CERT‑IN Mandates 12‑Hour Patch Window for Critical Vulnerabilities
Patch critical internet‑exposed systems within 12 hours of detection to comply with CERT‑IN guidelines.
Configure patch management to enforce 12‑hour remediation for critical internet‑exposed vulnerabilities.
Summary
The Indian Computer Emergency Response Team (CERT‑IN) has issued new guidelines requiring organizations to patch critical security vulnerabilities in internet‑exposed systems within 12 hours of being flagged, where feasible. The guidelines aim to safeguard against threat actors abusing artificial intelligence (AI) tools and large language models (LLMs) to automate vulnerability exploitation. The 12‑hour remediation window applies to all critical vulnerabilities in internet‑exposed systems, and compliance is mandatory for all organizations operating in India. Failure to meet the 12‑hour deadline may trigger enforcement actions. The guidelines emphasize the need for rapid patch management and continuous monitoring, and organizations must update their patch management processes to meet the new requirement. Immediate action is required to align with CERT‑IN’s policy.
Key changes
- CERT‑IN requires 12‑hour remediation for critical vulnerabilities
- Guidelines target internet‑exposed systems
- Focus on AI/LLM‑driven vulnerability exploitation
- Compliance applies to all organizations in India
- Failure may trigger enforcement actions
- Patch management processes must be updated to meet the 12‑hour window