CERT-In: Patch Critical Vulnerabilities in Systems Within
CERT-In, India’s national computer emergency response agency, has instructed enterprises to patch high-risk vulnerabilities on internet-facing and critical systems within a strict 12-hour window following discovery or active exploitation.
The directive comes as AI-assisted attacks continue to reduce exploitation timelines, increasing pressure on organizations to respond faster.
According to CERT-In’s new “Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure,” threat actors are increasingly using generative AI, large language models, and autonomous agents to automate reconnaissance, vulnerability discovery, and exploit development across exposed services, APIs, and cloud assets.
AI tooling allows attackers to chain flaws, generate malicious code, and launch semi‑autonomous campaigns, cutting the time between disclosure and exploitation from days to mere hours.
CERT-In warns that this compressed kill chain makes any unpatched internet‑facing system a high‑value target, especially in sectors such as government, banking, telecom, healthcare, and digital public infrastructure.
CERT-In Asks 12-Hour Patching
To counter this acceleration, the blueprint lays out risk‑based remediation timelines, with the most aggressive expectation reserved for internet‑exposed systems that are already under active attack.
For known exploited flaws affecting internet-facing or critical assets, organizations are urged to contain the threat and, where possible, immediately remediate it within 12 hours.
The goal is to close the window before automated exploitation campaigns can rapidly scale attacks.
Other critical externally exposed vulnerabilities must be fixed within one day. In contrast, critical internal flaws on high‑value systems can take up to three days to resolve.
General high‑severity issues are allowed up to five days, provided risk‑based prioritization is in place.
CERT-In stresses that periodic assessments and compliance‑driven audits are no longer sufficient when AI can constantly scan the internet for fresh weaknesses.
Instead, it urges organizations to adopt continuous exposure management, combining asset discovery, attack‑surface monitoring, and recurring internet‑facing assessments for web, cloud, and API endpoints.
These activities should feed into a central vulnerability management process that uses known‑exploited‑vulnerability lists, exploit-prediction scores, and business-criticality to drive prioritized remediation.
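The remediation windows and prioritization inputs described above can be turned into a triage queue. The following is an added example, not code from CERT-In or from this article; the field names, tier labels, the choice to start the clock at discovery, the five-day bucket for critical findings outside the first three tiers, and the use of the exploit-prediction score as a tie-breaker are all assumptions, and the findings are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Remediation windows in hours, as reported in the article.
SLA_HOURS = {"exploited-exposed": 12, "critical-external": 24,
             "critical-internal-hva": 72, "high-general": 120}

@dataclass
class Finding:
    ident: str             # constructed placeholder, not a real CVE id
    severity: str          # "critical", "high", ...
    known_exploited: bool  # on a known-exploited-vulnerability list
    internet_facing: bool
    critical_asset: bool   # business-criticality flag (assumed field)
    exploit_score: float   # exploit-prediction score in [0, 1]
    discovered: datetime   # assumption: the clock starts at discovery

def tier(f: Finding) -> Optional[str]:
    """Map a finding to the most urgent tier it qualifies for."""
    if f.known_exploited and (f.internet_facing or f.critical_asset):
        return "exploited-exposed"
    if f.severity == "critical" and f.internet_facing:
        return "critical-external"
    if f.severity == "critical" and f.critical_asset:
        return "critical-internal-hva"
    if f.severity in ("critical", "high"):
        return "high-general"  # assumption: remaining criticals land here
    return None  # outside the timelines the article reports

def deadline(f: Finding) -> Optional[datetime]:
    t = tier(f)
    return None if t is None else f.discovered + timedelta(hours=SLA_HOURS[t])

def triage(findings, now):
    """(id, tier, deadline, overdue) rows; soonest first, score breaks ties."""
    rows = [(f, tier(f), deadline(f)) for f in findings if tier(f)]
    rows.sort(key=lambda r: (r[2], -r[0].exploit_score))
    return [(f.ident, t, d, now > d) for f, t, d in rows]

T0 = datetime(2025, 1, 6, 8, 0, tzinfo=timezone.utc)  # constructed sample data
SAMPLE = [
    Finding("VULN-A", "high", False, False, False, 0.02, T0),
    Finding("VULN-B", "critical", False, False, True, 0.10, T0),
    Finding("VULN-C", "critical", False, True, False, 0.40, T0),
    Finding("VULN-D", "high", True, True, False, 0.90, T0 + timedelta(hours=6)),
    Finding("VULN-E", "medium", False, True, False, 0.01, T0),
]
if __name__ == "__main__":
    print(*triage(SAMPLE, T0 + timedelta(hours=20)), sep="\n")
```

A finding that is only high severity still jumps to the 12-hour tier once it is both known-exploited and internet-facing, which is why VULN-D sorts ahead of the two critical findings.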
Beyond patching, the blueprint calls for AI‑aware governance and zero‑trust principles to contain the blast radius when attackers do break in.
Recommended measures include stronger leadership oversight of cyber and AI risks, as well as enforcement of multi-factor authentication and least-privilege access controls.
Organizations are also advised to implement micro-segmentation to limit lateral movement from compromised internet-facing systems.
CERT-In also urged organizations to modernize SOC operations using AI for telemetry correlation, behavioral analytics, and threat hunting.
The agency further recommended deepfake-aware training to help employees defend against AI-driven phishing and impersonation attacks.
The blueprint ties rapid patching to broader resilience obligations, emphasizing regular backup testing, incident simulations, and red‑team exercises to validate that controls actually work under AI‑enabled attack conditions.
Entities are reminded that they must report qualifying cyber incidents to CERT-In within six hours under existing directions, enabling coordinated response and sector‑wide intelligence sharing.
Overall, CERT-In describes the 12-hour patching mandate for exploited internet-facing systems as a baseline requirement in today’s AI-driven threat landscape.
It also urges Indian organizations to treat exposure reduction as a continuous security practice rather than a periodic compliance task.