UK NCSC

Preparing for a ‘vulnerability patch wave’

Building on the principles contained within our Vulnerability Management guidance, organizations should make plans to deploy software security updates quickly, more frequently, and at scale, including across their supply chains. We are expecting an influx of updates to address vulnerabilities across all severities, and anticipate that a number will be critical.

The NCSC recommends that:

  • where automatic secure ‘hot patching’ is available (that is, patching that doesn’t involve service disruption), this should be enabled as a priority
  • where automatic updates are available (including for embedded devices), this should be enabled to reduce the workload on support teams
  • where neither of the above is available, organizations will need to ensure that processes and risk appetites support frequent and scaled-updating, noting the operational trade-offs around disruption and safety-critical systems. A risk-prioritized approach such as the Stakeholder Specific Vulnerability Categorization (SSVC) system can be used to prioritize installing the updates

However, should a critical vulnerability be under active exploitation (especially one affecting an internet-facing system), it is essential to accelerate the update process. Organizations can refer to the NCSC’s new guidance on ‘Responding to active exploitation of vulnerabilities’ for more information.

To summarize, you should implement a policy to ‘update by default’ where you always apply software updates as soon as possible, and ideally automatically. This should be at the core of your update management process, but we recognize that it may not apply in some circumstances (such as for safety-critical systems or operational technology).

Source: UK NCSC (Cyber) (1 May 2026)

Related Articles

Back to top button