@blamejs/exceptd-skills 0.15.6 → 0.15.8

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.8 — 2026-05-29
+
+Draft-curation pass 6 — Cisco network devices. Seven CISA KEV-listed Cisco CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: SD-WAN path traversal (CVE-2022-20775), multi-product improper input validation (CVE-2025-20393), IOS/IOS XE SNMP DoS+RCE (CVE-2025-20352), the Secure Firewall ASA/FTD missing-authorization (CVE-2025-20362) and buffer-overflow (CVE-2025-20333) chain, and the Identity Services Engine injection pair (CVE-2025-20337, CVE-2025-20281). The ASA and device lessons note that network-device implants survive patching without explicit recovery steps.
+
+## 0.15.7 — 2026-05-29
+
+Draft-curation pass 5 — Fortinet network appliances. Six CISA KEV-listed Fortinet CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: FortiWeb OS command injection (CVE-2025-58034), path traversal (CVE-2025-64446), and SQL injection (CVE-2025-25257); FortiOS hard-coded credentials (CVE-2019-6693); and the multi-product improper-signature-verification (CVE-2025-59718) and stack-based buffer overflow (CVE-2025-32756).
+
 ## 0.15.6 — 2026-05-29
 
 Draft-curation pass 4 — enterprise management-plane and infrastructure. Six CISA KEV-listed CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: the Cisco Catalyst SD-WAN Manager cluster — incorrect privileged-API use (CVE-2026-20122), sensitive-information exposure (CVE-2026-20133), and recoverable password storage (CVE-2026-20128) — plus Microsoft SharePoint Server improper input validation (CVE-2026-32201), Fortinet FortiClient EMS improper access control (CVE-2026-35616), and Dell RecoverPoint for VMs hard-coded credentials (CVE-2026-22769).

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T18:03:19.614Z",
+  "generated_at": "2026-05-29T18:43:29.131Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "de945cd44af7f0c8c05d165bbc4e4e3fa909cef74e19812f7643dc0bcf933551",
+    "manifest.json": "a122252b090e0f606e64537278dd5998f3a9d73274badd8f3a8c65145dd0d377",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "c2045b7be150b50a605e555ed3573194ce21f4cd109a99de6fee3d75e8daf2c7",
-    "data/cve-catalog.json": "70f75c1d6812d251dd4819800662dc16329856d18a5b5907912cc0cc30328a6f",
+    "data/attack-techniques.json": "2644a3fa8dd40586085126f3fc9ca120d6155da083f70d4208f57ccb0b8884ee",
+    "data/cve-catalog.json": "878f54c4589360a765dbc41173ce48b12beef73c13a04037e2bb036e828c7165",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "16d1bba0c2bde1be54c590ef5d0cf34ce5d6b012781a7a7dcb8a828e258f0bb9",
+    "data/zeroday-lessons.json": "56cf66af139d604ba955fa1b0f3d42b4baf7043bd664e20f90855fe4f1db0989",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -301,6 +301,8 @@
       "CVE-2025-11837",
       "CVE-2025-1550",
       "CVE-2025-1753",
+      "CVE-2025-20281",
+      "CVE-2025-20337",
       "CVE-2025-23254",
       "CVE-2025-27520",
       "CVE-2025-30165",
@@ -315,6 +317,7 @@
       "CVE-2025-53773",
       "CVE-2025-54136",
       "CVE-2025-55319",
+      "CVE-2025-58034",
       "CVE-2025-60455",
       "CVE-2025-64496",
       "CVE-2025-68664",
@@ -541,6 +544,7 @@
       "CVE-2015-7755",
       "CVE-2017-7921",
       "CVE-2019-19006",
+      "CVE-2019-6693",
       "CVE-2020-10148",
       "CVE-2020-24363",
       "CVE-2021-32030",
@@ -904,6 +908,7 @@
       "CVE-2021-22681",
       "CVE-2021-26828",
       "CVE-2022-1471",
+      "CVE-2022-20775",
       "CVE-2022-36551",
       "CVE-2022-37055",
       "CVE-2022-40799",
@@ -1052,6 +1057,7 @@
       "CVE-2025-62847",
       "CVE-2025-62848",
       "CVE-2025-64328",
+      "CVE-2025-64446",
       "CVE-2025-64496",
       "CVE-2025-64513",
       "CVE-2025-6554",
@@ -2909,6 +2915,7 @@
     "last_verified": "2026-05-19",
     "notes": "Added v0.13.17 to support DoS-class KEV bulk imports.",
     "cve_refs": [
+      "CVE-2025-20352",
       "CVE-2025-30202",
       "CVE-2025-6543",
       "CVE-2026-24215",

