CISA Orders Federal Agencies to Patch Critical Vulnerabilities Within Three Days as AI Speeds Up Attacks

The Cybersecurity and Infrastructure Security Agency issued a directive in June 2026 requiring civilian federal agencies to patch critical software vulnerabilities within three days of disclosure, a sharp reduction from the previous 15-day window.

CISA said the change was necessary because AI tools are allowing attackers to identify and exploit software flaws far faster than traditional patch cycles were designed to handle. The agency said threat actors are now able to develop working exploits within hours of a vulnerability being made public.

The directive applies to all civilian executive branch agencies and covers vulnerabilities rated as critical under the Common Vulnerability Scoring System. Agencies that cannot patch within three days must implement compensating controls and report to CISA.

The announcement came alongside a warning about an active exploitation campaign targeting a high-severity vulnerability, designated CVE-2026-5027, in the Langflow AI development platform. CISA said the flaw was being used to gain unauthorized access to systems running the platform.

Separately, Meta disclosed that attackers had hijacked approximately 34,000 Instagram accounts by exploiting an AI-driven customer support system. The breach allowed attackers to bypass standard account recovery processes by manipulating the AI system into granting access.

CISA also released new guidance on securing agentic AI systems, which are AI programs that can take actions autonomously without human approval for each step. The guidance warns that agentic AI introduces new attack surfaces and calls on agencies to implement strict access controls and monitoring.

Security experts said the three-day patching requirement will be difficult for many agencies to meet and called for additional resources to help smaller agencies comply.