@blamejs/exceptd-skills 0.15.40 → 0.15.42

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.42 — 2026-05-29
+
+Draft-curation pass 39 — sensitive data exposure. Three CISA KEV-listed CVEs that leak credentials and plaintext data through diagnostic surfaces are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the two TeleMessage TM SGNL flaws — a core-dump file exposed to an unauthorized control sphere (CVE-2025-48928) and an insecure-default Spring Boot Actuator `/heapdump` endpoint (CVE-2025-48927), which together leaked plaintext messages and credentials from the Signal-clone server — and the Wing FTP error-message disclosure (CVE-2025-47813). All map T1190 and T1552. The lessons make the point that an encryption-in-transit posture is undermined when the server holds and leaks plaintext through memory dumps and diagnostic endpoints, that least-functionality (disabling Actuator and core-dump generation in production) is the durable control, and that response must rotate every exposed secret and treat the disclosed data's confidentiality as already breached — a patch cannot recall data the attacker has.
+
+## 0.15.41 — 2026-05-29
+
+Draft-curation pass 38 — access-control and security-control bypass. Four CISA KEV-listed CVEs that defeat an access-enforcement mechanism are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the CrushFTP unprotected-alternate-channel admin bypass (CVE-2025-54309), the SonicWall SMA1000 missing-authorization flaw (CVE-2025-40602), the SolarWinds Web Help Desk security-control bypass (CVE-2025-40536), and the Craft CMS assumed-immutable-parameter tampering flaw (CVE-2025-35939). All map T1190; the authorization-bypass trio also maps T1078. The lessons make the point that the access-control posture (passwords, roles) is irrelevant when the enforcement mechanism itself is bypassed — restricting the management plane to a trusted network is the load-bearing compensating control — and that the parameter-tampering flaw is chained to code execution, so it requires web-shell hunting and key rotation beyond the patch.
+
 ## 0.15.40 — 2026-05-29
 
 Draft-curation pass 37 — unauthenticated upload-or-injection RCE. Six CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: unrestricted file uploads in SmarterTools SmarterMail (CVE-2025-52691) and TeamT5 ThreatSonar (CVE-2024-7694), and command/argument injection in the React Native Community CLI Metro dev server (CVE-2025-11953), GNU InetUtils (CVE-2026-24061), the Smartbedded Meteobridge device (CVE-2025-4008), and Motex LANSCOPE Endpoint Manager (CVE-2025-61932). All map T1190; the uploads add T1505.003 (web shell) and the injections add T1059. The lessons flag the trust-inversion of a compromised security product (ThreatSonar), the supply-chain risk of an exposed developer build server (React Native CLI), and the fleet-wide reach of an endpoint manager (LANSCOPE) — each demanding downstream review beyond the patched host.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T05:45:36.968Z",
+  "generated_at": "2026-05-30T06:53:22.117Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "59355be76cb1ccff92a7bcf8846b2c54865e63ea83881e10d9b902f1f77db0e3",
+    "manifest.json": "78ba56b28bf1a2e3eba41ec934fdca10f12ec082bbcd14cbc01b3ecd4a2b4c7e",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "55293b8b9adc7371ba6450baf973a8e2d13ac810e709b598a2d042d41b074a37",
-    "data/cve-catalog.json": "2f63e64ac7dd3bfd08f0eaa5293b374934a90f0cad959c29e9cf7cba95f46ea8",
+    "data/attack-techniques.json": "bf0011e00427bbb2bb8c7042e9030a46e2fe02975b0eeaecc8a3a9612700dba9",
+    "data/cve-catalog.json": "f9ec57ac469e96f74edc35b0f9e245ad17e5a4c3300b81621f36548854c8b03f",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "963d7687ac5f2baafc1771731483504ec32504b50ab0ecd5b5a5fa060b241cbb",
+    "data/zeroday-lessons.json": "15d769bad95282194caf937ddda4a50e7fa05570e6bedf3cb96b2619432299f5",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -636,9 +636,12 @@
       "CVE-2025-32975",
       "CVE-2025-34026",
       "CVE-2025-3935",
+      "CVE-2025-40536",
+      "CVE-2025-40602",
       "CVE-2025-4427",
       "CVE-2025-49706",
       "CVE-2025-54236",
+      "CVE-2025-54309",
       "CVE-2025-57819",
       "CVE-2025-61757",
       "CVE-2025-6205",
@@ -1101,11 +1104,13 @@
       "CVE-2025-4008",
       "CVE-2025-40536",
       "CVE-2025-40551",
+      "CVE-2025-40602",
       "CVE-2025-42999",
       "CVE-2025-4427",
       "CVE-2025-4428",
       "CVE-2025-4632",
       "CVE-2025-47812",
+      "CVE-2025-47813",
       "CVE-2025-47827",
       "CVE-2025-48700",
       "CVE-2025-48703",
@@ -1754,6 +1759,9 @@
       "CVE-2025-30066",
       "CVE-2025-30154",
       "CVE-2025-31125",
+      "CVE-2025-47813",
+      "CVE-2025-48927",
+      "CVE-2025-48928",
       "CVE-2025-5777",
       "CVE-2025-68664",
       "CVE-2025-68665",

package/data/cve-catalog.json

@@ -21690,7 +21690,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1005"
