HomeIntelligenceBrief
BREACH BRIEF🟠 High Advisory

CERT‑In Mandates 12‑Hour Patch Window for Internet‑Facing Vulnerabilities Amid AI‑Powered Exploits

India’s CERT‑In now requires organisations to patch critical internet‑exposed vulnerabilities within 12 hours, citing the rise of AI‑assisted attacks that can mass‑exploit unpatched services. The guidance has immediate implications for third‑party risk management, demanding faster remediation cycles from vendors.

LiveThreat™ Intelligence · 📅 May 26, 2026· 📰 thehackernews.com
🟠
Severity
High
AD
Type
Advisory
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

CERT‑In Mandates 12‑Hour Patch Window for Internet‑Facing Vulnerabilities Amid AI‑Powered Exploits

What Happened — India’s national computer‑security agency (CERT‑In) released new guidance that obliges organisations to apply patches for critical, internet‑exposed flaws within 12 hours of disclosure, where “feasible”. The directive cites the rising use of artificial‑intelligence tools and large‑language‑models by threat actors to automate vulnerability discovery and exploitation.

Why It Matters for TPRM

  • Accelerated patch timelines increase operational pressure on third‑party vendors, especially MSPs and cloud providers, potentially exposing supply‑chain gaps.
  • AI‑assisted exploitation can target unpatched services at scale, raising the likelihood of data breach or service disruption across multiple industries.
  • Failure to meet the 12‑hour window may constitute non‑compliance with contractual security clauses in many jurisdictions.

Who Is Affected – All sectors with internet‑facing assets, notably technology/SaaS, cloud infrastructure, financial services, healthcare, and government entities that rely on third‑party vendors for patch management.

Recommended Actions

  • Verify that your vendors have documented processes to meet a 12‑hour patch cadence for critical CVEs.
  • Incorporate the 12‑hour requirement into vendor risk questionnaires and SLAs.
  • Conduct a rapid‑response tabletop exercise focused on AI‑driven exploit scenarios.

Technical Notes – The guidance does not reference a specific CVE but highlights the threat of AI‑generated exploit code that can automatically weaponise newly disclosed vulnerabilities. Attack vectors include phishing‑less, automated scanning of internet‑exposed services. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/cert-in-mandates-12-hour-patching-for.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →