@blamejs/exceptd-skills 0.15.7 → 0.15.9

package/data/cve-catalog.json

@@ -7825,7 +7825,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -7846,7 +7847,7 @@
     "cwe_refs": [
       "CWE-77"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469",
@@ -7875,11 +7876,21 @@
         "published_date": "2026-04-24"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-04-24; due date 2026-05-08. Notes reference: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469 ; https://nvd.nist.gov/vuln/detail/CVE-2025-29635",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "D-Link DIR-823X router reachable on the network at a release below the fixed firmware/version (or end-of-life with no fix).",
+        "Unauthenticated requests to the router web interface consistent with command injection (CWE-77) on the D-Link DIR-823X, giving an unauthenticated attacker command execution on the device.",
+        "Indicators of the exploited weakness on the router web interface — unexpected command execution, new accounts, malicious firmware, or botnet/C2 traffic from the device — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-29635, CISA KEV (added 2026-04-24), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2024-7399": {
     "name": "Samsung MagicINFO 9 Server Path Traversal Vulnerability",
@@ -22748,7 +22759,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1592"
+      "T1592",
+      "T1190"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22770,7 +22782,7 @@
       "CWE-25",
       "CWE-282"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems",
@@ -22801,11 +22813,21 @@
         "published_date": "2026-02-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-02-25; due date 2026-02-27. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.",
+    "iocs": {
+      "behavioral": [
+        "Cisco SD-WAN reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the SD-WAN surface consistent with a path-traversal flaw (CWE-25/CWE-282) reachable by an unauthenticated attacker.",
+        "Indicators of the exploited weakness on the SD-WAN surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2022-20775, CISA KEV (added 2026-02-25), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2026-20127": {
     "name": "Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability",
@@ -27602,7 +27624,7 @@
     "cwe_refs": [
       "CWE-20"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4",
@@ -27631,11 +27653,21 @@
         "published_date": "2025-12-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-17; due date 2025-12-24. Notes reference: Please adhere to Cisco's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Cisco products affected by this vulnerability. Apply any f",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.",
+    "iocs": {
+      "behavioral": [
+        "Cisco (multiple products) reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the Cisco product surface consistent with improper input validation (CWE-20) reachable by an unauthenticated attacker.",
+        "Indicators of the exploited weakness on the Cisco product surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20393, CISA KEV (added 2025-12-17), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-59718": {
     "name": "Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability",
@@ -28289,7 +28321,7 @@
     "cwe_refs": [
       "CWE-120"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10308",
@@ -28318,11 +28350,21 @@
         "published_date": "2025-12-08"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-12-08; due date 2025-12-29. Notes reference: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10308 ; https://nvd.nist.gov/vuln/detail/CVE-2022-37055",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link Routers contains a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "D-Link Routers contains a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "D-Link routers reachable on the network at a release below the fixed firmware/version (or end-of-life with no fix).",
+        "Unauthenticated requests to the router web interface consistent with a buffer overflow (CWE-120) on affected D-Link routers reachable by an unauthenticated attacker.",
+        "Indicators of the exploited weakness on the router web interface — unexpected command execution, new accounts, malicious firmware, or botnet/C2 traffic from the device — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2022-37055, CISA KEV (added 2025-12-08), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-66644": {
     "name": "Array Networks ArrayOS AG OS Command Injection Vulnerability",
@@ -33197,7 +33239,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1499"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -33218,7 +33261,7 @@
     "cwe_refs": [
       "CWE-121"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte",
@@ -33247,11 +33290,21 @@
         "published_date": "2025-09-29"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-29; due date 2025-10-20. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte ; https://nvd.nist.gov/vuln/detail/CVE-2025-20352",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco IOS and IOS XE contains a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco IOS and IOS XE contains a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system.",
+    "iocs": {
+      "behavioral": [
+        "Cisco IOS / IOS XE reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the IOS/IOS XE SNMP subsystem consistent with a stack-based overflow (CWE-121) in the SNMP subsystem, exploitable by an unauthenticated attacker for denial of service and remote code execution.",
+        "Indicators of the exploited weakness on the IOS/IOS XE SNMP subsystem — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20352, CISA KEV (added 2025-09-29), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-21311": {
     "name": "Adminer Server-Side Request Forgery Vulnerability",
@@ -33409,7 +33462,7 @@
     "cwe_refs": [
