CERT-In Urges 12-Hour Patching for Exploited Bugs, Citing AI-Accelerated Attacks
India's CERT-In recommends patching exploited n-day vulnerabilities within 12 hours for internet-facing systems, warning that AI tools such as agentic AI and frontier models are compressing the attack timeline.

India's Computer Emergency Response Team (CERT-In) has issued new guidance urging defenders to patch or mitigate exploited n-day vulnerabilities affecting internet-facing or crown-jewel systems within 12 hours, citing the accelerating effect of AI-assisted cyberattacks. The recommendation, part of a broader report on AI-enabled threats, reflects a growing recognition that traditional patching timelines are no longer sufficient when attackers can weaponize and exploit flaws in hours.
CERT-In's report warns that AI-assisted cyber exploitation dramatically reduces the time adversaries need for reconnaissance, weaponization, and exploitation. The agency specifically highlights the rise of agentic AI—autonomous systems that can make significant system changes—and frontier models such as Anthropic's Mythos and OpenAI's GPT-5.5, which it describes as "certified cyber workhorses" capable of uncovering and exploiting critical vulnerabilities at unprecedented speed. These tools, combined with consumer-grade platforms like OpenClaw, are lowering the barrier for non-technical attackers.
Under the new guidelines, defenders must patch, mitigate, or remove exposure within 12 hours for exploited bugs on internet-facing or crown-jewel systems. For other critical flaws (CVSS 9.0+) or exploited bugs on internal systems, a 24-hour window is advised. The guidance explicitly allows temporary mitigations—such as isolation, access restriction, or disablement—as an alternative to full patching within the tight window.
Security practitioners interviewed by The Register questioned the feasibility of the 12-hour timeline, given the complexity of testing and deploying patches without breaking production systems. Dray Agha, senior manager of security operations at Huntress, noted that the caveat allowing temporary mitigations makes the guidance more realistic. "By explicitly encouraging temporary mitigations, such as isolation, access restriction, or disablement until a patch is ready, this turns the patching deadline into a highly feasible and necessary containment strategy," Agha said.
Agha added that AI-assisted attacks are already compressing exploitation timelines in the wild, with vulnerabilities sometimes exploited within hours of disclosure. He pointed to the recent PraisonAI authentication bypass (CVE-2026-44338), which was exploited less than four hours after the public advisory, as a case in point. "Defenders must fundamentally reshape their operations to focus on quicker mitigations," he said.
The CERT-In guidance arrives amid a broader trend of AI reshaping both offensive and defensive cybersecurity. CISA's Known Exploited Vulnerabilities catalog typically sets patching deadlines of two to three weeks for federal agencies, though the most serious flaws may get shorter windows. The new Indian recommendations are among the most aggressive globally, reflecting the heightened threat environment.
CERT-In's report also emphasizes the cascading risk from interconnected supply chains, where a single vulnerability can propagate across cloud ecosystems, software supply chains, and operational technologies. The agency calls for a shift from compliance-driven security to a continuous defensive posture, integrating enterprise functions beyond IT into the response process.
While the 12-hour window may seem daunting, the underlying message is clear: the era of leisurely patching cycles is over. As AI tools continue to evolve, defenders must adopt faster, more flexible mitigation strategies—or risk being outpaced by adversaries who can exploit vulnerabilities before a patch is even tested.