A difficult balance
Erik Avakian, a technical counselor at Info-Tech Research Group, recently shared insights regarding the patching deadlines set by the Cybersecurity and Infrastructure Security Agency (CISA). These deadlines are guided by the Binding Operational Directive (BOD) 22-01, which mandates that U.S. federal agencies address vulnerabilities within specified timeframes, typically ranging from 14 to 21 days.
In instances where high-risk exploitation is identified, CISA has the authority to expedite the patching process to as little as three days. In the case of CVE-2026-32202, however, the vulnerability carries a Common Vulnerability Scoring System (CVSS) score of 4.3. Despite its active exploitation, this score did not meet the threshold necessary for a more urgent patch cycle. Consequently, CISA assigned a 14-day deadline, in line with its established timeline for vulnerabilities at this severity, which is informed by the vendor's own assessment.
Avakian acknowledged the ongoing debate surrounding the adequacy of a 14-day window for patching vulnerabilities that are currently being exploited. He remarked, “While one could argue that this timeframe is too lengthy, it appears that the decision not to escalate this to an emergency directive patch cycle—potentially requiring a response within 48 to 72 hours—was influenced by Microsoft’s rating and several other considerations.”