       "CWE-862"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices",
@@ -33443,11 +33496,21 @@
         "published_date": "2025-09-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-25; due date 2025-09-26. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ; https://www.cisa.gov/news-events/directives/supplemental-d",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Secure Firewall ASA / FTD reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the ASA/FTD web surface consistent with a missing-authorization flaw (CWE-862) allowing an unauthenticated attacker to reach restricted URL endpoints (the ASA web-services chain).",
+        "Indicators of the exploited weakness on the ASA/FTD web surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20362, CISA KEV (added 2025-09-25), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20333": {
     "name": "Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability",
@@ -33510,7 +33573,7 @@
     "cwe_refs": [
       "CWE-120"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices",
@@ -33544,11 +33607,21 @@
         "published_date": "2025-09-25"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-09-25; due date 2025-09-26. Notes reference: CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ; https://www.cisa.gov/news-events/directives/supplemental-d",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Secure Firewall ASA / FTD reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the ASA/FTD web surface consistent with a buffer overflow (CWE-120) enabling unauthenticated remote code execution (chained with the missing-authorization flaw).",
+        "Indicators of the exploited weakness on the ASA/FTD web surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20333, CISA KEV (added 2025-09-25), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-5086": {
     "name": "Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability",
@@ -35322,7 +35395,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35343,7 +35417,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.dlink.com/productinfo.aspx?m=DCS-2530L",
@@ -35373,11 +35447,21 @@
         "published_date": "2025-08-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-05; due date 2025-08-26. Notes reference: https://support.dlink.com/productinfo.aspx?m=DCS-2530L ; https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10180 ; https://nvd.nist.gov/vuln/detail/CVE-2020-25078",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link DCS-2530L and DCS-2670L devices contains an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "D-Link DCS-2530L and DCS-2670L devices contains an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "D-Link DCS-2530L / DCS-2670L cameras reachable on the network at a release below the fixed firmware/version (or end-of-life with no fix).",
+        "Unauthenticated requests to the IP camera web interface consistent with an unauthenticated code-execution flaw (CWE-94) on the D-Link DCS-2530L/2670L network cameras.",
+        "Indicators of the exploited weakness on the IP camera web interface — unexpected command execution, new accounts, malicious firmware, or botnet/C2 traffic from the device — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2020-25078, CISA KEV (added 2025-08-05), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2020-25079": {
     "name": "D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability",
@@ -35419,7 +35503,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35440,7 +35525,7 @@
     "cwe_refs": [
       "CWE-77"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://support.dlink.com/productinfo.aspx?m=DCS-2530L",
@@ -35470,11 +35555,21 @@
         "published_date": "2025-08-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-05; due date 2025-08-26. Notes reference: https://support.dlink.com/productinfo.aspx?m=DCS-2530L ; https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10180 ; https://nvd.nist.gov/vuln/detail/CVE-2020-25079",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link DCS-2530L and DCS-2670L devices contains a command injection vulnerability in the cgi-bin/ddns_enc.cgi. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "D-Link DCS-2530L and DCS-2670L devices contains a command injection vulnerability in the cgi-bin/ddns_enc.cgi. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "D-Link DCS-2530L / DCS-2670L cameras reachable on the network at a release below the fixed firmware/version (or end-of-life with no fix).",
+        "Unauthenticated requests to the IP camera web interface consistent with command injection (CWE-77) on the D-Link DCS-2530L/2670L cameras, giving an unauthenticated attacker command execution.",
+        "Indicators of the exploited weakness on the IP camera web interface — unexpected command execution, new accounts, malicious firmware, or botnet/C2 traffic from the device — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2020-25079, CISA KEV (added 2025-08-05), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2022-40799": {
     "name": "D-Link DNR-322L Download of Code Without Integrity Check Vulnerability",
@@ -35537,7 +35632,7 @@
     "cwe_refs": [
       "CWE-494"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://www.dlink.com/uk/en/products/dnr-322l-cloud-network-video-recorder",
@@ -35566,11 +35661,21 @@
         "published_date": "2025-08-05"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-08-05; due date 2025-08-26. Notes reference: https://www.dlink.com/uk/en/products/dnr-322l-cloud-network-video-recorder ; https://nvd.nist.gov/vuln/detail/CVE-2022-40799",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "D-Link DNR-322L contains a download of code without integrity check vulnerability that could allow an authenticated attacker to execute OS level commands on the device. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "D-Link DNR-322L contains a download of code without integrity check vulnerability that could allow an authenticated attacker to execute OS level commands on the device. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.",
