npm - @blamejs/exceptd-skills - Versions diffs - 0.15.42 → 0.15.44 - Mend

@blamejs/exceptd-skills 0.15.42 → 0.15.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +10 -6
package/data/cve-catalog.json +127 -45
package/data/zeroday-lessons.json +307 -113
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Changelog
+## 0.15.44 — 2026-05-30
+Draft-curation pass 41 — final pass; the bulk-imported KEV draft backlog is now fully curated. Six remaining CISA KEV-listed CVEs, each a distinct vulnerability class, are promoted from auto-imported drafts to fully-curated entries with mechanism-specific behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the WhatsApp linked-device zero-click authorization flaw used as the delivery half of a mobile-spyware chain (CVE-2025-55177, T1190), the IGEL OS expired-key Secure Boot signature bypass (CVE-2025-47827, T1553), the Windows WebDAV Internet-Shortcut remote-code-execution flaw exploited by Stealth Falcon (CVE-2025-33053, T1203 + T1204.002), a network-reachable Windows NULL-pointer dereference (CVE-2026-21525, T1190), the PaperCut NG/MF cross-site request forgery used in its exploitation chain (CVE-2023-2533, T1190), and the Multi-Router Looking Glass buffer overflow on route servers (CVE-2014-3931, T1190 + T1059). With this pass every CVE entry in the catalog carries behavioral IOCs, an ATT&CK mapping, and a defense-chain zero-day lesson.
+## 0.15.43 — 2026-05-30
+Draft-curation pass 40 — supply-chain embedded malicious code. Two CISA KEV-listed CVEs where malicious code shipped through a trusted distribution channel are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the ASUS Live Update updater (CVE-2025-59374), which executes attacker code in the trusted context of the vendor update utility, and the eslint-config-prettier npm package (CVE-2025-54313), where a maintainer-account compromise published versions carrying a malicious install-time payload that runs on developer and CI machines. Both map T1195.002 (Compromise Software Supply Chain). The lessons frame the defense as enforced signature and provenance verification (code signing, Sigstore/in-toto, SLSA), dependency pinning, and publishing-account protections — not patching — and note that response is environment-wide because the tainted code reaches every host that installed it.
 ## 0.15.42 — 2026-05-29
 Draft-curation pass 39 — sensitive data exposure. Three CISA KEV-listed CVEs that leak credentials and plaintext data through diagnostic surfaces are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the two TeleMessage TM SGNL flaws — a core-dump file exposed to an unauthorized control sphere (CVE-2025-48928) and an insecure-default Spring Boot Actuator `/heapdump` endpoint (CVE-2025-48927), which together leaked plaintext messages and credentials from the Signal-clone server — and the Wing FTP error-message disclosure (CVE-2025-47813). All map T1190 and T1552. The lessons make the point that an encryption-in-transit posture is undermined when the server holds and leaks plaintext through memory dumps and diagnostic endpoints, that least-functionality (disabling Actuator and core-dump generation in production) is the durable control, and that response must rotate every exposed secret and treat the disclosed data's confidentiality as already breached — a patch cannot recall data the attacker has.

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-30T06:53:22.117Z",
+  "generated_at": "2026-05-30T07:26:49.002Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "78ba56b28bf1a2e3eba41ec934fdca10f12ec082bbcd14cbc01b3ecd4a2b4c7e",
+    "manifest.json": "178af7478515ce7e87d7daadbecccfedc69b819058d5b49f0fd0a9595453c52c",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "bf0011e00427bbb2bb8c7042e9030a46e2fe02975b0eeaecc8a3a9612700dba9",
-    "data/cve-catalog.json": "f9ec57ac469e96f74edc35b0f9e245ad17e5a4c3300b81621f36548854c8b03f",
+    "data/attack-techniques.json": "84fad74c8497cab922ed64b814752f54aa4620c2a938cb06642ff1510e1c5cb3",
+    "data/cve-catalog.json": "4a1b5d7a722a0717211058777c7d40d0ded814d231d1cda9e8aa94517da4b905",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "15d769bad95282194caf937ddda4a50e7fa05570e6bedf3cb96b2619432299f5",
+    "data/zeroday-lessons.json": "acf9b2b001844dd2cacf1d29c7175d60db49b103847c9fddd242d2a98087541d",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json CHANGED Viewed

