npm - @blamejs/exceptd-skills - Versions diffs - 0.15.5 → 0.15.7 - Mend

@blamejs/exceptd-skills 0.15.5 → 0.15.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +7 -0
package/data/cve-catalog.json +194 -67
package/data/zeroday-lessons.json +492 -156
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,13 @@
 # Changelog
+## 0.15.7 — 2026-05-29
+Draft-curation pass 5 — Fortinet network appliances. Six CISA KEV-listed Fortinet CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: FortiWeb OS command injection (CVE-2025-58034), path traversal (CVE-2025-64446), and SQL injection (CVE-2025-25257); FortiOS hard-coded credentials (CVE-2019-6693); and the multi-product improper-signature-verification (CVE-2025-59718) and stack-based buffer overflow (CVE-2025-32756).
+## 0.15.6 — 2026-05-29
+Draft-curation pass 4 — enterprise management-plane and infrastructure. Six CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the Cisco Catalyst SD-WAN Manager cluster — incorrect privileged-API use (CVE-2026-20122), sensitive-information exposure (CVE-2026-20133), and recoverable password storage (CVE-2026-20128) — plus Microsoft SharePoint Server improper input validation (CVE-2026-32201), Fortinet FortiClient EMS improper access control (CVE-2026-35616), and Dell RecoverPoint for VMs hard-coded credentials (CVE-2026-22769).
 ## 0.15.5 — 2026-05-29
 Draft-curation pass 3 — the client-side memory-corruption class. Four CISA KEV-listed browser/document-reader RCEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, a matching zero-day lesson, and ATT&CK enrichment to T1203 (Exploitation for Client Execution) rather than the network-service T1190: Google Chrome Skia out-of-bounds write (CVE-2026-3909), Chrome Dawn/WebGPU use-after-free (CVE-2026-5281), Chrome V8 memory-buffer flaw (CVE-2026-3910), and Adobe Acrobat/Reader prototype pollution (CVE-2026-34621). The lessons frame remediation as endpoint/browser patch-SLA (same-day auto-update vs. managed change windows) rather than perimeter patching.

package/data/_indexes/_meta.json CHANGED Viewed

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T17:12:20.887Z",
+  "generated_at": "2026-05-29T18:21:45.248Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "90e8775a672249381101e97d139798c3066b548ad2ad654e5f9b54fb04970032",
+    "manifest.json": "6645e9bffccc3537d7762dfb4edac67d45644ad778d3e9d638691b6a1c33e4e5",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "9dfd1cfc0eafa912ac5dc7dbbe159df0ca2cbc7803e3f53fda22d8da3f4e93f5",
-    "data/cve-catalog.json": "b47297007f157d4100b9a5b84f9da82718eccd597e825232c7dad3aace2647d3",
+    "data/attack-techniques.json": "38fcd583a8cbd0d6221b6534648a2aa0f8dcd005d7adae5770b0c11b98df974a",
+    "data/cve-catalog.json": "91a69760ce819f072f72dc02016919fc3626fd76d42bfc61778171803ec5c9c5",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "0482d05de4bc26f87c92417cb99c82fd1fdcf820d766eaed5bc7eb734865ff4d",
+    "data/zeroday-lessons.json": "ff278f414aeae0787a3cdd51f51c1b2d69f26fb4b8d4dfcffc11d966206a7c1b",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json CHANGED Viewed

@@ -315,6 +315,7 @@
       "CVE-2025-53773",
       "CVE-2025-54136",
       "CVE-2025-55319",
+      "CVE-2025-58034",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-68664",
@@ -486,6 +487,7 @@
       "CVE-2025-62215",
       "CVE-2025-62849",
       "CVE-2026-0300",
+      "CVE-2026-20122",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-33825",
@@ -540,6 +542,7 @@
       "CVE-2015-7755",
       "CVE-2017-7921",
       "CVE-2019-19006",
+      "CVE-2019-6693",
       "CVE-2020-10148",
       "CVE-2020-24363",
       "CVE-2021-32030",
@@ -564,6 +567,7 @@
       "CVE-2026-20127",
       "CVE-2026-20182",
       "CVE-2026-21858",
+      "CVE-2026-22769",
       "CVE-2026-23760",
       "CVE-2026-24061",
       "CVE-2026-24423",
@@ -1050,6 +1054,7 @@
       "CVE-2025-62847",
       "CVE-2025-62848",
       "CVE-2025-64328",
+      "CVE-2025-64446",
       "CVE-2025-64496",
       "CVE-2025-64513",
       "CVE-2025-6554",
@@ -1368,6 +1373,7 @@
     ],
     "cve_refs": [
       "CVE-2024-12450",
+      "CVE-2026-20133",
       "CVE-2026-21858",
       "CVE-2026-22218",
       "CVE-2026-41950"
@@ -1631,6 +1637,7 @@
       "CVE-2025-30154",
       "CVE-2025-68664",
       "CVE-2025-68665",
+      "CVE-2026-20128",
       "CVE-2026-22219",
       "CVE-2026-48027",
       "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",

