CERT‑In Mandates 12‑Hour Patch Window for Internet‑Facing Vulnerabilities Amid AI‑Powered Exploits
What Happened — India’s national computer‑security agency (CERT‑In) released new guidance that obliges organisations to apply patches for critical, internet‑exposed flaws within 12 hours of disclosure, where “feasible”. The directive cites the rising use of artificial‑intelligence tools and large‑language‑models by threat actors to automate vulnerability discovery and exploitation.
Why It Matters for TPRM
- Accelerated patch timelines increase operational pressure on third‑party vendors, especially MSPs and cloud providers, potentially exposing supply‑chain gaps.
- AI‑assisted exploitation can target unpatched services at scale, raising the likelihood of data breach or service disruption across multiple industries.
- Failure to meet the 12‑hour window may constitute non‑compliance with contractual security clauses in many jurisdictions.
Who Is Affected – All sectors with internet‑facing assets, notably technology/SaaS, cloud infrastructure, financial services, healthcare, and government entities that rely on third‑party vendors for patch management.
Recommended Actions
- Verify that your vendors have documented processes to meet a 12‑hour patch cadence for critical CVEs.
- Incorporate the 12‑hour requirement into vendor risk questionnaires and SLAs.
- Conduct a rapid‑response tabletop exercise focused on AI‑driven exploit scenarios.
Technical Notes – The guidance does not reference a specific CVE but highlights the threat of AI‑generated exploit code that can automatically weaponise newly disclosed vulnerabilities. Attack vectors include phishing‑less, automated scanning of internet‑exposed services. Source: The Hacker News