@@ -272,6 +272,7 @@
       "DS0017"
     ],
     "cve_refs": [
+      "CVE-2014-3931",
       "CVE-2014-6278",
       "CVE-2016-10033",
       "CVE-2017-1000353",
@@ -969,6 +970,7 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2008-4250",
+      "CVE-2014-3931",
       "CVE-2014-6278",
       "CVE-2015-7755",
       "CVE-2016-10033",
@@ -1094,7 +1096,6 @@
       "CVE-2025-3248",
       "CVE-2025-32756",
       "CVE-2025-32975",
-      "CVE-2025-33053",
       "CVE-2025-34026",
       "CVE-2025-34291",
       "CVE-2025-3466",
@@ -1111,7 +1112,6 @@
       "CVE-2025-4632",
       "CVE-2025-47812",
       "CVE-2025-47813",
-      "CVE-2025-47827",
       "CVE-2025-48700",
       "CVE-2025-48703",
       "CVE-2025-48927",
@@ -1132,7 +1132,6 @@
       "CVE-2025-54236",
       "CVE-2025-54253",
       "CVE-2025-54309",
-      "CVE-2025-54313",
       "CVE-2025-54948",
       "CVE-2025-55177",
       "CVE-2025-55182",
@@ -1142,7 +1141,6 @@
       "CVE-2025-58034",
       "CVE-2025-58360",
       "CVE-2025-59287",
-      "CVE-2025-59374",
       "CVE-2025-59389",
       "CVE-2025-59689",
       "CVE-2025-59718",
@@ -1325,6 +1323,8 @@
       "CVE-2025-32434",
       "CVE-2025-33236",
       "CVE-2025-51480",
+      "CVE-2025-54313",
+      "CVE-2025-59374",
       "CVE-2025-8747",
       "CVE-2026-31229",
       "CVE-2026-33634",
@@ -1392,7 +1392,6 @@
       "CVE-2011-3402",
       "CVE-2013-3893",
       "CVE-2013-3918",
-      "CVE-2014-3931",
       "CVE-2020-9715",
       "CVE-2021-30952",
       "CVE-2022-48503",
@@ -1406,6 +1405,7 @@
       "CVE-2025-24201",
       "CVE-2025-30397",
       "CVE-2025-31277",
+      "CVE-2025-33053",
       "CVE-2025-43200",
       "CVE-2025-43300",
       "CVE-2025-43510",
@@ -5242,7 +5242,10 @@
       "Windows"
     ],
     "stix_id": "attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2025-47827"
+    ]
   },
   "T1558": {
     "id": "T1558",
@@ -10805,6 +10808,7 @@
     "_auto_imported": true,
     "_intake_method": "mitre-attack-stix",
     "cve_refs": [
+      "CVE-2025-33053",
       "CVE-2025-48384"
     ]
   },

