CERT-In Tightens AI-Era Cyber Patch Rules Arabian Post

(MENAFN- The Arabian Post) clearfix">Cybersecurity teams across India face a compressed response window after CERT-In urged organisations to fix actively exploited internet-facing vulnerabilities within 12 hours wherever feasible, marking a sharper regulatory push as artificial intelligence accelerates cyber-attack cycles.

The guidance, issued on May 25 in a 38-page blueprint, reflects growing official concern that attackers are using generative AI, large language models and autonomous tools to discover exposed systems, weaponise flaws, craft phishing lures and scale malware operations faster than conventional security programmes can respond. The document places rapid remediation, continuous monitoring and exposure reduction at the centre of enterprise cyber defence.

CERT-In's most stringent timeline applies to known exploited vulnerabilities affecting internet-facing and critical systems, including applications, identity platforms, cloud assets, APIs, operational technology and systems supporting essential business functions. Organisations are advised to patch, mitigate or isolate such weaknesses within 12 hours where feasible. Critical externally exposed vulnerabilities should be addressed within one day, while known exploited flaws inside internal systems should be fixed within one day unless compensating controls are implemented and documented.

The blueprint also recommends that critical internal vulnerabilities affecting high-value systems be remediated within three days, and high-severity vulnerabilities within five days based on risk prioritisation. Where patches are unavailable, organisations are expected to use temporary protections such as isolation, access restrictions, web application firewalls, API shields, feature disabling and enhanced monitoring until permanent fixes are deployed.

The directive signals a shift from audit-driven cybersecurity to continuous exposure management. CERT-In has warned that organisations can no longer depend on periodic assessments or reactive incident response when automated tools can identify weak credentials, misconfigured systems, insecure APIs and vulnerable internet-facing services at machine speed. The approach requires security teams to maintain live inventories of assets, prioritise exposed systems and test whether controls work under attack conditions.

See also Rupee weakens as oil pressure returns

AI is changing both sides of the cyber equation. Attackers can use it to automate reconnaissance, write exploit code, refine phishing messages, generate synthetic identities and adapt malicious software. Defenders are being pushed to use similar capabilities for anomaly detection, threat hunting, automated triage and faster containment. The risk, however, is that poorly governed AI systems can themselves become attack surfaces through prompt injection, data leakage, model manipulation, poisoned training data, model theft and compromised orchestration pipelines.

The guidance gives particular weight to organisations operating in banking, financial services, telecom, healthcare, government, energy, transport, cloud services and other critical infrastructure-linked sectors. These environments often rely on interconnected digital systems, third-party software, outsourced technology providers and legacy platforms, creating wider exposure when a single flaw is weaponised quickly.

Global breach data has reinforced the urgency behind faster patching. Software vulnerability exploitation has overtaken stolen credentials as a leading breach entry point in major datasets, while ransomware remains a high-impact threat. Security teams also face growing pressure from supply-chain compromise, shadow AI usage, cloud misconfiguration and business email compromise. Unauthorised use of public AI tools has become a data governance issue as employees may upload source code, business documents, credentials or customer information into platforms outside corporate oversight.

CERT-In's blueprint calls for a zero-trust approach, least-privilege access, layered controls and secure-by-design practices across applications, infrastructure and AI workflows. It urges organisations to maintain visibility into AI deployments, restrict sensitive data uploads to public AI platforms, log AI activity, conduct adversarial testing and keep human approval for critical autonomous actions.

See also Bond forwards move towards screen trading

Software supply-chain visibility is another major focus. Organisations are encouraged to use software bills of materials and related inventories for AI models, cryptographic assets and hardware components to understand dependencies, validate provenance and coordinate remediation when vulnerabilities emerge in third-party products.

The new expectations build on India's existing cyber incident reporting framework, under which specified cyber incidents must be reported to CERT-In within six hours. The latest blueprint does not merely extend compliance obligations; it raises operational expectations for boards, chief information security officers and technology vendors by linking resilience to the speed of response.

Smaller organisations may struggle with the 12-hour benchmark because patch testing, downtime concerns, legacy dependencies and staffing shortages often slow remediation. The guidance therefore recognises feasible mitigation as part of the response, but it also makes clear that unmanaged exposure is no longer acceptable when attackers can exploit public-facing weaknesses within hours.

MENAFN27052026000152002308ID1111176715