package/data/cve-catalog.json CHANGED Viewed

@@ -8212,7 +8212,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -8233,7 +8234,7 @@
     "cwe_refs": [
       "CWE-648"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems",
@@ -8264,11 +8265,21 @@
         "published_date": "2026-04-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Catalyst SD-WAN Manager reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the SD-WAN Manager management plane consistent with an incorrect use of privileged APIs (CWE-648) reachable by an unauthenticated attacker, enabling privileged actions on the management plane.",
+        "Indicators of the exploited weakness on the SD-WAN Manager management plane — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20122, CISA KEV (added 2026-04-20), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20133": {
     "name": "Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability",
@@ -8310,7 +8321,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1213"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -8331,7 +8343,7 @@
     "cwe_refs": [
       "CWE-200"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems",
@@ -8362,11 +8374,21 @@
         "published_date": "2026-04-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Catalyst SD-WAN Manager reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the SD-WAN Manager management plane consistent with exposure of sensitive information to an unauthorized actor (CWE-200) from the management plane.",
+        "Indicators of the exploited weakness on the SD-WAN Manager management plane — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20133, CISA KEV (added 2026-04-20), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-2749": {
     "name": "Kentico Xperience Path Traversal Vulnerability",
@@ -8697,7 +8719,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1552"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -8718,7 +8741,7 @@
     "cwe_refs": [
       "CWE-257"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems",
@@ -8749,11 +8772,21 @@
         "published_date": "2026-04-20"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-20; due date 2026-04-23. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Catalyst SD-WAN Manager reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the SD-WAN Manager consistent with storage of passwords in a recoverable format (CWE-257), allowing an attacker with access to recover credentials.",
+        "Indicators of the exploited weakness on the SD-WAN Manager — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-20128, CISA KEV (added 2026-04-20), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32975": {
     "name": "Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability",
@@ -9214,7 +9247,7 @@
     "cwe_refs": [
       "CWE-20"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32201",
@@ -9243,11 +9276,21 @@
         "published_date": "2026-04-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-14; due date 2026-04-28. Notes reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32201 ; https://nvd.nist.gov/vuln/detail/CVE-2026-32201",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.",
+    "iocs": {
+      "behavioral": [
+        "Microsoft SharePoint Server reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the SharePoint Server surface consistent with improper input validation (CWE-20) reachable by an unauthorized attacker, leading to compromise of the SharePoint server.",
+        "Indicators of the exploited weakness on the SharePoint Server surface — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-32201, CISA KEV (added 2026-04-14), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2012-1854": {
     "name": "Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability",
@@ -10110,7 +10153,7 @@
     "cwe_refs": [
       "CWE-284"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-26-099",
@@ -10139,11 +10182,21 @@
         "published_date": "2026-04-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-06; due date 2026-04-09. Notes reference: Please adhere to Fortinet's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Fortinet products affected by this vulnerability. Apply",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet FortiClient EMS reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the FortiClient EMS management server consistent with an improper access-control flaw (CWE-284) allowing an unauthenticated attacker to access functions or data beyond authorization.",
+        "Indicators of the exploited weakness on the FortiClient EMS management server — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-35616, CISA KEV (added 2026-04-06), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-3502": {
     "name": "TrueConf Client Download of Code Without Integrity Check Vulnerability",
@@ -23299,7 +23352,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -23320,7 +23374,7 @@
     "cwe_refs": [
       "CWE-798"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079",
@@ -23351,11 +23405,21 @@
         "published_date": "2026-02-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-18; due date 2026-02-21. Notes reference: https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079 ; https://www.dell.com/support/kbdoc/en-us/000426742/recoverpoint-for-vms-apply-the-remediation-script-for-dsa ; https://cloud.google.co",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Dell RecoverPoint for Virtual Machines (RP4VMs) contains an use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and root-level persistence."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dell RecoverPoint for Virtual Machines (RP4VMs) contains an use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and root-level persistence.",
+    "iocs": {
+      "behavioral": [
+        "Dell RecoverPoint for Virtual Machines (RP4VMs) reachable on the network at a release below the fixed version named in the vendor advisory.",
+        "Activity against the RP4VMs appliance consistent with use of hard-coded credentials (CWE-798), allowing an attacker to authenticate with built-in credentials.",
+        "Indicators of the exploited weakness on the RP4VMs appliance — unexpected privileged actions, data exposure, credential use, or new accounts — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-22769, CISA KEV (added 2026-02-18), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2020-7796": {
