Faster Patching Required
India’s Computer Emergency Response Team, CERT-In, has issued a new directive requiring organizations to patch high-risk vulnerabilities in internet-connected systems within 12 hours of discovery or active exploitation. The mandate targets systems already under attack and other critical external assets. This aggressive timeline is a direct response to the growing use of artificial intelligence by threat actors, who can now automate reconnaissance, exploit development, and campaign execution in a matter of hours.
The directive is part of a broader blueprint aimed at reducing exposure to AI-assisted vulnerability exploitation. CERT-In warns that the compressed kill chain makes any unpatched public-facing system a prime target, particularly in sensitive sectors such as government, banking, telecom, and healthcare.
New Remediation Timelines
Under the new framework, organizations must contain and where possible remediate vulnerabilities in internet-exposed critical systems within 12 hours. Other critical externally facing flaws must be fixed within one day. Internal critical vulnerabilities on high-value systems can take up to three days, while general high-severity issues may be resolved within five days if proper risk-based prioritization is applied.
CERT-In emphasized that periodic audits and compliance checks are no longer sufficient in an era where AI tools continuously scan for fresh weaknesses. The agency urges organizations to adopt continuous exposure management, combining asset discovery, attack surface monitoring, and recurring assessments of web, cloud, and API endpoints. These activities should feed into a central vulnerability management process that leverages exploit prediction data and known exploited vulnerability lists.
Source: Cyber Security News
