India CERT-In sets 12-hour patching target for exposed flaws

India’s Computer Emergency Response Team (CERT-In) is pushing organizations to dramatically accelerate patch cycles, issuing new guidance that calls for critical vulnerabilities in internet-facing systems to be fixed within 12 hours of being flagged, “where feasible,” in light of rapidly evolving, AI-assisted exploitation.

The advisory raises the bar for vulnerability management across Indian enterprises and service providers, effectively asking security teams to treat critical flaws on exposed assets as near-emergency events rather than items for the next scheduled maintenance window. While the 12-hour target is tempered by a feasibility caveat, it sits alongside CERT-In’s existing requirement to report certain cyber incidents within six hours of detection, reinforcing the government’s expectation of faster detection, disclosure and remediation.

In the guidance, CERT-In warns that threat actors are increasingly abusing artificial intelligence tools and large language models to automate reconnaissance, accelerate bug discovery and generate exploit code, shrinking the window between disclosure of a flaw and mass scanning at internet scale. Public proof-of-concept exploits and weaponized code for widely used technologies now routinely appear within days or even hours of a vulnerability becoming public, on platforms tracked by sources such as the NVD and security researchers. Recent campaigns exploiting issues like CVE-2021-44228 in Log4j and other high-impact bugs in VPNs, web gateways and collaboration software show the pattern.

For defenders, a 12-hour expectation on critical internet-facing vulnerabilities raises practical challenges. Many organizations still lack a complete, continuously updated inventory of exposed assets, rely on manual change-control processes, or depend on vendors and managed service providers to roll out fixes. Complex environments, legacy systems that cannot be easily patched, and business uptime requirements can all make rapid patching difficult, even when security teams agree on the urgency.

Security practitioners say meeting CERT-In’s target will require tighter integration between asset discovery, vulnerability scanning and change management, along with greater use of automation to roll out patches or configuration changes at scale. Where direct patching within 12 hours is genuinely not possible, the guidance underscores the need for compensating controls such as web application firewalls, intrusion prevention systems, access restrictions, rapid monitoring for exploitation attempts and, in some cases, temporary exposure reduction by taking services offline.

The agency’s focus on AI-enabled threats also cuts both ways for defenders. While attackers are using generative AI to scale up phishing, malware customization and exploit development, organizations can apply similar technologies to prioritize vulnerabilities based on exploitability, predict which newly disclosed flaws are most likely to be targeted, and streamline patch testing and deployment. CERT-In’s new stance signals that, in an era where machine-speed exploitation is becoming the norm, traditional patch cycles measured in weeks or months are increasingly out of step with the threat landscape.
