exploitation risk

Winsage
May 1, 2026
Erik Avakian, a technical counselor at Info-Tech Research Group, discussed the patching deadlines set by the Cybersecurity and Infrastructure Security Agency (CISA) under Binding Operational Directive (BOD) 22-01, which requires U.S. federal agencies to address vulnerabilities within 14 to 21 days. CISA can shorten the patching deadline to as little as three days for high-risk exploits. The vulnerability CVE-2026-32202, rated 4.3 on the Common Vulnerability Scoring System (CVSS), was actively exploited but did not qualify for an urgent patch cycle, resulting in a 14-day deadline. Avakian noted the debate over whether this timeframe is sufficient, suggesting that Microsoft’s rating and other factors influenced the decision not to escalate to an emergency directive requiring a 48- to 72-hour response.