
Adobe just added a second Patch Tuesday. Starting July 14, 2026, Adobe will publish security bulletins on the second and fourth Tuesday of every month. The reason is unambiguous: AI has compressed the window between vulnerability disclosure and active exploitation from days to hours, and once-a-month patching is no longer fast enough.
What Changed and When
Adobe’s new schedule puts security bulletins on the second and fourth Tuesday of each month. The first extra bulletin hits July 14. From there, organizations running Adobe products face a twice-monthly patching calendar instead of the monthly one they’ve managed for years.
The trigger was a round of emergency patches for seven CVSS 10.0 vulnerabilities across ColdFusion and Campaign Classic — maximum severity ratings that signal complete system compromise as a realistic outcome. Out-of-band patches like those are evidence that monthly was already failing. The twice-monthly announcement formalizes that reality.
“The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours.”
Adobe Chief Security Officer
The N-Day Problem AI Just Made Worse
An N-day exploit targets a known, already-patched vulnerability. The attack method: reverse-engineer the patch to identify the underlying flaw, then build a working exploit. This used to take a week or more. With modern AI tools analyzing diffs and generating proof-of-concept code, sophisticated actors can compress that timeline to 12–48 hours.
The math on your current patch SLA is bleak. If you’re running a 30-day patch window — still common in enterprise environments — you’re exposed to known, working exploits for 28 of those days. That’s not a theoretical risk; it’s a structural one. Adobe isn’t changing its schedule because it wants to. It’s changing because the gap between “vulnerability exists” and “attackers are using it” has gotten short enough that monthly bulletins leave too much exposure on the table.
This Is a Trend, Not an Isolated Move
Adobe isn’t the first vendor to cite AI acceleration as the reason for tightening its patch cadence. Oracle made the same call in May 2026, moving from quarterly Critical Patch Updates to monthly ones. Oracle’s second monthly batch delivered 245 patches, roughly 120 of which were classified critical.
| Vendor | Previous Cadence | Current Cadence | Change Driver |
|---|---|---|---|
| Microsoft | Monthly | Monthly (unchanged) | — |
| Oracle | Quarterly | Monthly (May 2026) | AI vulnerability discovery |
| Adobe | Monthly | Twice-monthly (July 14, 2026) | AI vulnerability discovery |
The pattern is clear: major software vendors are implicitly acknowledging that AI changes the economics of patch timing. Adobe won’t be the last to accelerate. SAP, Cisco, and other enterprise software vendors running quarterly or semi-annual cycles are the next candidates.
What You Need to Do Before July 14
The practical adjustments aren’t complicated, but they need to happen before the new schedule kicks in:
- Update your calendar. Mark the second and fourth Tuesday of each month for Adobe security bulletins. Set reminders through the rest of 2026 now.
- Subscribe to Adobe security alerts. Adobe publishes bulletins at helpx.adobe.com/security. Pick email or RSS and enable it today.
- Audit your patch SLAs. If your organization has a 30-day window for critical patches, that policy was already questionable. For CVSS 9.0+ Adobe vulnerabilities, compress it to seven days or fewer.
- ColdFusion and Campaign Classic teams: act now. The seven CVSS 10.0 flaws from June/July 2026 are your immediate priority if you haven’t patched already. Review the patch details at Bleeping Computer.
- Reconfigure your scanning cadence. Vulnerability scanners checking Adobe CVEs on a monthly cycle need updating. Twice-monthly at minimum; weekly if your risk tolerance demands it.
The Bigger Picture
Adobe’s announcement is a data point in a larger shift. The same AI tools organizations use internally to find vulnerabilities faster are available to external researchers — and attackers. When an AI model can analyze a patch, identify the vulnerability, and generate a working exploit in hours, the implicit contract that “patched means safe for the next month” breaks down.
The logical endpoint is automated patch pipelines: scanner detects a new CVE, staging environment applies the patch, tests pass, production update triggers — all within 24 hours. That’s Chrome’s model for browser updates. Enterprise software isn’t there yet, but the direction is set.
For now: update your calendars, tighten your SLAs, and don’t treat Adobe’s July 14 effective date as someone else’s problem. Adobe products are in most enterprise stacks. The full announcement from Adobe’s security team covers the new cadence and what it includes.













