A troublesome steadiness
Erik Avakian, technical counselor at Data-Tech Analysis Group, famous that when it set the patching deadline, CISA had been working throughout the tips laid down in Binding Operational Directive (BOD) 22-01, which requires US federal businesses to patch vulnerabilities throughout the timelines outlined beneath the coverage, which vary from 14 to 21 days.
“In instances of high-risk exploitation, CISA can shorten the deadline to a few days,” he mentioned. “However within the case of CVE-2026-32202, the CVSS rating was rated at 4.3, and regardless that the vulnerability has been actively exploited, the score doesn’t meet the coverage threshold for a sooner patch cycle. On this case, CISA allotted a 14-day deadline, which meets its aggressive timeline normal based mostly on the seller score.”
He mentioned that there’s certainly an argument that the 14 day window to patch a vulnerability that’s being actively exploited within the wild is simply too lengthy. However, he mentioned, “I’m assuming on this case, the explanation why it was not elevated to an emergency directive kind patch cycle (which might require as little as 48 to 72 hours to patch) is because of Microsoft’s score, in addition to a number of different components”.
