RC RANDOM CHAOS

CERT-IN's 12-hour patch window is not arbitrary

CERT-IN's 12-hour patch window for internet-facing flaws responds to AI-compressed exploitation timelines - what the threshold means operationally.


CERT-IN issued an advisory recommending Indian organisations patch internet-facing vulnerabilities within 12 hours of vendor disclosure. The driver named in the advisory is AI-assisted exploitation. The window is not arbitrary. It reflects the observed compression between CVE publication and weaponised proof-of-concept availability - a compression that LLM-aided reverse engineering has accelerated past what enterprise change management was designed to absorb.

The exploitation timeline has three measurable stages. Disclosure to public PoC. Public PoC to weaponised exploit. Weaponised exploit to mass scanning. Through 2022 the median time from disclosure to functional PoC for high-severity internet-facing CVEs sat in the multi-day range. Citrix Bleed, CVE-2023-4966, CVSS 7.5 - public exploitation began roughly two months after Citrix’s NetScaler advisory but mass exploitation accelerated within days of the first working PoC drop. Ivanti Connect Secure, CVE-2023-46805 chained with CVE-2024-21887, CVSS 8.2 and 9.1 - exploitation in the wild preceded patch availability and PoCs followed within 48 hours of vendor acknowledgement. PAN-OS GlobalProtect, CVE-2024-3400, CVSS 10.0, command injection in the telemetry feature - weaponised exploitation observed within hours of the advisory’s expansion to confirm unauthenticated RCE.

The pattern is consistent. The patch diff is the disclosure. Once a vendor ships a binary or configuration change, attackers diff the patched and unpatched versions, locate the modified code path, and reconstruct the vulnerability. This work used to require a vulnerability researcher with reverse engineering skill and time. The skill bar has moved. Diffing tools paired with LLMs that can read disassembled C, Go, or PHP and produce hypothesis-driven analysis of which condition the patch is closing have shortened the reconstruction window from days to hours. The attacker does not need to fully understand the bug class. The attacker needs to reach the vulnerable condition reliably.

The bug classes driving 12-hour exploitation are not novel. Command injection in management interfaces. Path traversal in file handlers. Authentication bypass through header confusion or session token forgery. Server-side template injection in configuration consoles. Deserialization of untrusted input in Java- or .NET-backed admin panels. SSRF chained to metadata service abuse on cloud-deployed appliances. Each of these is a known primitive with public exploitation methodology. What AI-assisted analysis changes is not the primitive - it is the localisation cost. Reading a patch and identifying the precise endpoint, parameter, and condition required to reach the vulnerable code is the slow step. That step is now cheap.

MITRE T1190, exploit public-facing application, is the technique that operationalises this. The attacker enumerates exposed assets through Shodan, Censys, or BinaryEdge, fingerprints version banners, and feeds vulnerable-version inventories into mass scanning infrastructure. Once a working exploit exists, the cost of attempting it against the entire IPv4 space is hours of compute. The economics favour the attacker by design. The defender patches one fleet. The attacker scans every fleet.

The 12-hour recommendation accepts a defensive reality. For internet-facing infrastructure - VPN concentrators, load balancers, application delivery controllers, mail security gateways, identity providers, file transfer appliances - the assumption that a 30-day patch SLA provides coverage is wrong. MOVEit Transfer, CVE-2023-34362, CVSS 9.8, SQL injection leading to RCE - the Cl0p ransomware affiliate exploited this against hundreds of organisations within days. Many victims were inside their standard patch window. The standard patch window was the exposure window.

The operational difficulty with 12-hour patching is not technical. It is process. Enterprise change management for edge infrastructure typically requires change advisory board approval, maintenance window scheduling, rollback planning, and post-deployment validation. A perimeter firewall reboot during business hours triggers incident response in most operations centres. The 12-hour target requires pre-authorised emergency patching procedures for a defined class of asset: internet-facing and externally reachable, CVSS 9.0 or higher, with vendor-confirmed or imminent exploitation. Anything matching that profile bypasses standard change control. That decision has to be made before the CVE drops, not after.
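The pre-authorisation described above only works if the decision is encoded somewhere before the advisory lands: a version-accurate inventory of internet-facing assets, the emergency profile, and the deadline each track implies. The following is an added example, not code from the article or from CERT-IN, showing one way to turn an advisory plus an inventory into a patch plan. The `Asset` and `Advisory` fields, the dotted-numeric version scheme, the 30-day standard SLA and the sample hosts are all assumptions constructed for the example; the 12-hour window and the CVSS 9.0 threshold are the figures from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

EMERGENCY_WINDOW = timedelta(hours=12)   # CERT-IN figure cited in the article
STANDARD_WINDOW = timedelta(days=30)     # assumed standard patch SLA
EMERGENCY_CVSS = 9.0                     # threshold from the article's emergency profile


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool        # assumed to come from external attack-surface data


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_version: str           # first non-vulnerable version (assumed advisory field)
    cvss: float
    exploitation: str            # "confirmed", "imminent" or "none"
    published: datetime


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; real appliances may need vendor-specific parsing."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """Same product and a version below the first fixed release."""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_version))


def is_emergency(asset: Asset, adv: Advisory) -> bool:
    """The pre-authorised profile: reachable from the internet, CVSS >= 9.0,
    exploitation confirmed or imminent. Anything else stays on standard change control."""
    return (asset.internet_facing
            and adv.cvss >= EMERGENCY_CVSS
            and adv.exploitation in ("confirmed", "imminent"))


def triage(inventory: List[Asset], adv: Advisory) -> List[Dict]:
    """Return affected hosts with their track and deadline, earliest deadline first."""
    plan = []
    for asset in inventory:
        if not is_vulnerable(asset, adv):
            continue
        emergency = is_emergency(asset, adv)
        plan.append({
            "hostname": asset.hostname,
            "track": "emergency" if emergency else "standard",
            "deadline": adv.published + (EMERGENCY_WINDOW if emergency else STANDARD_WINDOW),
        })
    return sorted(plan, key=lambda p: p["deadline"])


# Constructed inventory and advisory for the example; product names, versions
# and the CVE placeholder are not real.
INVENTORY = [
    Asset("vpn-edge-01", "ExampleVPN", "22.4.1", internet_facing=True),
    Asset("vpn-lab-01", "ExampleVPN", "22.4.1", internet_facing=False),
    Asset("vpn-edge-02", "ExampleVPN", "22.5.0", internet_facing=True),   # already fixed
    Asset("lb-edge-01", "ExampleADC", "13.1.0", internet_facing=True),    # different product
]
ADVISORY = Advisory(
    cve="CVE-YYYY-NNNNN",          # placeholder identifier
    product="ExampleVPN",
    fixed_version="22.5.0",
    cvss=9.8,
    exploitation="confirmed",
    published=datetime(2024, 1, 15, 0, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for entry in triage(INVENTORY, ADVISORY):
        print(entry["hostname"], entry["track"], entry["deadline"].isoformat())
```

The point of the split is that the emergency track is decided by the asset's exposure and the advisory's fields alone, with no human in the loop at the moment the advisory publishes; the lab host with the same vulnerable build lands on the standard track because it is not reachable from outside.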

What compensating controls actually buy, in time, is narrower than commonly claimed. A WAF rule blocking the specific exploitation pattern is useful where the pattern is stable. Command injection through a known parameter with a known character set can be filtered. A path traversal with a fixed prefix can be matched. The controls fail where the exploit can be re-encoded, fragmented across requests, or moved to an alternative endpoint exposed by the same vulnerable code path. CVE-2024-3400 was reachable through multiple URI patterns. The first WAF signatures issued by vendors covered the initial PoC and missed variants. Geo-blocking provides reduction, not prevention. Most mass scanning originates from compromised infrastructure inside the geographies organisations are most reluctant to block.

Telemetry on edge appliances is the second structural gap. EDR coverage on Windows endpoints is broad. EDR coverage on a network appliance running a hardened Linux variant with a vendor-locked package manager is typically zero. The visibility surface is the appliance’s own logs, syslog forwarding to a SIEM, and netflow or packet capture from infrastructure positioned to see the appliance’s traffic. What this means in practice: a web shell dropped on a Citrix NetScaler after CVE-2023-4966 exploitation does not generate Sysmon Event ID 1 because Sysmon is not running. It does not generate an EDR process creation alert because no EDR agent exists. It generates entries in the appliance’s HTTP access log, if logging is configured to capture POST bodies, which by default it is not. The detection burden shifts to network telemetry - anomalous outbound connections from the appliance management interface, unexpected JA3 or JA4 fingerprints on outbound TLS, DNS queries from the appliance’s resolver to domains not in the vendor’s update infrastructure.

The SIEM correlation rules that fire on this are rules the defender has to build. They are not in the default ruleset. Outbound connections from a load balancer to a non-vendor IP on a non-vendor port at an unusual hour. HTTP POST traffic to administrative endpoints from source IPs outside the management VLAN. Configuration changes on the appliance without a corresponding change ticket. Each of these requires baseline knowledge of the appliance’s normal behaviour and a feed of authoritative change data to correlate against. The organisations that detect edge exploitation early are the organisations that built this instrumentation before the CVE existed.
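The three rules above are simple to state and awkward to build, because each needs a baseline the SIEM does not ship with. The following is an added example, not the article's or any vendor's code, implementing them as plain Python over constructed sample records so the baseline dependency is explicit. The appliance address, vendor update range, quiet hours, management VLAN, admin path prefixes, change-ticket feed and the log line formats are all assumptions made up for the example (addresses are RFC 5737 documentation ranges).

```python
import ipaddress
from datetime import datetime
from typing import Dict, List

# Baseline the defender has to supply. Every value is constructed for this example.
APPLIANCE_IPS = {"203.0.113.10"}                                # edge load balancer, assumed
VENDOR_UPDATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed vendor update range
VENDOR_PORTS = {443}                                            # assumed vendor update port
QUIET_HOURS = range(0, 6)                                       # UTC hours treated as unusual, assumed
MGMT_VLAN = ipaddress.ip_network("10.20.30.0/24")               # assumed management VLAN
ADMIN_PATH_PREFIXES = ("/admin/", "/api/config/")               # assumed administrative endpoints
CHANGE_TICKETS = [                                              # constructed authoritative change feed
    {"id": "CHG-1001", "host": "lb-edge-01",
     "start": "2024-01-14T22:00:00Z", "end": "2024-01-14T23:00:00Z"},
]

# Constructed sample telemetry, one record per line.
FLOW_LINES = [      # "<time> <src> <dst> <dport> <proto>" from netflow
    "2024-01-15T03:12:44Z 203.0.113.10 198.51.100.7 443 tcp",   # vendor update check, quiet hour
    "2024-01-15T03:13:02Z 203.0.113.10 192.0.2.55 4444 tcp",    # non-vendor host and port, quiet hour
    "2024-01-15T14:05:10Z 203.0.113.10 192.0.2.55 443 tcp",     # non-vendor host, business hours
]
ACCESS_LINES = [    # "<time> <src> <method> <path> <status>" from the appliance HTTP access log
    "2024-01-15T03:12:50Z 10.20.30.15 POST /admin/config/ 200",  # from the management VLAN
    "2024-01-15T03:12:58Z 192.0.2.55 POST /admin/config/ 200",   # POST from outside the VLAN
    "2024-01-15T03:13:30Z 192.0.2.55 GET /admin/login 200",      # GET only
]
CHANGE_LINES = [    # "<time> <host> <change description>" from the appliance audit log
    "2024-01-14T22:15:00Z lb-edge-01 ssl-cert-rotate",            # inside CHG-1001
    "2024-01-15T03:14:10Z lb-edge-01 add-admin-user svc_backup",  # no ticket covers this
]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def in_nets(ip: str, nets) -> bool:
    return any(ipaddress.ip_address(ip) in n for n in nets)


def rule_edge_outbound(lines: List[str]) -> List[Dict]:
    """Appliance talking to a non-vendor IP or port during quiet hours."""
    hits = []
    for line in lines:
        when, src, dst, dport, _proto = line.split()
        if src not in APPLIANCE_IPS:
            continue
        vendor = in_nets(dst, VENDOR_UPDATE_NETS) and int(dport) in VENDOR_PORTS
        if not vendor and ts(when).hour in QUIET_HOURS:
            hits.append({"rule": "edge_outbound", "time": when, "dst": dst, "dport": int(dport)})
    return hits


def rule_admin_post(lines: List[str]) -> List[Dict]:
    """POST to an administrative endpoint from a source outside the management VLAN."""
    hits = []
    for line in lines:
        when, src, method, path, _status = line.split()
        if (method == "POST" and path.startswith(ADMIN_PATH_PREFIXES)
                and ipaddress.ip_address(src) not in MGMT_VLAN):
            hits.append({"rule": "admin_post_offnet", "time": when, "src": src, "path": path})
    return hits


def rule_unticketed_change(lines: List[str]) -> List[Dict]:
    """Configuration change with no change ticket covering that host at that time."""
    hits = []
    for line in lines:
        when, host, desc = line.split(maxsplit=2)
        t = ts(when)
        covered = any(tk["host"] == host and ts(tk["start"]) <= t <= ts(tk["end"])
                      for tk in CHANGE_TICKETS)
        if not covered:
            hits.append({"rule": "unticketed_change", "time": when, "host": host, "change": desc})
    return hits


def correlate() -> List[Dict]:
    """Run all three rules over the sample telemetry and order alerts by time."""
    alerts = (rule_edge_outbound(FLOW_LINES) + rule_admin_post(ACCESS_LINES)
              + rule_unticketed_change(CHANGE_LINES))
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

Run against the sample data, the three alerts land within two minutes of each other on the same appliance, which is the correlation a SIEM should surface as one incident rather than three low-severity events. Every `continue` and allowlist in the rules is a place where a missing or stale baseline silently turns into a missed detection, which is the article's point about building the instrumentation before the CVE exists.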

The AI-assisted dimension extends past exploit reconstruction. Reconnaissance has scaled. LLMs are used to parse vendor documentation, identify authentication bypass conditions described in release notes, and generate scanning logic at the rate of fleet inventory churn. Initial access brokers are running continuous discovery against the IPv4 space with version-fingerprinting payloads narrow enough to evade simple network IDS while broad enough to identify exploitable hosts. The output is a sellable list. The list is on offer within hours of CVE disclosure. The buyer is the ransomware affiliate who runs the exploitation phase.

The post-patch residual is the part the advisory does not address directly. A 12-hour patch closes the vulnerable condition. It does not address pre-patch exploitation. For any internet-facing system that was unpatched and reachable during the exposure window - which under the new model is hours, not days - the assumption has to be that exploitation attempts occurred. Compromise assessment is the follow-on. Check for unauthorised configuration changes, persistence mechanisms in the appliance’s writable filesystem, additional administrative accounts, scheduled tasks or cron entries created during the window, and outbound connections from the device in the relevant period. Volexity’s analysis of Ivanti Connect Secure post-exploitation showed attackers planting webshells, modifying integrity check scripts, and establishing persistence that survived patching. The patch installed without compromise assessment is the patch that leaves the implant in place.
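The compromise assessment checklist above is a comparison between a known-good state and the post-patch state, scoped to the exposure window. The following is an added example, not the article's or Volexity's code, that runs that comparison offline over two constructed snapshots: new files in writable locations with modification times inside the window, changes to the vendor integrity-check script, and administrative accounts or cron entries that did not exist in the baseline. The writable prefixes, the integrity script path, the snapshot format, the digests and all file names are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Assumed appliance layout: writable locations an implant could land in, and the
# vendor integrity-check script whose modification the article's Volexity reference describes.
WRITABLE_PREFIXES = ("/var/", "/tmp/", "/home/")
INTEGRITY_SCRIPTS = {"/usr/local/bin/integrity_check.sh"}   # assumed path


@dataclass(frozen=True)
class Snapshot:
    """State collected from the appliance: path -> (mtime, digest), admin accounts, cron lines."""
    files: Dict[str, Tuple[str, str]]
    admins: Set[str]
    cron: Set[str]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def assess(baseline: Snapshot, current: Snapshot,
           window_start: str, window_end: str) -> Dict[str, List[str]]:
    """Compare a pre-exposure baseline with the post-patch state and report
    artefacts consistent with exploitation during the exposure window."""
    start, end = ts(window_start), ts(window_end)
    findings: Dict[str, List[str]] = {
        "new_files": [], "modified_integrity_scripts": [], "new_admins": [], "new_cron": []}
    for path, (mtime, digest) in sorted(current.files.items()):
        in_window = start <= ts(mtime) <= end
        if path not in baseline.files:
            # Only writable locations count; vendor patch content lands elsewhere.
            if path.startswith(WRITABLE_PREFIXES) and in_window:
                findings["new_files"].append(path)
        elif path in INTEGRITY_SCRIPTS and baseline.files[path][1] != digest:
            # A changed integrity checker means the on-box check cannot be trusted.
            findings["modified_integrity_scripts"].append(path)
    findings["new_admins"] = sorted(current.admins - baseline.admins)
    findings["new_cron"] = sorted(current.cron - baseline.cron)
    return findings


# Constructed snapshots. Digests are placeholders, not real hashes.
BASELINE = Snapshot(
    files={"/usr/local/bin/integrity_check.sh": ("2023-11-01T00:00:00Z", "digest-a"),
           "/var/www/index.html": ("2023-11-01T00:00:00Z", "digest-b")},
    admins={"admin"},
    cron={"0 2 * * * /usr/sbin/logrotate"},
)
CURRENT = Snapshot(
    files={"/usr/local/bin/integrity_check.sh": ("2024-01-15T03:20:00Z", "digest-c"),  # changed
           "/var/www/index.html": ("2023-11-01T00:00:00Z", "digest-b"),                # unchanged
           "/var/tmp/.cache/u.php": ("2024-01-15T03:18:00Z", "digest-d"),               # new, in window
           "/var/log/messages.1": ("2024-01-16T00:00:00Z", "digest-e"),                # new, after window
           "/opt/vendor/lib/patched.so": ("2024-01-15T05:50:00Z", "digest-f")},        # new, patch area
    admins={"admin", "svc_backup"},
    cron={"0 2 * * * /usr/sbin/logrotate", "*/10 * * * * /var/tmp/.cache/u.sh"},
)
# Advisory publication to patch completion, the exposure window (constructed).
EXPOSURE_WINDOW = ("2024-01-15T00:00:00Z", "2024-01-15T06:00:00Z")


def run() -> Dict[str, List[str]]:
    return assess(BASELINE, CURRENT, *EXPOSURE_WINDOW)


if __name__ == "__main__":
    for category, items in run().items():
        print(category, items)
```

Two caveats follow from the text. The baseline has to predate the exposure window, not be taken after patching, or the implant is baked into the "known good" state. And because the vendor patch itself rewrites files, the integrity-script comparison should be against the vendor's published hashes for the patched release rather than only against the old baseline; a mismatch against both is the finding that matters.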

The 12-hour target is not aspirational. It is the floor for organisations whose threat model includes opportunistic exploitation of edge infrastructure. The compression of the exploitation timeline is observable in CVE-to-exploitation telemetry from vendors who track it - Mandiant, Cisco Talos, GreyNoise. The pre-conditions for meeting the target are organisational. Asset inventory of internet-facing systems accurate to the version. Pre-authorised emergency change procedures for a defined CVSS and exposure profile. Detection coverage on the assets themselves through network telemetry where endpoint telemetry is unavailable. A defined post-patch compromise assessment workflow triggered by exploitation in the window. The advisory names the response. The implementation gap is where the residual exposure lives.

