
India’s CERT-In Mandates 12-Hour Patch Fix for Critical Flaws

Summary

– India’s CERT-In urges organizations to patch actively exploited internet-facing vulnerabilities within 12 hours due to AI accelerating cyber-attacks.
– The guidance sets a risk-based schedule: one day for critical external flaws, three days for critical internal flaws, and five days for high-severity issues.
– CERT-In recommends prioritizing vulnerabilities using the KEV catalog and EPSS, rather than relying solely on severity scores, but the timelines are indicative, not binding.
– The blueprint covers securing AI deployments against threats like prompt injection, model theft, and data poisoning, as well as zero-trust architecture.
– Organizations must report cyber incidents to CERT-In within six hours of detection, and are advised to implement recommendations in three phases over time.

Organizations in India now face a 12-hour remediation window for actively exploited vulnerabilities on internet-facing systems, according to updated guidance from the Indian Computer Emergency Response Team (CERT-In). The directive, issued on May 25, responds directly to the accelerating threat posed by AI-driven cyberattacks, which compress the time between vulnerability discovery and exploitation.

Attackers increasingly leverage generative AI, large language models (LLMs), and autonomous agents to speed up reconnaissance, phishing, malware development, and vulnerability discovery. This leaves defenders with a shrinking operational window, prompting CERT-In to establish a risk-based patching schedule that prioritizes speed over severity alone.

The agency sets an indicative 12-hour expectation for containing or remediating known exploited vulnerabilities (KEVs) on “internet-facing and crown-jewel systems.” For other categories, the timeline expands: one day for critical externally exposed flaws, three days for critical internal vulnerabilities on high-value systems, and five days for high-severity issues. Where patches are unavailable, CERT-In advises interim measures like isolation, access restriction, or web application firewall protection.

To guide prioritization, CERT-In directs organizations toward the KEV catalog and the Exploit Prediction Scoring System (EPSS) rather than relying solely on CVSS severity scores. Importantly, the timelines are described as indicative expectations rather than binding mandates, to be applied according to operational criticality and threat exposure.
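The schedule and the KEV/EPSS prioritization described above can be expressed as a small triage routine. This is an added example, not code from CERT-In or the original article; the `Finding` fields, the single `crown_jewel` flag standing in for both "crown-jewel" and "high-value" systems, the use of EPSS purely as a tie-breaker, and all sample records are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Finding:               # hypothetical record; field names are assumptions
    ident: str
    severity: str            # "critical", "high", "medium" or "low"
    in_kev: bool             # listed in the KEV catalog
    epss: float              # EPSS probability, 0.0 to 1.0
    internet_facing: bool
    crown_jewel: bool        # assumption: also stands for "high-value system"
    detected: datetime

def indicative_window(f: Finding) -> Optional[timedelta]:
    """Map a finding to the indicative timeline reported in the article."""
    if f.in_kev and (f.internet_facing or f.crown_jewel):
        return timedelta(hours=12)
    if f.severity == "critical" and f.internet_facing:
        return timedelta(days=1)
    if f.severity == "critical" and f.crown_jewel:
        return timedelta(days=3)
    if f.severity == "high":
        return timedelta(days=5)
    return None              # no timeline reported; left to local policy

def triage(findings, now):
    """Return (finding, due, overdue) rows, earliest deadline first."""
    rows = []
    for f in findings:
        window = indicative_window(f)
        due = f.detected + window if window else None
        rows.append((f, due, due is not None and now > due))
    # Assumption: EPSS only breaks ties; the article gives no EPSS threshold.
    rows.sort(key=lambda r: (r[1] is None, r[1] or now, -r[0].epss))
    return rows

# Constructed sample data, not real vulnerabilities.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    Finding("EXAMPLE-A", "critical", False, 0.02, True, False, T0),
    Finding("EXAMPLE-B", "high", True, 0.91, True, False, T0),
    Finding("EXAMPLE-C", "critical", False, 0.40, False, True, T0),
    Finding("EXAMPLE-D", "high", False, 0.10, False, False, T0),
    Finding("EXAMPLE-E", "medium", False, 0.01, False, False, T0),
]

if __name__ == "__main__":
    for f, due, overdue in triage(SAMPLE, T0 + timedelta(hours=18)):
        print(f.ident, due.isoformat() if due else "no timeline", "OVERDUE" if overdue else "")
```

In the sample, the high-severity finding that is in the KEV catalog sorts ahead of the critical finding that is not, which is the practical effect of prioritizing on exploitation evidence rather than severity alone.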

The broader blueprint extends beyond patching to include governance, zero-trust architecture, AI-aware security operations, and supply-chain assurance through software and AI bills of materials (BOMs). It pays special attention to securing organizations’ own AI deployments, addressing risks like prompt injection, model theft, training-data poisoning, and governance of autonomous agents that operate with limited human oversight.

CERT-In also reaffirms the existing rule requiring entities to report cyber incidents within six hours of detection, a mandate in effect since 2022. The guidance recommends a three-phase rollout: a 0-7-day push on governance, exposure reduction, and multi-factor authentication (MFA); followed by operational strengthening; and finally, red teaming and adversarial AI testing.

(Source: Infosecurity Magazine)
