A difficult balance
Erik Avakian, technical counselor at Info-Tech Research Group, noted that when it set the patching deadline, CISA had been operating within the guidelines laid down in Binding Operational Directive (BOD) 22-01, which requires US federal agencies to patch vulnerabilities within the timelines outlined under the policy, which range from 14 to 21 days.
“In cases of high-risk exploitation, CISA can shorten the deadline to three days,” he said. “But in the case of CVE-2026-32202, the CVSS score was rated at 4.3, and even though the vulnerability has been actively exploited, the rating does not meet the policy threshold for a faster patch cycle. In this case, CISA allotted a 14-day deadline, which meets its aggressive timeline standard based on the vendor rating.”
He said that there is indeed an argument that the 14-day window to patch a vulnerability that is being actively exploited in the wild is too long. But, he said, “I’m assuming in this case, the reason why it was not elevated to an emergency directive type patch cycle (which would require as little as 48 to 72 hours to patch) is due to Microsoft’s rating, as well as several other factors”.
