE-22) in Ruby on Rails Action View (crafted Accept header), letting an unauthenticated attacker read arbitrary files including configuration and secrets. CISA KEV-listed 2025-07-07 with confirmed in-the-wild exploitation.",
20591
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application/device interface)",
20592
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
20593
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
20594
+ },
20595
+ "defense_chain": {
20596
+ "prevention": {
20597
+ "what_would_have_worked": "Apply the Rails update; rotate any credentials, secret_key_base, and data-source passwords the file read could disclose, and restrict the app's filesystem access.",
20598
+ "was_this_required": true,
20599
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
20600
+ "adequacy": "Patch is necessary but insufficient alone — any secret the traversal disclosed survives the patch and must be rotated; an EOL device must be replaced."
20601
+ },
20602
+ "detection": {
20603
+ "what_would_have_worked": "Monitoring on the Rails: requests containing traversal sequences, reads of credential/secret files and subsequent use of disclosed secrets.",
20604
+ "was_this_required": false,
20605
+ "framework_requiring_it": null,
20606
+ "adequacy": "Necessary to catch exploitation and the secret-disclosure or file-write consequence after patching."
20607
+ },
20608
+ "response": {
20609
+ "what_would_have_worked": "Patch (or replace an EOL device); rotate every secret reachable through the file read, and review for follow-on access using disclosed material.",
20610
+ "was_this_required": true,
20611
+ "framework_requiring_it": "NIST 800-53 IR-4",
20612
+ "adequacy": "Mandatory; patch-in-place without secret rotation / file cleanup leaves the attacker with a usable foothold."
20613
+ }
20502
20614
  },
20503
20615
  "framework_coverage": {
20504
20616
  "NIST-800-53-SI-2": {
20505
20617
  "covered": true,
20506
20618
  "adequate": false,
20507
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
20619
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated path-traversal flaw; arbitrary file read leaks secrets that enable follow-on access, and EOL devices (DIR-859) cannot be patched at all."
20508
20620
  },
20509
20621
  "ISO-27001-2022-A.8.8": {
20510
20622
  "covered": true,
20511
20623
  "adequate": false,
20512
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
20624
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or device, and the disclosed-secret exposure persists until the secrets are rotated."
20625
+ },
20626
+ "NIS2-Art21-network-security": {
20627
+ "covered": true,
20628
+ "adequate": false,
20629
+ "gap": "Treats internet-facing applications/devices as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the secret-rotation cleanup a file-read flaw needs or the replacement an EOL device needs."
20630
+ },
20631
+ "PCI-DSS-4.0-6.3.3": {
20632
+ "covered": true,
20633
+ "adequate": false,
20634
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application/device whose file-read can disclose CDE-adjacent secrets."
20513
20635
  }
20514
20636
  },
20515
20637
  "compliance_exposure_score": {
20516
- "percent_audit_passing_orgs_still_exposed": 55,
20517
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
20638
+ "percent_audit_passing_orgs_still_exposed": 73,
20639
+ "basis": "Internet-facing Ruby on Rails is run by audited organizations on a standard patch SLA and is exploited within days; the required secret rotation (or EOL-device replacement) is rarely part of the documented patch procedure, leaving disclosed credentials usable.",
20518
20640
  "theater_pattern": "patch_management"
20519
20641
  },
20520
20642
  "ai_discovered_zeroday": false,
20521
- "ai_discovery_source": "unknown",
20522
- "ai_assist_factor": "none",
20523
- "_auto_imported": true,
20524
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
20643
+ "ai_discovery_source": "vendor_research",
20644
+ "ai_assist_factor": "none"
20525
20645
  },
20526
20646
  "CVE-2016-10033": {
20527
20647
  "name": "PHPMailer Command Injection Vulnerability",
@@ -20856,35 +20976,63 @@
20856
20976
  },
20857
20977
  "CVE-2024-0769": {
20858
20978
  "name": " D-Link DIR-859 Router Path Traversal Vulnerability",
20859
- "lesson_date": "2026-05-18",
20979
+ "lesson_date": "2026-05-29",
20860
20980
  "attack_vector": {
20861
- "description": "D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.",
20862
- "privileges_required": "unprivileged local user",
20863
- "complexity": "moderate (bulk-import default)",
20864
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
20981
+ "description": "a path-traversal flaw (CWE-22) on the D-Link DIR-859 router, letting an attacker read sensitive files including credentials from the device configuration. CISA KEV-listed 2025-06-25 with confirmed in-the-wild exploitation.",
20982
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application/device interface)",
20983
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
20984
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
20985
+ },
20986
+ "defense_chain": {
20987
+ "prevention": {
20988
+ "what_would_have_worked": "The DIR-859 is end-of-life; replace it. Where still deployed, restrict management access and rotate device/Wi-Fi credentials — EOL routers are recruited into botnets via flaws like this.",
20989
+ "was_this_required": true,
20990
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
20991
+ "adequacy": "Patch is necessary but insufficient alone — any secret the traversal disclosed survives the patch and must be rotated; an EOL device must be replaced."
