The 38-page framework also recommends one-day remediation for critical externally exposed vulnerabilities, three days for critical internal vulnerabilities affecting high-value systems, and five days for high-severity flaws based on risk prioritization.
CERT-In said threat actors are increasingly using AI to accelerate reconnaissance, vulnerability discovery, phishing, malware generation, and automated exploitation workflows.
“Exploitation timelines are reducing significantly,” the agency warned in the advisory, adding that attacks are expected to become “increasingly autonomous.”
An operationally disruptive target
Security analysts said the headline 12-hour expectation is likely to force enterprises to rethink traditional weekly or monthly patching cycles, but cautioned that the guidance is more nuanced than a blanket patch mandate.
