2026-05-01 NCSC-UK: Preparing for a ‘vulnerability patch wave’

[ahouseholder]

https://www.ncsc.gov.uk/blogs/prepare-for-vulnerability-patch-wave

Prepare to patch quickly, more often, and at scale

Building on the principles contained within our Vulnerability Management guidance, organisations should make plans to deploy software security updates quickly, more frequently, and at scale, including across their supply chains. We are expecting an influx of updates to address vulnerabilities across all severities, and expect a number to be critical.

The NCSC recommend that:

• where automatic secure ‘hot patching’ is available (that is, patching that doesn’t involve service disruption), this should be enabled as a priority
• where automatic updates are available (including for embedded devices), this should be enabled to reduce the workload on support teams
• where neither of the above are available, organisations will need to ensure that processes and risk appetites support frequent and scaled-updating, noting the operational trade-offs around disruption and safety critical systems. A risk-prioritised approach such as the Stakeholder Specific Vulnerability Categorisation (SSVC) system can be used to prioritise installing the updates

However, should a critical vulnerability be under active exploitation (especially one affecting an internet-facing system), then it is essential to accelerate the update process. Organisations can refer to the NCSC’s new guidance on ‘Responding to active exploitation of vulnerabilities’ for more information.

To summarise, you should put in place a policy to ‘update by default’ where you always apply software updates as soon as possible, and ideally automatically. This should be at the core of your update management process, but we recognise that it may not apply in some circumstances (such as for safety-critical systems or operational technology).

Additional coverage:
https://www.infosecurity-magazine.com/news/ncsc-warns-aifuelled-vulnerability/

[ahouseholder]

Too bad they linked to CISA's SSVC page and not https://certcc.github.io/SSVC