package/data/cve-catalog.json

@@ -22748,7 +22748,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22770,7 +22771,7 @@
       "CWE-25",
       "CWE-282"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems",
@@ -22801,11 +22802,21 @@
         "published_date": "2026-02-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-25; due date 2026-02-27. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.",
+    "iocs": {
+      "behavioral": [
+        "Cisco SD-WAN reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the SD-WAN surface consistent with a path-traversal flaw (CWE-25/CWE-282) reachable by an unauthenticated attacker.",
+        "Indicators of the exploited weakness on the SD-WAN surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2022-20775, CISA KEV (added 2026-02-25), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20127": {
     "name": "Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability",
@@ -27602,7 +27613,7 @@
     "cwe_refs": [
       "CWE-20"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4",
@@ -27631,11 +27642,21 @@
         "published_date": "2025-12-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-17; due date 2025-12-24. Notes reference: Please adhere to Cisco's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Cisco products affected by this vulnerability. Apply any f",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.",
+    "iocs": {
+      "behavioral": [
+        "Cisco (multiple products) reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the Cisco product surface consistent with improper input validation (CWE-20) reachable by an unauthenticated attacker.",
+        "Indicators of the exploited weakness on the Cisco product surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20393, CISA KEV (added 2025-12-17), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-59718": {
     "name": "Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability",
@@ -27698,7 +27719,7 @@
     "cwe_refs": [
       "CWE-347"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-25-647",
@@ -27728,11 +27749,21 @@
         "published_date": "2025-12-16"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-16; due date 2025-12-23. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-647 ; https://docs.fortinet.com/upgrade-tool/fortigate ; https://nvd.nist.gov/vuln/detail/CVE-2025-59718",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet (multiple products) reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the Fortinet product surface consistent with improper verification of a cryptographic signature (CWE-347), allowing an unauthenticated attacker to bypass a signature check.",
+        "Indicators of the exploited weakness on the Fortinet product surface — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-59718, CISA KEV (added 2025-12-16), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-14611": {
     "name": "Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability",
@@ -29123,7 +29154,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29144,7 +29176,7 @@
     "cwe_refs": [
       "CWE-78"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-25-513",
@@ -29173,11 +29205,21 @@
         "published_date": "2025-11-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-18; due date 2025-11-25. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-513 ; https://nvd.nist.gov/vuln/detail/CVE-2025-58034",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet FortiWeb reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the FortiWeb management surface consistent with OS command injection (CWE-78) giving an unauthenticated attacker command execution on the FortiWeb appliance.",
+        "Indicators of the exploited weakness on the FortiWeb management surface — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-58034, CISA KEV (added 2025-11-18), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-64446": {
     "name": "Fortinet FortiWeb Path Traversal Vulnerability",
@@ -29218,7 +29260,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -29239,7 +29282,7 @@
     "cwe_refs": [
       "CWE-23"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.fortiguard.com/psirt/FG-IR-25-910",
@@ -29268,11 +29311,21 @@
         "published_date": "2025-11-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-11-14; due date 2025-11-21. Notes reference: https://www.fortiguard.com/psirt/FG-IR-25-910 ; https://nvd.nist.gov/vuln/detail/CVE-2025-64446",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet FortiWeb reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the FortiWeb surface consistent with a path-traversal flaw (CWE-23) on FortiWeb reachable by an unauthenticated attacker.",
+        "Indicators of the exploited weakness on the FortiWeb surface — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-64446, CISA KEV (added 2025-11-14), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-12480": {
     "name": "Gladinet Triofox Improper Access Control Vulnerability",
@@ -33165,7 +33218,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1499"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -33186,7 +33240,7 @@
     "cwe_refs": [
       "CWE-121"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte",
@@ -33215,11 +33269,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte ; https://nvd.nist.gov/vuln/detail/CVE-2025-20352",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco IOS and IOS XE contains a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco IOS and IOS XE contains a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system.",
+    "iocs": {
+      "behavioral": [
+        "Cisco IOS / IOS XE reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the IOS/IOS XE SNMP subsystem consistent with a stack-based overflow (CWE-121) in the SNMP subsystem, exploitable by an unauthenticated attacker for denial of service and remote code execution.",
+        "Indicators of the exploited weakness on the IOS/IOS XE SNMP subsystem — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20352, CISA KEV (added 2025-09-29), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-21311": {
     "name": "Adminer Server-Side Request Forgery Vulnerability",
@@ -33377,7 +33441,7 @@
     "cwe_refs": [
       "CWE-862"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices",
@@ -33411,11 +33475,21 @@
         "published_date": "2025-09-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-25; due date 2025-09-26. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ; https://www.cisa.gov/news-events/directives/supplemental-d",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Secure Firewall ASA / FTD reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the ASA/FTD web surface consistent with a missing-authorization flaw (CWE-862) allowing an unauthenticated attacker to reach restricted URL endpoints (the ASA web-services chain).",
