India gives defenders 12 hours to act on exploited security flaws
- CERT-In is setting a 12-hour target for patching, mitigation, or isolation of internet-facing and critical systems.
- The measure is a regulatory response to faster vulnerability exploitation, including AI-assisted attacks.
- For critical infrastructure operators, it means tighter monitoring, faster decisions, and clearer procedures for disconnecting risky systems.
India’s CERT-In is putting a tighter clock on security teams: when a vulnerability is already being exploited, internet-facing or critical systems should be patched, mitigated, or cut off within 12 hours where feasible. According to The Register, this is not a soft best-practice note. It is an operational response to attacks that now move quickly from vulnerability disclosure to real-world compromise.
The key phrase is “patched, mitigated, or cut off.” That is broader than simply demanding faster patch installation. CERT-In is acknowledging the reality of production networks: a system may be old, tied to a vendor, essential to operations, or too risky to update immediately. But if it cannot be patched, exposure must be reduced. If exposure cannot be reduced safely enough, the system has to be isolated.
That is a sharper posture than the traditional patch model, where maintenance windows often run on weekly or monthly cycles. For actively exploited flaws, that rhythm no longer matches the threat. Attackers do not need large manual teams for every target. Automation and AI-assisted workflows can help triage exposed systems, adapt exploit attempts, and scale campaigns before an organization has even finished its internal prioritization meeting.
CERT-In wants internet-facing and critical systems patched, mitigated, or disconnected within half a day where feasible.
For India, the measure matters because it touches a broad layer of digital infrastructure, from public-facing services to enterprise systems that sit continuously on the internet. CERT-In already acts as a national incident coordination body, and this message shifts expectations from “report and remediate” toward “decide immediately what is allowed to remain online.” In practice, a 12-hour target requires a current asset inventory, clear ownership of applications, and pre-approved authority to restrict or disconnect risky services.
The hardest part will not always be the patch itself. It will be exception handling. If an organization says patching is not feasible, it needs to know the compensating control: access blocking, edge filtering, temporary service shutdown, or another mitigation that a security team can justify. Otherwise, “not feasible” becomes an empty phrase rather than a defensible operational decision.
This is not a story about AI magically transforming cybersecurity. It is a story about time. When tools accelerate the attacker’s side, defenders can no longer treat a known exploited vulnerability as routine administration. For operators of critical systems in India, CERT-In’s message leaves less room for procedural drift and more need for rehearsed incident playbooks, backed by sources such as CERT-In advisories and technical vulnerability references like CVE.