     "name": "Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability",
@@ -27634,7 +27698,7 @@
     "cwe_refs": [
       "CWE-347"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-25-647",
@@ -27664,11 +27728,21 @@
         "published_date": "2025-12-16"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-16; due date 2025-12-23. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-647 ; https://docs.fortinet.com/upgrade-tool/fortigate ; https://nvd.nist.gov/vuln/detail/CVE-2025-59718",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet (multiple products) reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the Fortinet product surface consistent with improper verification of a cryptographic signature (CWE-347), allowing an unauthenticated attacker to bypass a signature check.",
+        "Indicators of the exploited weakness on the Fortinet product surface — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-59718, CISA KEV (added 2025-12-16), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-14611": {
     "name": "Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability",
@@ -29059,7 +29133,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29080,7 +29155,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-25-513",
@@ -29109,11 +29184,21 @@
         "published_date": "2025-11-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-18; due date 2025-11-25. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-513 ; https://nvd.nist.gov/vuln/detail/CVE-2025-58034",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet FortiWeb reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the FortiWeb management surface consistent with OS command injection (CWE-78) giving an unauthenticated attacker command execution on the FortiWeb appliance.",
+        "Indicators of the exploited weakness on the FortiWeb management surface — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-58034, CISA KEV (added 2025-11-18), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-64446": {
     "name": "Fortinet FortiWeb Path Traversal Vulnerability",
@@ -29154,7 +29239,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29175,7 +29261,7 @@
     "cwe_refs": [
       "CWE-23"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.fortiguard.com/psirt/FG-IR-25-910",
@@ -29204,11 +29290,21 @@
         "published_date": "2025-11-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-14; due date 2025-11-21. Notes reference: https://www.fortiguard.com/psirt/FG-IR-25-910 ; https://nvd.nist.gov/vuln/detail/CVE-2025-64446",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet FortiWeb reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the FortiWeb surface consistent with a path-traversal flaw (CWE-23) on FortiWeb reachable by an unauthenticated attacker.",
+        "Indicators of the exploited weakness on the FortiWeb surface — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-64446, CISA KEV (added 2025-11-14), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-12480": {
     "name": "Gladinet Triofox Improper Access Control Vulnerability",
@@ -36509,7 +36605,7 @@
     "cwe_refs": [
       "CWE-89"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-25-151",
@@ -36538,11 +36634,21 @@
         "published_date": "2025-07-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-18; due date 2025-08-08. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-151 ; https://nvd.nist.gov/vuln/detail/CVE-2025-25257",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet FortiWeb reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the FortiWeb surface consistent with SQL injection (CWE-89) on the FortiWeb surface, reachable unauthenticated and escalating to compromise.",
+        "Indicators of the exploited weakness on the FortiWeb surface — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-25257, CISA KEV (added 2025-07-18), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-47812": {
     "name": "Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability",
@@ -37532,7 +37638,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -37553,7 +37660,7 @@
     "cwe_refs": [
       "CWE-798"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.com/advisory/FG-IR-19-007",
@@ -37582,11 +37689,21 @@
         "published_date": "2025-06-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-25; due date 2025-07-16. Notes reference: https://fortiguard.com/advisory/FG-IR-19-007 ; https://nvd.nist.gov/vuln/detail/CVE-2019-6693",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup file via knowledge of the hard-coded key. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup file via knowledge of the hard-coded key. ",
+    "iocs": {
+      "behavioral": [
+        "Fortinet FortiOS reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the FortiOS appliance consistent with use of hard-coded credentials (CWE-798) in FortiOS, allowing authentication with built-in credentials.",
+        "Indicators of the exploited weakness on the FortiOS appliance — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2019-6693, CISA KEV (added 2025-06-25), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-0769": {
     "name": " D-Link DIR-859 Router Path Traversal Vulnerability",
@@ -40249,7 +40366,7 @@
     "cwe_refs": [
       "CWE-124"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-25-254",
@@ -40278,11 +40395,21 @@
         "published_date": "2025-05-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-14; due date 2025-06-04. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-254 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32756",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet (multiple products) reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the Fortinet product surface consistent with a stack-based buffer overflow (CWE-124) across multiple Fortinet products, reachable by an unauthenticated attacker for remote code execution.",
+        "Indicators of the exploited weakness on the Fortinet product surface — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-32756, CISA KEV (added 2025-05-14), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32709": {
     "name": "Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability",