A tough balance
Erik Avakian, technical counselor at Info-Tech Research Group, noted that when it set the patching deadline, CISA had been working within the guidelines laid down in Binding Operational Directive (BOD) 22-01, which requires US federal agencies to patch vulnerabilities within the timelines outlined under the policy, which range from 14 to 21 days.
“In cases of high-risk exploitation, CISA can shorten the deadline to a few days,” he said. “But in the case of CVE-2026-32202, the CVSS score was rated at 4.3, and although the vulnerability has been actively exploited, the rating doesn’t meet the policy threshold for a faster patch cycle. In this case, CISA allotted a 14-day deadline, which meets its aggressive timeline standard based on the vendor rating.”
He said that there is certainly an argument that the 14-day window to patch a vulnerability that is being actively exploited in the wild is too long. However, he said, “I’m assuming in this case, the reason why it was not elevated to an emergency directive type patch cycle (which could require as little as 48 to 72 hours to patch) is because of Microsoft’s rating, as well as a number of other factors”.