Exam CISM
Question 1108

An information security team has confirmed that threat actors are taking advantage of a newly announced critical vulnerability within an application. Which of the following should be done FIRST?

    Correct Answer: C

    When a critical vulnerability is being actively exploited by threat actors, the first step should be to invoke the incident response plan. This plan guides the information security team through a structured response process, ensuring that all necessary actions are taken in an organized manner. The process involves identifying and containing the threat and minimizing damage, and can potentially include notifying senior management, isolating the affected systems, and applying patches or other controls. Invoking the incident response plan ensures a comprehensive and coordinated approach to addressing the incident.

Discussion
1899f17 Option: B

PREVENT ACCESS TO THE APPLICATION