Full Report
Check out NIST’s effort to further mesh its privacy and cyber frameworks. Plus, learn why code-writing GenAI tools can put developers at risk of package-confusion attacks. Also, find out what Tenable webinar attendees said about identity security. And get the latest on the MITRE CVE program and on attacks against edge routers.Dive into five things that are top of mind for the week ending April 18.1 - NIST updates Privacy Framework, tailoring it to the Cybersecurity Framework and adding an AI sectionRecognizing the data protection and cyberattack prevention overlap and are deeply intertwined, the U.S. government is aligning two foundational privacy and cybersecurity frameworks.This week, the U.S. National Institute of Standards and Technology (NIST) released a draft update of its Privacy Framework (PFW) that more closely interconnects it with the popular Cybersecurity Framework (CSF), which was updated in 2024.Although the PFW can be used on its own, this updated version makes its use with the CSF “seamless” so that organizations can leverage the two frameworks “to manage the full spectrum of privacy and cybersecurity risks,” Julie Chua, Director of NIST’s Applied Cybersecurity Division, said in a statement.Both frameworks have a “Core” section, which outlines detailed activities and outcomes aimed at helping organizations discuss risk management. “The PFW 1.1 Public Draft Core is realigned with the CSF 2.0 Core in many places, making life easier on users,” NIST said in the statement.The “NIST Privacy Framework 1.1 Initial Public Draft” also adds a new section about the risks to data privacy from artificial intelligence. Specifically, organizations can use it to “ensure that organizational privacy values are reflected in the development and use of AI systems,” the PFW draft reads.NIST first published the PFW in 2020, with the goal of helping organizations mitigate the privacy risks associated with the processing of personal data in their computer systems. It outlines five core functions:Identify, which includes inventorying the organization’s data-processing scenarios and conducting privacy risk assessmentsGovern, which involves the creation and adoption of the organization’s governance structure for data privacyControl, which addresses the organization’s development and implementation of appropriate data-management activitiesCommunicate, which includes sharing publicly how the organization processes personal data and manages privacy risksProtect, which touches on the organization’s data security processes aimed at preventing cyber breachesThe PFW 1.1 draft is open for public comment until June 13, 2025. NIST plans to publish a final version later this year.For more information about data privacy and data security, check out these Tenable resources:“What Makes This “Data Privacy Day” Different?” (blog)“Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)“Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)“The Data-Factor: Why Integrating DSPM Is Key to Your CNAPP Strategy” (blog)“Data Security in Healthcare: How Tenable Cloud Security Can Help” (blog)2 - GenAI code-generation hallucinations open the door for package-confusion attacks Here’s a warning for developers who use generative AI to write code: Generative AI tools may prompt you to download software packages that are infected with malware.That’s the main finding from the study “We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs” by researchers from the University of Texas at San Antonio, the University of Oklahoma and Virginia Tech.How can this happen? When prompted to write code, generative AI tools powered by large language models (LLMs) often suggest that developers download software packages from public repositories.However, in many cases, the software packages the generative AI tools mention don’t exist. The tools invent names for non-existent software packages and falsely say the packages are located in specific software repositories.Best case scenario is that the developer goes looking for the imagined software package and doesn’t find it. Unfortunately, cyberattackers are taking note. They’re baptizing their malicious packages with the made-up names and storing them in repositories, hoping developers will inadvertently download them thinking they’re legit. “These hallucinations, which arise from fact-conflicting errors when generating code using LLMs, represent a novel form of package confusion attack that poses a critical threat to the integrity of the software supply chain,” the researchers wrote.The researchers generated 576,000 code samples in Python and JavaScript using 16 generative AI tools and two unique prompt datasets. Here are some key findings:The incidence of package hallucination was an average of 5.2% for commercial tools and 21.7% for open-source tools.The tools generated about 205,000 unique hallucinated package names.