DPI Deep Dive — Sunday | April 12, 2026

Focus Layer: L7 Security, Privacy & Trust (CERT-In, DPDP, TRAI)
Coverage Period: April 5-12, 2026

Executive Summary

This week, India’s cybersecurity apparatus saw significant activity on multiple fronts. CERT-In issued critical vulnerability advisories affecting Microsoft products, Adobe software, Google Chrome, SolarWinds Serv-U, and Honeywell CCTV systems—highlighting the ongoing challenge of patch management across enterprise infrastructure. Meanwhile, the Ministry of Electronics and Information Technology (MeitY) proposed amendments to IT rules that would extend content regulation to social media shares of news and political content, raising questions about the scope of platform liability. TRAI continued its consultation on direct-to-device satellite spectrum, exploring whether D2D services should use terrestrial or mobile satellite service (MSS) spectrum. Together, these developments reflect the tension between expanding digital governance and maintaining security trusts in India’s rapidly evolving DPI ecosystem.

Key Developments

1. CERT-In Issues Wave of Critical Vulnerability Advisories (April 2026)

India’s Computer Emergency Response Team (CERT-In) has been prolific this week, publishing multiple high-severity vulnerability notes covering widely-used enterprise and consumer software.

Microsoft Products Advisory (CIAD-2026-0011): CERT-In warned of multiple vulnerabilities across Microsoft Windows, Office, SQL Server, Developer Tools, System Center, and Azure. Exploits could enable attackers to gain elevated privileges on affected systems. Organizations using these Microsoft products should apply the latest security patches immediately through Windows Update or the Microsoft Update Guide. ¹

Adobe Critical Vulnerabilities (CIVN-2026-0085): A February 2026 advisory flagged multiple critical vulnerabilities across Adobe’s creative suite, including DNG SDK, Lightroom Classic, Substance 3D Modeler, Bridge, InDesign, After Effects, and Audition. Users of affected products should update to the vendor-recommended versions to mitigate remote code execution risks. ²

Google Chrome Vulnerabilities (CIVN-2026-0116): Multiple vulnerabilities in Google Chrome for Desktop (versions prior to 145.0.7632.116/117) could allow remote code execution through specially crafted webpages. CERT-In rated this HIGH severity and recommended immediate browser updates. ³

SolarWinds Serv-U (CIVN-2026-0101): Critical vulnerabilities in SolarWinds Serv-U (versions up to 15.5.3) could enable arbitrary code execution, authentication bypass, and privilege escalation—potentially leading to full system compromise. Given SolarWinds’ prominence in enterprise IT, this advisory warrants urgent attention from IT security teams. ⁴

Honeywell CCTV Security Bypass (CIVN-2026-0098): In a notable example of physical-cyber convergence, CERT-In flagged a critical authentication bypass in Honeywell CCTV products. An unauthenticated remote attacker could take over admin accounts and access video feeds—particularly concerning for organizations deploying these cameras in sensitive infrastructure. ⁵

Analysis: The breadth of this week’s CERT-In advisories—from operating systems to creative tools to physical security cameras—underscores the expanding attack surface that Indian organizations must manage. With the DPDP Act now in force, data breaches stemming from unpatched vulnerabilities could trigger both CERT-In incident reporting requirements and potential data protection violations under the new data protection framework.

2. MeitY Proposes Expanded Social Media Content Rules

The Ministry of Electronics and Information Technology (MeitY) proposed amendments to India’s IT rules that would extend the existing “code of ethics”—currently applied to registered news publishers—to social media users who share news and political content. Under the proposal, platforms would need to act on government takedown orders to maintain their “safe harbour” protections, which currently provide legal immunity from liability for user-posted content. ⁶

The timing is notable: this follows a 2025 change that strengthened the federal home ministry’s Sahyog portal, a centralized platform allowing multiple agencies to issue takedown notices with limited transparency. Digital rights advocates have raised concerns about the expansion of government content removal powers without corresponding due process safeguards.

Analysis: While the stated aim is combating misinformation, this expansion blurs the line between platforms and publishers—raising questions about how “users who are not publishers” would be defined and held accountable. For India’s DPI, this represents an expansion of trust-and-safety governance into layers previously considered outside regulatory scope. The interplay with existing DPI layers (L1 Identity for accountability, L3 Documents for verifiable information) becomes increasingly relevant as the boundaries between platforms and traditional publishers dissolve.

3. TRAI Consults on Direct-to-Device Satellite Spectrum

The Telecom Regulatory Authority of India (TRAI) released a consultation paper examining whether direct-to-device (D2D) satellite services should operate on terrestrial spectrum or mobile satellite services (MSS) spectrum. The Mobile Satellite Services Association (MSSA)—launched by Viasat in 2024—advocates for MSS spectrum, arguing it is already allocated, licensed, and regulated under existing international frameworks with no interference concerns for terrestrial networks. ⁷

However, several countries have already launched D2D services using terrestrial spectrum, creating potential regulatory asymmetry. The decision will affect device compatibility, licensing frameworks, and whether D2D services are offered directly by satellite operators or through terrestrial mobile partners.

Analysis: D2D satellite connectivity represents a potential leap in India’s communication infrastructure—particularly for remote areas where terrestrial coverage is sparse. This touches L6 Governance (regulatory frameworks for new infrastructure) and L4 Commerce (enabling new business models for rural connectivity). India’s stance on spectrum allocation could shape whether D2D becomes a DPI complement or competitor to existing terrestrial networks.

Cross-Layer Connections

This week’s Security layer developments intersect with multiple DPI layers:

• L1 Identity & Authentication: The MeitY proposals for social media accountability could create new identity verification requirements for users sharing news content—potentially linking platform accounts to verifiable identity (Aadhaar or otherwise).
• L2 Payments: The CERT-In warnings about vulnerability management become more critical as digital payments (UPI, RuPay) depend on secure endpoints. Unpatched systems handling payment data could become breach vectors.
• L3 Documents & Data Exchange: With DPDP now in effect, the SolarWinds and Microsoft vulnerabilities take on added significance—data exfiltration could now trigger both incident reporting and data protection compliance obligations.
• L6 Governance: The TRAI D2D consultation exemplifies how sectoral regulators are grappling with next-generation infrastructure that doesn’t fit legacy frameworks.

Sources