+        "Indicators of the exploited weakness on the ASA/FTD web surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20362, CISA KEV (added 2025-09-25), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20333": {
     "name": "Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability",
@@ -33478,7 +33552,7 @@
     "cwe_refs": [
       "CWE-120"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices",
@@ -33512,11 +33586,21 @@
         "published_date": "2025-09-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-25; due date 2025-09-26. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ; https://www.cisa.gov/news-events/directives/supplemental-d",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Secure Firewall ASA / FTD reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the ASA/FTD web surface consistent with a buffer overflow (CWE-120) enabling unauthenticated remote code execution (chained with the missing-authorization flaw).",
+        "Indicators of the exploited weakness on the ASA/FTD web surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20333, CISA KEV (added 2025-09-25), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-5086": {
     "name": "Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability",
@@ -35676,7 +35760,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35697,7 +35782,7 @@
     "cwe_refs": [
       "CWE-74"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6",
@@ -35726,11 +35811,21 @@
         "published_date": "2025-07-28"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-28; due date 2025-08-18. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 ; https://nvd.nist.gov/vuln/detail/CVE-2025-20337",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Identity Services Engine (ISE) reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the ISE surface consistent with an injection flaw (CWE-74) enabling unauthenticated code execution on Cisco ISE.",
+        "Indicators of the exploited weakness on the ISE surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20337, CISA KEV (added 2025-07-28), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20281": {
     "name": "Cisco Identity Services Engine Injection Vulnerability (variant: CVE-2025-20281)",
@@ -35772,7 +35867,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35793,7 +35889,7 @@
     "cwe_refs": [
       "CWE-74"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6",
@@ -35822,11 +35918,21 @@
         "published_date": "2025-07-28"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-28; due date 2025-08-18. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 ; https://nvd.nist.gov/vuln/detail/CVE-2025-20281",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Identity Services Engine (ISE) reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the ISE surface consistent with an injection flaw (CWE-74, a variant) enabling unauthenticated code execution on Cisco ISE.",
+        "Indicators of the exploited weakness on the ISE surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20281, CISA KEV (added 2025-07-28), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-2775": {
     "name": "SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability",
@@ -36573,7 +36679,7 @@
     "cwe_refs": [
       "CWE-89"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-25-151",
@@ -36602,11 +36708,21 @@
         "published_date": "2025-07-18"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-18; due date 2025-08-08. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-151 ; https://nvd.nist.gov/vuln/detail/CVE-2025-25257",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet FortiWeb reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the FortiWeb surface consistent with SQL injection (CWE-89) on the FortiWeb surface, reachable unauthenticated and escalating to compromise.",
+        "Indicators of the exploited weakness on the FortiWeb surface — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-25257, CISA KEV (added 2025-07-18), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-47812": {
     "name": "Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability",
@@ -37596,7 +37712,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 83,
     "rwep_factors": {
@@ -37617,7 +37734,7 @@
     "cwe_refs": [
       "CWE-798"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.com/advisory/FG-IR-19-007",
@@ -37646,11 +37763,21 @@
         "published_date": "2025-06-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-25; due date 2025-07-16. Notes reference: https://fortiguard.com/advisory/FG-IR-19-007 ; https://nvd.nist.gov/vuln/detail/CVE-2019-6693",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup file via knowledge of the hard-coded key. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup file via knowledge of the hard-coded key. ",
+    "iocs": {
+      "behavioral": [
+        "Fortinet FortiOS reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the FortiOS appliance consistent with use of hard-coded credentials (CWE-798) in FortiOS, allowing authentication with built-in credentials.",
+        "Indicators of the exploited weakness on the FortiOS appliance — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2019-6693, CISA KEV (added 2025-06-25), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-0769": {
     "name": " D-Link DIR-859 Router Path Traversal Vulnerability",
@@ -40313,7 +40440,7 @@
     "cwe_refs": [
       "CWE-124"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://fortiguard.fortinet.com/psirt/FG-IR-25-254",
@@ -40342,11 +40469,21 @@
         "published_date": "2025-05-14"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-14; due date 2025-06-04. Notes reference: https://fortiguard.fortinet.com/psirt/FG-IR-25-254 ; https://nvd.nist.gov/vuln/detail/CVE-2025-32756",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.",
+    "iocs": {
+      "behavioral": [
+        "Fortinet (multiple products) reachable on the network at a release below the fixed version named in the Fortinet PSIRT advisory.",
+        "Unauthenticated requests to the Fortinet product surface consistent with a stack-based buffer overflow (CWE-124) across multiple Fortinet products, reachable by an unauthenticated attacker for remote code execution.",
+        "Indicators of the exploited weakness on the Fortinet product surface — unexpected command/code execution, file access, or authentication with built-in credentials — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-32756, CISA KEV (added 2025-05-14), and the Fortinet PSIRT advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-32709": {
     "name": "Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability",