Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Topic: When to patch vulnerabilities
Applicable to: all
History
Sep 2023
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
The existing control (now two controls) relating to applying patches, updates or other vendor mitigations to vulnerabilities in ‘operating systems of internet-facing services’ was amended to ‘operating systems of internet-facing servers and internet-facing network devices’ to reduce confusion as to its applicability. [ISM-1694, ISM-1877]
Sep 2023
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
The existing controls relating to patching, updating or applying other vendor mitigations for vulnerabilities within two weeks of release, or 48 hours of release when working exploits exist, were all split into two separate controls to allow for separate assessment of standard patching practices (i.e. within two weeks) and quick response patching practices (i.e. within 48 hours). In addition, scenarios in which vulnerabilities are assessed as critical by vendors (e.g. they facilitate remote code exploitation without user interaction, or facilitate authentication bypasses that grant privileged access) have been included within the quick response patching window. Typically, vendors or the ACSC will release ‘critical alerts’ for situations that require a quick response. [ISM-1690, ISM-1694, ISM-1697, ISM-1751, ISM-1876, ISM-1877, ISM-1878, ISM-1789]