+      "T1005",
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -21711,7 +21713,7 @@
     "cwe_refs": [
       "CWE-209"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.wftpserver.com/serverhistory.htm",
@@ -21740,11 +21742,21 @@
         "published_date": "2026-03-16"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-16; due date 2026-03-30. Notes reference: https://www.wftpserver.com/serverhistory.htm ; https://nvd.nist.gov/vuln/detail/CVE-2025-47813",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Wing FTP Server contains a generation of error message containing sensitive information vulnerability when using a long value in the UID cookie.",
+    "iocs": {
+      "behavioral": [
+        "Wing FTP Server reachable on the network at a version below the fixed release named in the vendor advisory; the web interface processes a client-supplied UID session cookie.",
+        "Requests to the Wing FTP web interface (e.g. loginok.html) carrying an oversized or malformed UID session cookie that triggers an error response.",
+        "Error responses from Wing FTP Server disclosing the installation / local file path, used to map the server for a follow-on attack (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-47813, CISA KEV (added 2026-03-16), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials/data) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-3910": {
     "name": "Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability",
@@ -24793,7 +24805,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -24814,7 +24827,7 @@
     "cwe_refs": [
       "CWE-693"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm",
@@ -24844,11 +24857,21 @@
         "published_date": "2026-02-12"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-12; due date 2026-02-15. Notes reference: https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm ; https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40536 ; https://nvd",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality.",
+    "iocs": {
+      "behavioral": [
+        "SolarWinds Web Help Desk reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Web Help Desk consistent with security-control-bypass flaw.",
+        "Access to administrative or protected functionality on the Web Help Desk with no corresponding legitimate login — sessions from unexpected sources, configuration/account changes, or admin actions without authentication (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-40536, CISA KEV (added 2026-02-12), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 access bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21513": {
     "name": "Microsoft MSHTML Framework Protection Mechanism Failure Vulnerability",
@@ -28288,7 +28311,9 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1068"
+      "T1068",
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -28310,7 +28335,7 @@
       "CWE-862",
       "CWE-250"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019",
@@ -28339,11 +28364,21 @@
         "published_date": "2025-12-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-17; due date 2025-12-24. Notes reference: Check for signs of potential compromise on all internet accessible SonicWall SMA1000 instances after applying mitigations. For more information please see: https://psirt.global.sonicwall.com/vuln-deta",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation appliance management console (AMC) of affected devices."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation appliance management console (AMC) of affected devices.",
+    "iocs": {
+      "behavioral": [
+        "SonicWall SMA1000 reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the SMA1000 appliance consistent with missing-authorization flaw.",
+        "Access to administrative or protected functionality on the SMA1000 appliance with no corresponding legitimate login — sessions from unexpected sources, configuration/account changes, or admin actions without authentication (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-40602, CISA KEV (added 2025-12-17), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 access bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20393": {
     "name": "Cisco Multiple Products Improper Input Validation Vulnerability",
@@ -37876,7 +37911,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -37897,7 +37933,7 @@
     "cwe_refs": [
       "CWE-420"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025",
@@ -37926,11 +37962,21 @@
         "published_date": "2025-07-22"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-22; due date 2025-08-12. Notes reference: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025 ; https://nvd.nist.gov/vuln/detail/CVE-2025-54309 ",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.",
+    "iocs": {
+      "behavioral": [
+        "CrushFTP reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the CrushFTP consistent with unprotected-alternate-channel flaw.",