“Our experiments and findings highlight package hallucinations as a persistent and systemic phenomenon while using state-of-the-art LLMs for code generation, and a significant challenge which deserves the research community’s urgent attention,” the researchers wrote.The researchers also tested several mitigation techniques that helped reduce the incidence of software-package hallucinations, including retrieval augmented generation; self refinement; and fine tuning.For more information about AI security and the risks of using generative AI for writing code:“Cybersecurity Risks of AIGenerated Code” (Georgetown University)“AI-generated code risks: What CISOs need to know” (ITPro)“The risks of AI-generated code are real — here’s how enterprises can manage the risk” (Venturebeat)“Gen AI could speed up coding, but businesses should still consider risks” (ZDNet)“AI coding agents come with legal risk” (CIO)3 - Tenable polls webinar attendees on identity securityDuring our recent webinar “Three Reasons Why It's Time to Embrace Identity as Part of Exposure Management,” we polled attendees about identity security topics, such as their ability to correlate identity incidents with broader attack paths. Check out what they said.(119 webinar attendees polled by Tenable, March 2025)(110 webinar attendees polled by Tenable, March 2025)(144 webinar attendees polled by Tenable, March 2025)Check out this on-demand webinar to learn how you can adopt a more proactive identity security strategy as part of your exposure management program. 4 - Canada’s cyber agency warns about spike in router hacking Nation-state attackers associated with China’s government, including the cyber espionage group Salt Typhoon, are ramping up attacks on network edge routers of critical infrastructure organizations.The Canadian Centre for Cyber Security issued the warning this week via an advisory titled “People’s Republic of China activity targeting network edge routers: Observations and mitigation strategies” which details the threat and offers mitigation recommendations.Compromised network edge routers can allow attackers to breach a network and then monitor, modify, and exfiltrate network traffic, and even move deeper into the victim’s network, according to the advisory.A key insight: The attackers are feasting on low-hanging fruit: misconfigured and unpatched routing devices. The best and simplest prevention? Patch these products as soon as possible. “Threat actors often compromise network perimeter defenses by exploiting known vulnerabilities in edge devices. These security weaknesses are usually already identified, and patches are available to fix them. However, breaches occur because these patches are not consistently applied or implemented in a timely manner,” the advisory reads.The Cyber Centre has also observed router compromises stemming from basic security mistakes, such as the use of default and weak passwords, and of default security settings.Other mitigation recommendations include:Disable unnecessary network edge services, especially unsecured ones such as HTTP.Remove direct internet access to device management interfaces, restricting admins to internal and secure management networks.Protect all administrative access with phishing-resistant multi-factor authentication.Use modern encryption standards.Keep firmware updated.Adopt secure, centralized logging, encrypt logging traffic and store logs offsite.For more information about Salt Typhoon:“Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor” (Tenable)“China’s Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers” (Wired)“New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers” (Tenable)“What Should the US Do About Salt Typhoon?” (Dark Reading)“What is Salt Typhoon? A security expert explains the Chinese hackers and their attack on US telecommunications networks”5 - CVE program renewed for one year, but questions about its future lingerA collective gasp was heard around the cybersecurity world on Tuesday, when news broke that the MITRE Common Vulnerabilities and Exposures (CVE) program might be in imminent danger of shutting down.Fortunately, this scenario didn’t materialize, after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) came to the rescue and extended the program’s funding for one year just as it was set to expire. Naturally, concerns remain about the MITRE CVE program and the critical services it provides, given the close call it experienced and the limited one-year extension it obtained.Speaking to The Wall Street Journal, Tenable Chief Security Officer and Head of Research Bob Huber said efforts to reform the CVE program will likely yield a public-private partnership of some sort. “Most of the companies that operate in this place are well-known amongst each other, as are the people responsible for those programs. I think there’s an opportunity here to improve that partnership and spread the responsibility,” Huber told the Journal.As of the end of 2024, the CVE program had published more than 250,000 CVEs. Launched in 1999, the CVE program provides a foundational, common taxonomy for tracking vulnerabilities and exposures.To get all the details and insights about this issue, check out these two Tenable blogs:“MITRE CVE Program Funding Extended For One Year”“Frequently Asked Questions About the MITRE CVE Program Expiration and Renewal”
Analysis Summary
# Industry News: CISA Rescues MITRE CVE Program, Highlighting Funding Instability Risk
## Summary
The critical MITRE Common Vulnerabilities and Exposures (CVE) program narrowly avoided shutdown after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provided a one-year funding extension. This event has spurred discussion among industry experts, including Tenable's CSO, about the urgent need to reform the CVE system, likely toward a more robust public-private partnership model to ensure the stability of this foundational vulnerability taxonomy.