+    "iocs": {
+      "behavioral": [
+        "D-Link DNR-322L NAS reachable on the network at a release below the fixed firmware/version (or end-of-life with no fix).",
+        "Unauthenticated requests to the NAS management interface consistent with download of code without an integrity check (CWE-494) on the D-Link DNR-322L, letting an attacker supply a malicious update for code execution.",
+        "Indicators of the exploited weakness on the NAS management interface — unexpected command execution, new accounts, malicious firmware, or botnet/C2 traffic from the device — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2022-40799, CISA KEV (added 2025-08-05), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-2533": {
     "name": "PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability",
@@ -35708,7 +35813,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35729,7 +35835,7 @@
     "cwe_refs": [
       "CWE-74"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6",
@@ -35758,11 +35864,21 @@
         "published_date": "2025-07-28"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-28; due date 2025-08-18. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 ; https://nvd.nist.gov/vuln/detail/CVE-2025-20337",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Identity Services Engine (ISE) reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the ISE surface consistent with an injection flaw (CWE-74) enabling unauthenticated code execution on Cisco ISE.",
+        "Indicators of the exploited weakness on the ISE surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20337, CISA KEV (added 2025-07-28), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-20281": {
     "name": "Cisco Identity Services Engine Injection Vulnerability (variant: CVE-2025-20281)",
@@ -35804,7 +35920,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -35825,7 +35942,7 @@
     "cwe_refs": [
       "CWE-74"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6",
@@ -35854,11 +35971,21 @@
         "published_date": "2025-07-28"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-07-28; due date 2025-08-18. Notes reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 ; https://nvd.nist.gov/vuln/detail/CVE-2025-20281",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device.",
+    "iocs": {
+      "behavioral": [
+        "Cisco Identity Services Engine (ISE) reachable on the network at a release below the fixed version named in the Cisco advisory.",
+        "Unauthenticated requests to the ISE surface consistent with an injection flaw (CWE-74, a variant) enabling unauthenticated code execution on Cisco ISE.",
+        "Indicators of the exploited weakness on the ISE surface — device crashes/reloads, unexpected command execution, or access to restricted endpoints — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-20281, CISA KEV (added 2025-07-28), and the Cisco security advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-2775": {
     "name": "SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability",
@@ -39959,7 +40086,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1059"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39980,7 +40108,7 @@
     "cwe_refs": [
       "CWE-94"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM",
@@ -40009,11 +40137,21 @@
         "published_date": "2025-05-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM ; https://nvd.nist.gov/vuln/detail/CVE-2025-4428",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library, as represented by CVE-2025-35036."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library, as represented by CVE-2025-35036.",
+    "iocs": {
+      "behavioral": [
+        "Ivanti Endpoint Manager Mobile (EPMM) reachable on the network at a release below the fixed firmware/version (or end-of-life with no fix).",
+        "Unauthenticated requests to the EPMM management surface consistent with code injection (CWE-94) yielding unauthenticated remote code execution on the EPMM management surface (chained with the authentication bypass).",
+        "Indicators of the exploited weakness on the EPMM management surface — unexpected command execution, new accounts, malicious firmware, or botnet/C2 traffic from the device — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-4428, CISA KEV (added 2025-05-19), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-4427": {
     "name": "Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability",
@@ -40055,7 +40193,8 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1190",
+      "T1078"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -40076,7 +40215,7 @@
     "cwe_refs": [
       "CWE-288"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM",
@@ -40105,11 +40244,21 @@
         "published_date": "2025-05-19"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-05-19; due date 2025-06-09. Notes reference: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM ; https://nvd.nist.gov/vuln/detail/CVE-2025-4427",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library.",
+    "iocs": {
+      "behavioral": [
+        "Ivanti Endpoint Manager Mobile (EPMM) reachable on the network at a release below the fixed firmware/version (or end-of-life with no fix).",
+        "Unauthenticated requests to the EPMM management surface consistent with an authentication bypass (CWE-288) on EPMM that, chained with the code-injection flaw, yields unauthenticated remote code execution.",
+        "Indicators of the exploited weakness on the EPMM management surface — unexpected command execution, new accounts, malicious firmware, or botnet/C2 traffic from the device — with no corresponding legitimate administrative action (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-4427, CISA KEV (added 2025-05-19), and the vendor advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-42999": {
     "name": "SAP NetWeaver Deserialization Vulnerability",