CERT-In 12-hour KEV remediation guidance
Advisory/Mitigation
Summary
CERT-In set a 12-hour expectation for containing or remediating known exploited vulnerabilities on internet-facing and crown-jewel systems, sharply shortening response time for exposed Indian organizations. The guidance pairs that timeline with risk-based deadlines for other exposed and high-value flaws and points defenders toward the KEV catalog and EPSS for prioritization. When no patch is available, it calls for interim controls such as isolation, access restriction, or WAF protection until remediation lands.
Related Happenings
CERT-In issues 12-hour patch guidance for Indian organizations
Public Sector Action
First: 26.05.2026 13:30
Last: 26.05.2026 13:30
Sources 1
How related:
Organizations in India have been urged to patch actively exploited internet-facing vulnerabilities within 12 hours under new guidance that responds to the speed AI now brings to cyber-attacks.
About this happening:
**CERT-In** published new guidance on **May 25** urging Indian organizations to patch **actively exploited internet-facing vulnerabilities** within **12 hours**, tightening respon...
CERT-In issues rapid patching guidelines for internet-facing systems
Public Sector Action
First: 26.05.2026 12:13
Last: 26.05.2026 12:13
Sources 1
About this happening:
**CERT-In** issued **new guidelines** requiring organizations to patch **internet-exposed critical vulnerabilities** within **12 hours** where feasible, tightening defensive timel...
CISA KEV order for Copy Fail on federal Linux devices
Public Sector Action
First: 08.05.2026 10:45
Last: 08.05.2026 10:45
Sources 1
About this happening:
**CISA** added **Copy Fail** to the **Known Exploited Vulnerabilities (KEV) Catalog**, making the Linux flaw a federal remediation priority. The agency ordered **federal agencies*...
NIST CVE/NVD prioritization shift
Public Sector Action
First: 17.04.2026 00:47
Last: 17.04.2026 00:47
Sources 1
About this happening:
**NIST** is **changing** its **CVE/NVD prioritization** so that, starting **April 15, 2026**, it will provide full details only for a **subset of CVEs**. The shift matters because...
NIST/NVD risk-based CVE enrichment change
Public Sector Action
First: 16.04.2026 15:43
Last: 16.04.2026 15:43
Sources 1
About this happening:
**NIST** said the **US National Vulnerability Database (NVD)** will switch to a **risk-based CVE enrichment** model to cope with backlog growth. The change will **drop enrichment...
Timeline
- 26.05.2026 13:30 · 2 articles · 1d ago
CERT-In sets 12-hour remediation deadline for exposed KEVs
Mitigation Patch Update
CERT-In published guidance on May 25 for organizations in India that sets an indicative 12-hour expectation for containing or remediating known exploited vulnerabilities on internet-facing and crown-jewel systems, with staged timelines for other risk tiers and interim isolation, access restriction, or web application firewall protection when no patch exists. The guidance also points organizations toward the KEV catalog and EPSS for prioritization and reiterates the six-hour cyber-incident reporting requirement.
- India's CERT-In Sets 12-Hour Patch Deadline for Exposed Flaws — www.infosecurity-magazine.com — 26.05.2026 13:30