CERT-In Mandates 12-Hour Patch Window for Critical Bugs

New Patching Directive from India's Cybersecurity Agency

According to recent reports, the Indian Computer Emergency Response Team (CERT-In) has released updated guidelines that demand organizations fix critical security vulnerabilities in internet-exposed systems within a 12-hour window, whenever feasible. This accelerated timeline aims to counter the growing threat of cyberattacks enhanced by artificial intelligence.

Rationale Behind the 12-Hour Rule

The directive highlights how threat actors are increasingly leveraging AI tools and large language models (LLMs) to automate vulnerability exploitation. By reducing the patching window, CERT-In seeks to minimize the attack surface before adversaries can weaponize these flaws at scale.

Implications for Organizations

Entities operating internet-facing services must now prioritize rapid patch deployment. The guideline applies to critical vulnerabilities that could lead to remote code execution, data breaches, or system compromise. While the 12-hour target is described as "feasible" rather than mandatory, organizations are expected to align their incident response processes accordingly.

AI-Assisted Attacks on the Rise

The advisory underscores a broader trend: cybercriminals are adopting AI to accelerate reconnaissance, exploit development, and attack automation. LLMs can generate malicious code or craft convincing phishing lures, making traditional patching cycles obsolete. CERT-In's move reflects an urgent need to adapt defensive postures to this evolving threat landscape.

What This Means for Security Teams

Security operations centers must streamline vulnerability management workflows, automate patch testing, and maintain close coordination with IT teams. The 12-hour benchmark may require pre-approved change windows, robust rollback plans, and continuous monitoring to ensure patches don't introduce new issues.

As AI-driven attacks become more sophisticated, timely patching remains one of the most effective defenses. CERT-In's guideline serves as a wake-up call for organizations to reevaluate their vulnerability response timelines.