+        "Access to administrative or protected functionality on the CrushFTP with no corresponding legitimate login — sessions from unexpected sources, configuration/account changes, or admin actions without authentication (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-54309, CISA KEV (added 2025-07-22), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1078 access bypass) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-49704": {
     "name": "Microsoft SharePoint Code Injection Vulnerability",
@@ -39153,7 +39199,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39174,7 +39221,7 @@
     "cwe_refs": [
       "CWE-528"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2025-48928"
@@ -39195,11 +39242,21 @@
         "published_date": "2025-07-01"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-01; due date 2025-07-22. Notes reference: It is recommended that mitigations be applied per vendor instructions if available. If these instructions cannot be located or if mitigations are unavailable, discontinue use of the product. ; https:/",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere Vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a \"core dump\" in which a password previously sent over HTTP would be included in this dump."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere Vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a \"core dump\" in which a password previously sent over HTTP would be included in this dump.",
+    "iocs": {
+      "behavioral": [
+        "TeleMessage TM SGNL reachable on the network at a version below the fixed release named in the vendor advisory, with a diagnostic/dump surface or verbose errors exposed.",
+        "Unauthenticated requests to the TeleMessage (Signal clone) targeting diagnostic endpoints (/heapdump, actuator), core-dump files, or error-triggering inputs.",
+        "Retrieval of memory dumps, core files, or error output disclosing credentials or plaintext data, followed by use of the disclosed material elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48928, CISA KEV (added 2025-07-01), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials/data) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-48927": {
     "name": "TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability",
@@ -39241,7 +39298,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39262,7 +39320,7 @@
     "cwe_refs": [
       "CWE-1188"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://nvd.nist.gov/vuln/detail/CVE-2025-48927"
@@ -39283,11 +39341,21 @@
         "published_date": "2025-07-01"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-01; due date 2025-07-22. Notes reference: It is recommended that mitigations be applied per vendor instructions if available. If these instructions cannot be located or if mitigations are unavailable, discontinue use of the product. ; https:/",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI.",
+    "iocs": {
+      "behavioral": [
+        "TeleMessage TM SGNL reachable on the network at a version below the fixed release named in the vendor advisory, with a diagnostic/dump surface or verbose errors exposed.",
+        "Unauthenticated requests to the TeleMessage (Signal clone) targeting diagnostic endpoints (/heapdump, actuator), core-dump files, or error-triggering inputs.",
+        "Retrieval of memory dumps, core files, or error output disclosing credentials or plaintext data, followed by use of the disclosed material elsewhere (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-48927, CISA KEV (added 2025-07-01), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190 + T1552 unsecured credentials/data) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-6543": {
     "name": "Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability",
@@ -41165,7 +41233,7 @@
     "cwe_refs": [
       "CWE-472"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://github.com/craftcms/cms/pull/17220",
@@ -41194,11 +41262,21 @@
         "published_date": "2025-06-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-02; due date 2025-06-23. Notes reference: https://github.com/craftcms/cms/pull/17220 ;   https://nvd.nist.gov/vuln/detail/CVE-2025-35939",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.",
+    "iocs": {
+      "behavioral": [
+        "Craft CMS reachable on the network at a version below the fixed release named in the vendor advisory.",
+        "Unauthenticated requests to the Craft CMS consistent with external-control-of-assumed-immutable-web-parameter flaw.",
+        "Tampered or unexpected parameter values reaching the Craft CMS, followed by web shells or code execution as part of a chain (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-35939, CISA KEV (added 2025-06-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-56145": {
     "name": "Craft CMS Code Injection Vulnerability (variant: CVE-2024-56145)",