## Key Details
- Date: News broke regarding the extension around April 18, 2025 (implied context date).
- Companies Involved: MITRE, U.S. Cybersecurity and Infrastructure Security Agency (CISA), Tenable (providing industry commentary).
- Category: Government/Regulatory Action & Industry Infrastructure Stability.
## The Story
The MITRE CVE Program, which serves as the essential common language for tracking over 250,000 disclosed vulnerabilities since 1999, faced imminent closure due to expiring funding. CISA intervened by granting a necessary one-year extension. This close call has exposed systemic fragility in the maintenance of fundamental cybersecurity infrastructure. Bob Huber, CSO and Head of Research at Tenable, suggested to The Wall Street Journal that the resolution will likely involve redefining the program as a public-private partnership, spreading operational responsibility across key industry stakeholders.
## Business Impact
### For the Companies Involved
- **CISA:** Proactively mitigated a national security risk by ensuring continuity for a crucial data source used across government and private sectors.
- **MITRE:** Gained immediate breathing room but faces intense pressure to finalize a sustainable long-term funding and operational model within the next 12 months.
### For Competitors
- Major vulnerability management and security firms (Tenable’s peers) benefit from the continued existence of the CVE standard, as it underpins much of their product intelligence and reporting capabilities. Instability in CVE would negatively impact the entire ecosystem.
### For Customers
- Customers relying on accurate vulnerability tracking (which is almost every enterprise) avoid immediate disruption. However, the underlying uncertainty means customers should brace for potential changes in how CVE data is managed, prioritized, or accessed in the future.
### For the Market
- The incident highlights a significant systemic risk: critical, foundational cybersecurity data infrastructure is dependent on volatile, short-term appropriations. This mandates a strategic shift toward models that ensure consistent funding for public goods in the security space.
## Technical Implications
The CVE program provides the common taxonomy required for asset inventory, risk prioritization, and automated patching across the industry. Its discontinuation or significant delay would immediately degrade the efficacy of vulnerability scanners, threat intelligence feeds, and governance reporting tools globally.
## Strategic Analysis
- Market Positioning: The focus now shifts to organizations best positioned to contribute meaningfully to a future public-private CVE structure. Tenable's timely commentary suggests market leaders are already positioning themselves for this shift.
- Competitive Advantage: Firms that can quickly adapt their vulnerability intelligence ingestion processes to evolving governance models (whether established by CISA or a new partnership) will maintain a competitive edge.
- Challenges: Shifting governance models for a decades-old, globally adopted standard is fraught with complexity, including consensus building, funding structure agreement, and maintaining data integrity during transition.
## Industry Reactions
- **Analyst opinions:** Analysts will likely view this as an opportunity for much-needed modernization of vulnerability identification standards, but also as a warning signal regarding core public safety infrastructure budgeting.
- **Expert commentary:** Bob Huber’s call for a public-private partnership reflects a growing industry sentiment that foundational infrastructure maintenance cannot remain solely reliant on specific grants or short-term government funding cycles.
- **Market response:** A general sense of relief, tempered by persistent anxiety over the one-year timeline for establishing a permanent solution.
## Future Outlook
- **Predictions and expectations:** We should expect increased lobbying and working sessions between CISA, MITRE, and major security vendors over the next few quarters to hammer out the framework for the proposed public-private partnership.
- **What to watch for:** Legislative action or formal agency announcements detailing the transition plan for CVE funding and management structure beyond April 2026.
## For Security Professionals
Security teams must remain aware that the source of truth for vulnerability tracking might undergo procedural changes. They should prioritize mapping their internal risk management processes to ensure they are resilient to potential transitional hiccups in the speed or format of CVE assignment and dissemination.