20992
+ },
20993
+ "detection": {
20994
+ "what_would_have_worked": "Monitoring on the DIR-859 router: requests containing traversal sequences, reads of credential/secret files and subsequent use of disclosed secrets.",
20995
+ "was_this_required": false,
20996
+ "framework_requiring_it": null,
20997
+ "adequacy": "Necessary to catch exploitation and the secret-disclosure or file-write consequence after patching."
20998
+ },
20999
+ "response": {
21000
+ "what_would_have_worked": "Patch (or replace an EOL device); rotate every secret reachable through the file read, and review for follow-on access using disclosed material.",
21001
+ "was_this_required": true,
21002
+ "framework_requiring_it": "NIST 800-53 IR-4",
21003
+ "adequacy": "Mandatory; patch-in-place without secret rotation / file cleanup leaves the attacker with a usable foothold."
21004
+ }
20865
21005
  },
20866
21006
  "framework_coverage": {
20867
21007
  "NIST-800-53-SI-2": {
20868
21008
  "covered": true,
20869
21009
  "adequate": false,
20870
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
21010
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated path-traversal flaw; arbitrary file read leaks secrets that enable follow-on access, and EOL devices (DIR-859) cannot be patched at all."
20871
21011
  },
20872
21012
  "ISO-27001-2022-A.8.8": {
20873
21013
  "covered": true,
20874
21014
  "adequate": false,
20875
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
21015
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or device, and the disclosed-secret exposure persists until the secrets are rotated."
21016
+ },
21017
+ "NIS2-Art21-network-security": {
21018
+ "covered": true,
21019
+ "adequate": false,
21020
+ "gap": "Treats internet-facing applications/devices as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the secret-rotation cleanup a file-read flaw needs or the replacement an EOL device needs."
21021
+ },
21022
+ "PCI-DSS-4.0-6.3.3": {
21023
+ "covered": true,
21024
+ "adequate": false,
21025
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application/device whose file-read can disclose CDE-adjacent secrets."
20876
21026
  }
20877
21027
  },
20878
21028
  "compliance_exposure_score": {
20879
- "percent_audit_passing_orgs_still_exposed": 55,
20880
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
21029
+ "percent_audit_passing_orgs_still_exposed": 73,
21030
+ "basis": "Internet-facing D-Link DIR-859 router is run by audited organizations on a standard patch SLA and is exploited within days; the required secret rotation (or EOL-device replacement) is rarely part of the documented patch procedure, leaving disclosed credentials usable.",
20881
21031
  "theater_pattern": "patch_management"
20882
21032
  },
20883
21033
  "ai_discovered_zeroday": false,
20884
- "ai_discovery_source": "unknown",
20885
- "ai_assist_factor": "none",
20886
- "_auto_imported": true,
20887
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
21034
+ "ai_discovery_source": "vendor_research",
21035
+ "ai_assist_factor": "none"
20888
21036
  },
20889
21037
  "CVE-2024-54085": {
20890
21038
  "name": "AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability",
@@ -21854,35 +22002,63 @@
21854
22002
  },
21855
22003
  "CVE-2023-38950": {
21856
22004
  "name": "ZKTeco BioTime Path Traversal Vulnerability",
21857
- "lesson_date": "2026-05-18",
22005
+ "lesson_date": "2026-05-29",
21858
22006
  "attack_vector": {
21859
- "description": "ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.",
21860
- "privileges_required": "network attacker (no authentication required)",
21861
- "complexity": "moderate (bulk-import default)",
21862
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
22007
+ "description": "a path-traversal flaw (CWE-22) in ZKTeco BioTime, letting an unauthenticated attacker read arbitrary files on the biometric time-attendance server. CISA KEV-listed 2025-05-19 with confirmed in-the-wild exploitation.",
22008
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application/device interface)",
22009
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
22010
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
22011
+ },
22012
+ "defense_chain": {
22013
+ "prevention": {
22014
+ "what_would_have_worked": "Apply the ZKTeco BioTime update; rotate database and application credentials the read could disclose, and restrict access to the management interface — biometric data is sensitive.",
22015
+ "was_this_required": true,
22016
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
22017
+ "adequacy": "Patch is necessary but insufficient alone — any secret the traversal disclosed survives the patch and must be rotated; an EOL device must be replaced."