package/data/cve-catalog.json CHANGED Viewed

@@ -25041,7 +25041,7 @@
     "cwe_refs": [
       "CWE-476"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525",
@@ -25070,11 +25070,21 @@
         "published_date": "2026-02-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-10; due date 2026-03-03. Notes reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21525",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory, reachable on the affected network service.",
+        "Crashes or service restarts consistent with a NULL pointer dereference on the affected Windows component following crafted network input.",
+        "Unauthenticated network requests that trigger the fault, with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21525, CISA KEV (added 2026-02-10), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-21510": {
     "name": "Microsoft Windows Shell Protection Mechanism Failure Vulnerability",
@@ -27374,7 +27384,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1195.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -27395,7 +27405,7 @@
     "cwe_refs": [
       "CWE-506"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions",
@@ -27425,11 +27435,21 @@
         "published_date": "2026-01-22"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-22; due date 2026-02-12. Notes reference: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.",
+    "iocs": {
+      "behavioral": [
+        "A tainted version of eslint-config-prettier (or a sibling package compromised in the same incident) present in a project's lockfile or node_modules.",
+        "The package's install/post-install step executing unexpected code (e.g. launching a Windows DLL/payload) during npm install on developer or CI machines.",
+        "Outbound connections or process execution from an npm install step with no legitimate cause (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-54313, CISA KEV (added 2026-01-22), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1195.002 software supply-chain compromise) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20045": {
     "name": "Cisco Unified Communications Products Code Injection Vulnerability",
@@ -28216,7 +28236,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1195.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -28237,7 +28257,7 @@
     "cwe_refs": [
       "CWE-506"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.asus.com/support/faq/1018727/",
@@ -28266,11 +28286,21 @@
         "published_date": "2025-12-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-17; due date 2026-01-07. Notes reference: https://www.asus.com/support/faq/1018727/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-59374",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "ASUS Live Update installed at a version flagged in the ASUS advisory on an ASUS endpoint.",
+        "The ASUS Live Update process fetching or executing an unexpected/unsigned payload, or behaving anomalously (unexpected outbound connections, unexpected child processes).",
+        "Execution of attacker code in the trusted context of the update utility with no corresponding legitimate ASUS update (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-59374, CISA KEV (added 2025-12-17), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1195.002 software supply-chain compromise) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-40602": {
     "name": "SonicWall SMA1000 Missing Authorization Vulnerability",
@@ -32376,7 +32406,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1553"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32397,7 +32427,7 @@
     "cwe_refs": [
       "CWE-324"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-47827",
@@ -32426,11 +32456,21 @@
         "published_date": "2025-10-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-14; due date 2025-11-04. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-47827 ; https://nvd.nist.gov/vuln/detail/CVE-2025-47827",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image.",
+    "iocs": {
+      "behavioral": [
+        "IGEL OS at a version below the fixed release named in the advisory on thin-client endpoints.",
+        "Booting of a modified or unsigned IGEL OS image, or Secure Boot reporting verification against an expired key.",
+        "Persistence or configuration changes on IGEL thin clients that survive a normal re-image, consistent with a tampered boot chain (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-47827, CISA KEV (added 2025-10-14), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1553) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-24990": {
     "name": "Microsoft Windows Untrusted Pointer Dereference Vulnerability",
@@ -35707,7 +35747,7 @@
     "cwe_refs": [
       "CWE-863"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.whatsapp.com/security/advisories/2025/",
@@ -35736,11 +35776,21 @@
         "published_date": "2025-09-02"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-02; due date 2025-09-23. Notes reference: https://www.whatsapp.com/security/advisories/2025/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-55177",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.",
+    "iocs": {
+      "behavioral": [
+        "WhatsApp at a version below the fixed build named in the Meta advisory on a device, especially a high-risk-user device.",
+        "Linked-device synchronization messages from an unrelated party that cause the device to fetch or process content from an unexpected URL with no user interaction.",
+        "Indicators of a zero-click spyware chain following inbound WhatsApp content (paired Apple ImageIO exploitation, anomalous process/network activity) on a targeted device (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-55177, CISA KEV (added 2025-09-02), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-57819": {
     "name": "Sangoma FreePBX Authentication Bypass Vulnerability",
@@ -37303,7 +37353,7 @@
     "cwe_refs": [
       "CWE-352"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.papercut.com/kb/Main/SecurityBulletinJune2023",
@@ -37332,11 +37382,21 @@
         "published_date": "2025-07-28"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-28; due date 2025-08-18. Notes reference: https://www.papercut.com/kb/Main/SecurityBulletinJune2023 ; https://nvd.nist.gov/vuln/detail/CVE-2023-2533",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. ",
+    "iocs": {
+      "behavioral": [
+        "PaperCut NG/MF at a version below the fixed release named in the advisory with an internet-reachable admin interface.",
+        "Administrative setting changes (e.g. enabling print/device scripting or other code-execution-enabling options) that correlate with an administrator viewing external content, rather than a deliberate console action.",
+        "Configuration changes on the PaperCut server with no matching deliberate admin workflow (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-2533, CISA KEV (added 2025-07-28), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1190) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20337": {
     "name": "Cisco Identity Services Engine Injection Vulnerability",
@@ -38997,7 +39057,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39018,7 +39079,7 @@
     "cwe_refs": [
       "CWE-119"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://mrlg.op-sec.us/",
@@ -39047,11 +39108,21 @@
         "published_date": "2025-07-07"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-07; due date 2025-07-28. Notes reference: https://mrlg.op-sec.us/ ; https://nvd.nist.gov/vuln/detail/CVE-2014-3931",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multi-Router Looking Glass (MRLG) contains a buffer overflow vulnerability that could allow remote attackers to cause an arbitrary memory write and memory corruption."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multi-Router Looking Glass (MRLG) contains a buffer overflow vulnerability that could allow remote attackers to cause an arbitrary memory write and memory corruption.",
+    "iocs": {
+      "behavioral": [
+        "Multi-Router Looking Glass (MRLG) at a version below the fixed release on an internet-facing looking-glass / route server.",
+        "Requests to the looking-glass CGI with oversized or malformed parameters consistent with a buffer overflow.",
+        "Unexpected process execution from the looking-glass CGI / web server, with no corresponding legitimate activity (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2014-3931, CISA KEV (added 2025-07-07), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1190 + T1059) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-6554": {
     "name": "Google Chromium V8 Type Confusion Vulnerability (variant: CVE-2025-6554)",
@@ -40155,7 +40226,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1203",
+      "T1204.002"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -40176,7 +40248,7 @@
     "cwe_refs": [
       "CWE-73"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-30",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053",
@@ -40205,11 +40277,21 @@
         "published_date": "2025-06-10"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-30",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-10; due date 2025-07-01. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053 ; https://nvd.nist.gov/vuln/detail/CVE-2025-33053",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft Windows contains an external control of file name or path vulnerability that could allow an attacker to execute code from a remote WebDAV location specified by the WorkingDirectory attribute of Internet Shortcut files."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft Windows contains an external control of file name or path vulnerability that could allow an attacker to execute code from a remote WebDAV location specified by the WorkingDirectory attribute of Internet Shortcut files.",
+    "iocs": {
+      "behavioral": [
+        "Windows at a build below the fixed version named in the Microsoft advisory on an endpoint that opens attacker-supplied shortcuts.",
+        "Internet Shortcut (.url) or LNK files that reference a remote WebDAV (file://, \\\\server@SSL\\) path, delivered by email or download.",
+        "Execution of binaries from a remote WebDAV share by Explorer or trusted utilities, and outbound WebDAV/SMB connections following the open of a shortcut (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-33053, CISA KEV (added 2025-06-10), and the vendor security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-30: ATT&CK enrichment (T1203 + T1204.002) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-24016": {
     "name": "Wazuh Server Deserialization of Untrusted Data Vulnerability",