CERT-In orders 12-hour patching for internet-facing flaws

India’s CERT-In requires organizations to patch known critical internet-facing vulnerabilities within 12 hours where feasible, citing AI tools that speed automated discovery and exploitation.

India’s Computer Emergency Response Team (CERT-In) published a 38-page blueprint on Monday that directs organizations to remediate known critical vulnerabilities on internet-facing systems within 12 hours where feasible. The agency cited the use of artificial intelligence and large language models by threat actors to accelerate vulnerability discovery and exploitation.

CERT-In said adversaries are using AI to automate attack surface mapping, exploit analysis, phishing content creation and malware generation, which shortens the time between flaw discovery and active exploitation. The agency added that AI-driven workflows can bypass some traditional security controls and scale attacks quickly.

The guidance requires continuous, risk-based vulnerability and patch management and prioritizes fixes for known exploited vulnerabilities affecting internet-facing and critical systems within 12 hours where applicable. It sets other remediation targets: one day for critical externally exposed vulnerabilities and for known exploited internal flaws when compensating mitigations are not documented; three days for critical internal vulnerabilities affecting high-value systems; and up to five days for high-severity issues based on risk prioritization.

When patches are not available, the blueprint recommends temporary mitigations such as isolating affected systems, restricting access, deploying web application firewalls or API protections, increasing monitoring, or disabling vulnerable features until a fix is released. The document also stresses maintaining operational continuity and protecting sensitive data during incidents.

Technical controls and operational practices in the blueprint include an “assume breach” posture with rapid detection, containment and recovery; enforcing Zero Trust with continuous verification and least-privilege access; and using defense-in-depth to avoid single points of failure. The agency advises embedding secure-by-design principles into systems, applications and AI workflows and reducing supply-chain risk through software bills of materials, provenance checks and third-party assessments. Regular red teaming, penetration testing and independent audits are recommended to validate controls.

CERT-In highlighted specific risks to AI systems, including prompt injection, data leakage, model manipulation, training-data poisoning, model theft and compromises of orchestration pipelines. The blueprint calls for formal governance of AI use and better visibility into models, integrations and operational behavior. “Organizations should implement layered, risk-based, and continuously validated technical controls to reduce exposure to AI-assisted cyber threats,” the document states.

The blueprint follows an advisory issued last month that warned advanced AI models from firms including Anthropic and OpenAI could lower the barrier to entry for malicious actors and speed automation of exploitation workflows. CERT-In framed the new timelines and procedures as part of a shift to faster, risk-driven security operations to address a shrinking window between vulnerability disclosure and exploitation.
