The 48-Hour Critical CVE Playbook: What to Do When a New Exploit Drops and You Have Two Days to Act

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
A critical CVE drops on a Tuesday morning. By Tuesday afternoon, proof-of-concept exploit code is publicly available. By Wednesday, threat actors are actively scanning for vulnerable infrastructure. Your change management system requires a two-week approval cycle, a rollback plan, a test environment validation, and a change advisory board sign-off.
This tension — between exploit timelines measured in hours and patch processes measured in weeks — is the most common vulnerability management failure mode. Organizations that have not pre-established an emergency patch track discover, under pressure, that they have no process for moving faster than normal change management allows.
This playbook covers the hour-by-hour decisions from CVE disclosure to patched or documented compensating controls. It does not replace your vulnerability management program — it gives your emergency track structure that can be executed without improvising.
Hours 0-2: Scope and exposure assessment
The most important action in the first two hours is understanding whether the vulnerability affects anything in your environment — not reading about it, not forwarding alerts, and not scheduling a meeting. Assess exposure first.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Hours 2-6: Compensating controls while patches are prepared
The patch is unlikely to be deployed in the first 6 hours regardless of urgency. Compensating controls reduce your exposure during the gap between disclosure and remediation.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Hours 6-24: Emergency change process
Deploying a patch outside normal change management requires a pre-established emergency change track. Organizations that have not defined this track in advance face the choice between waiting for normal approval (days to weeks) or bypassing controls entirely (risky and undocumented). A pre-defined emergency track eliminates both risks.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Hours 24-48: Patch deployed or exception documented
At the 48-hour mark, your organization should be in one of two documented states: patched and monitored, or in documented exception with compensating controls in place.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The decision matrix: patch now vs. wait for testing
The most contested decision in emergency patching is whether to deploy immediately or wait for regression testing. Neither answer is universally correct — the decision is a function of exploitation timeline versus operational risk.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
The organizations that handle critical CVEs well are not the ones that patch the fastest — they are the ones with a pre-defined emergency change track that allows them to move faster than normal change management when exploitation timelines demand it, without bypassing controls or creating undocumented risk. An emergency patch track defined when there is no active CVE crisis is executed with discipline when one arrives. One defined under pressure while an active exploit is circulating produces inconsistent outcomes.
Frequently asked questions
What qualifies as a critical CVE that triggers emergency patching?
Operationally, a CVE warrants emergency patching when it meets two criteria: CVSS 9.0 or above (or equivalent severity scoring), and either confirmed exploitation in the wild (CISA KEV listing) or publicly available proof-of-concept exploit code for internet-exposed systems in your environment. CVSS score alone is insufficient — 61% of CVEs score High or Critical, but only a fraction are actively exploited. CISA KEV listing is the most reliable signal for actual exploitation.
What is CISA's Known Exploited Vulnerabilities catalog and how do I use it?
CISA's KEV catalog (cisa.gov/known-exploited-vulnerabilities-catalog) lists vulnerabilities with confirmed in-the-wild exploitation, with mandatory remediation deadlines for federal agencies and recommended timelines for all organizations. Checking a new critical CVE against KEV should be the first step in any emergency patch assessment. CISA updates the catalog regularly — subscribe to email notifications or use the KEV JSON feed to integrate into your vulnerability management platform.
How do I handle emergency patching for operational technology (OT) systems that can't be taken offline?
OT environments with availability constraints require pre-established compensating controls that can be applied without downtime: network segmentation to isolate affected systems from general IT networks, protocol filtering at the IT/OT boundary, and application whitelisting if the OT environment supports it. Document these compensating controls as the exception record for each OT system that cannot be patched on emergency timelines. Work with the OT vendor on their patch timeline and plan a maintenance window patch as soon as operationally feasible.
What is virtual patching and does it provide real protection?
Virtual patching uses WAF or IPS rules to block known exploit patterns for a vulnerability before a code-level patch is applied. It provides meaningful protection against known exploit signatures — the initial PoC code that attackers use at scale. It does not protect against novel bypass techniques that skilled attackers develop after initial public exploit code becomes available. Virtual patching is a valid short-term compensating control, not a substitute for an actual patch.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
