Find notable cyber news and cases, enriched with sources, timelines, and signals.

CERT-In 12-hour KEV remediation guidance

Advisory/Mitigation
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

CERT-In set a 12-hour expectation for containing or remediating known exploited vulnerabilities on internet-facing and crown-jewel systems, sharply shortening response time for exposed Indian organizations. The guidance pairs that timeline with risk-based deadlines for other exposed and high-value flaws and points defenders toward the KEV catalog and EPSS for prioritization. When no patch is available, it calls for interim controls such as isolation, access restriction, or WAF protection until remediation lands.

Related Happenings

CISA BOD 26-04 three-day remediation directive

Public Sector Action
H score36 First: 24.06.2026 17:35 Last: 24.06.2026 17:35 Sources 1

About this happening: CISA's **BOD 26-04** requires **federal agencies** to apply available security updates or vendor-recommended mitigations within **three days**, accelerating remediation for **acti...

CISA KEV update and FCEB remediation deadline

Public Sector Action
H score33 First: 10.06.2026 17:44 Last: 10.06.2026 17:44 Sources 1

About this happening: **CISA** added **three actively exploited vulnerabilities** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate by **June 23, 2026**. Th...

CERT-In issues 12-hour patch guidance for Indian organizations

Public Sector Action
H score38 First: 26.05.2026 13:30 Last: 26.05.2026 13:30 Sources 1

How related: Organizations in India have been urged to patch actively exploited internet-facing vulnerabilities within 12 hours under new guidance that responds to the speed AI now brings to cyber-attacks.

About this happening: **CERT-In** published new guidance on **May 25** urging Indian organizations to patch **actively exploited internet-facing vulnerabilities** within **12 hours**, tightening respon...

CERT-In issues rapid patching guidelines for internet-facing systems

Public Sector Action
H score38 First: 26.05.2026 12:13 Last: 26.05.2026 12:13 Sources 1

About this happening: **CERT-In** issued **new guidelines** requiring organizations to patch **internet-exposed critical vulnerabilities** within **12 hours** where feasible, tightening defensive timel...

Microsoft Exchange CVE-2026-42897 mitigation advisory

Advisory/Mitigation
H score44 First: 15.05.2026 12:40 Last: 15.05.2026 12:40 Sources 1

About this happening: **Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...

Latest development: 15.05.2026 15:35

Microsoft issued temporary mitigation guidance for CVE-2026-42897 while a patch is still in development, recommending the Exchange Emergency Mitigation (EM) Service, which is enabled by default and can be checked with the Exchange Health Checker script, or the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Microsoft noted that the mitigations can disrupt features such as OWA Print Calendar and Inline images, and that servers older than March 2023 cannot receive new mitigations through EM Service.

Timeline

  1. 26.05.2026 13:30 2 articles · 1mo ago

    CERT-In sets 12-hour remediation deadline for exposed KEVs

    Mitigation Patch Update

    CERT-In published guidance on May 25 for organizations in India that sets an indicative 12-hour expectation for containing or remediating known exploited vulnerabilities on internet-facing and crown-jewel systems, with staged timelines for other risk tiers and interim isolation, access restriction, or web application firewall protection when no patch exists. The guidance also points organizations toward the KEV catalog and EPSS for prioritization and reiterates the six-hour cyber-incident reporting requirement.

    Show sources