22018
+ },
22019
+ "detection": {
22020
+ "what_would_have_worked": "Monitoring on the ZKTeco BioTime: requests containing traversal sequences, reads of credential/secret files and subsequent use of disclosed secrets.",
22021
+ "was_this_required": false,
22022
+ "framework_requiring_it": null,
22023
+ "adequacy": "Necessary to catch exploitation and the secret-disclosure or file-write consequence after patching."
22024
+ },
22025
+ "response": {
22026
+ "what_would_have_worked": "Patch (or replace an EOL device); rotate every secret reachable through the file read, and review for follow-on access using disclosed material.",
22027
+ "was_this_required": true,
22028
+ "framework_requiring_it": "NIST 800-53 IR-4",
22029
+ "adequacy": "Mandatory; patch-in-place without secret rotation / file cleanup leaves the attacker with a usable foothold."
22030
+ }
21863
22031
  },
21864
22032
  "framework_coverage": {
21865
22033
  "NIST-800-53-SI-2": {
21866
22034
  "covered": true,
21867
22035
  "adequate": false,
21868
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
22036
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated path-traversal flaw; arbitrary file read leaks secrets that enable follow-on access, and EOL devices (DIR-859) cannot be patched at all."
21869
22037
  },
21870
22038
  "ISO-27001-2022-A.8.8": {
21871
22039
  "covered": true,
21872
22040
  "adequate": false,
21873
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
22041
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or device, and the disclosed-secret exposure persists until the secrets are rotated."
22042
+ },
22043
+ "NIS2-Art21-network-security": {
22044
+ "covered": true,
22045
+ "adequate": false,
22046
+ "gap": "Treats internet-facing applications/devices as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the secret-rotation cleanup a file-read flaw needs or the replacement an EOL device needs."
22047
+ },
22048
+ "PCI-DSS-4.0-6.3.3": {
22049
+ "covered": true,
22050
+ "adequate": false,
22051
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application/device whose file-read can disclose CDE-adjacent secrets."
21874
22052
  }
21875
22053
  },
21876
22054
  "compliance_exposure_score": {
21877
- "percent_audit_passing_orgs_still_exposed": 55,
21878
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
22055
+ "percent_audit_passing_orgs_still_exposed": 73,
22056
+ "basis": "Internet-facing ZKTeco BioTime is run by audited organizations on a standard patch SLA and is exploited within days; the required secret rotation (or EOL-device replacement) is rarely part of the documented patch procedure, leaving disclosed credentials usable.",
21879
22057
  "theater_pattern": "patch_management"
21880
22058
  },
21881
22059
  "ai_discovered_zeroday": false,
21882
- "ai_discovery_source": "unknown",
21883
- "ai_assist_factor": "none",
21884
- "_auto_imported": true,
21885
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
22060
+ "ai_discovery_source": "vendor_research",
22061
+ "ai_assist_factor": "none"
21886
22062
  },
21887
22063
  "CVE-2024-27443": {
21888
22064
  "name": "Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability",
@@ -21946,35 +22122,63 @@
21946
22122
  },
21947
22123
  "CVE-2025-27920": {
21948
22124
  "name": "Srimax Output Messenger Directory Traversal Vulnerability",
21949
- "lesson_date": "2026-05-18",
22125
+ "lesson_date": "2026-05-29",
21950
22126
  "attack_vector": {
21951
- "description": "Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.",
21952
- "privileges_required": "network attacker (no authentication required)",
21953
- "complexity": "moderate (bulk-import default)",
21954
- "ai_factor": "Bulk-imported AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
22127
+ "description": "a directory-traversal flaw (CWE-22) in Srimax Output Messenger, letting an unauthenticated attacker read or write files outside the intended directory (used in the wild to write to startup paths for code execution). CISA KEV-listed 2025-05-19 with confirmed in-the-wild exploitation.",
22128
+ "privileges_required": "none (the flaw is reachable by an unauthenticated attacker on the application/device interface)",
22129
+ "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
22130
+ "ai_factor": "No AI involvement documented in discovery or weaponization."
22131
+ },
22132
+ "defense_chain": {
22133
+ "prevention": {
22134
+ "what_would_have_worked": "Apply the Output Messenger update; hunt for files written to startup/autorun paths and web shells, and rotate server credentials — the traversal was chained to code execution.",
22135
+ "was_this_required": true,
22136
+ "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
22137
+ "adequacy": "Patch is necessary but insufficient alone — files the traversal wrote (startup payloads, web shells) survive the patch and require explicit cleanup."
22138
+ },
22139
+ "detection": {
22140
+ "what_would_have_worked": "Monitoring on the Output Messenger: requests containing traversal sequences, files written outside the intended directory and execution of newly-dropped payloads.",
22141
+ "was_this_required": false,
22142
+ "framework_requiring_it": null,
22143
+ "adequacy": "Necessary to catch exploitation and the secret-disclosure or file-write consequence after patching."
22144
+ },
22145
+ "response": {
22146
+ "what_would_have_worked": "Patch (or replace an EOL device); remove files written via the traversal and hunt for web shells, and review for follow-on access using disclosed material.",
22147
+ "was_this_required": true,
22148
+ "framework_requiring_it": "NIST 800-53 IR-4",
22149
+ "adequacy": "Mandatory; patch-in-place without secret rotation / file cleanup leaves the attacker with a usable foothold."
22150
+ }
21955
22151
  },
21956
22152
  "framework_coverage": {
21957
22153
  "NIST-800-53-SI-2": {
21958
22154
  "covered": true,
21959
22155
  "adequate": false,
21960
- "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
22156
+ "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, unauthenticated path-traversal flaw; arbitrary file read leaks secrets that enable follow-on access, and EOL devices (DIR-859) cannot be patched at all."
21961
22157
  },
21962
22158
  "ISO-27001-2022-A.8.8": {
21963
22159
  "covered": true,
21964
22160
  "adequate": false,
21965
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
22161
+ "gap": "'Appropriate timescales' is undefined; the standard 30-day reading is unsafe for an actively-exploited, internet-facing application or device, and the disclosed-secret exposure persists until the secrets are rotated."
22162
+ },
22163
+ "NIS2-Art21-network-security": {
22164
+ "covered": true,
22165
+ "adequate": false,
22166
+ "gap": "Treats internet-facing applications/devices as essential-function infrastructure but lacks a CISA-KEV-style compressed remediation SLA, and does not require the secret-rotation cleanup a file-read flaw needs or the replacement an EOL device needs."
22167
+ },
22168
+ "PCI-DSS-4.0-6.3.3": {
22169
+ "covered": true,
22170
+ "adequate": false,
22171
+ "gap": "The 30-day critical-patch window is exploitation acceptance for an internet-facing application/device whose file-read can disclose CDE-adjacent secrets."
21966
22172
  }
21967
22173
  },
21968
22174
  "compliance_exposure_score": {
21969
- "percent_audit_passing_orgs_still_exposed": 55,
21970
- "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
22175
+ "percent_audit_passing_orgs_still_exposed": 73,
22176
+ "basis": "Internet-facing Srimax Output Messenger is run by audited organizations on a standard patch SLA and is exploited within days; the required secret rotation (or EOL-device replacement) is rarely part of the documented patch procedure, leaving disclosed credentials usable.",
21971
22177
  "theater_pattern": "patch_management"
21972
22178
  },
21973
22179
  "ai_discovered_zeroday": false,
21974
- "ai_discovery_source": "unknown",
21975
- "ai_assist_factor": "none",
21976
- "_auto_imported": true,
21977
- "_intake_method": "v0.13.17-bulk-cisa-kev-import"
22180
+ "ai_discovery_source": "vendor_research",
22181
+ "ai_assist_factor": "none"
21978
22182
  },
21979
22183
  "CVE-2024-11182": {
21980
22184
  "name": "MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability",