Adobe Is Doubling Its Patch Releases — Here's Why That Matters

Starting in July, Adobe will push security fixes twice a month instead of once. Blame faster vulnerability discovery, AI-assisted research, and a threat pace that monthly updates can no longer keep up with.

ThreatVectr Newsdesk· 3 min read
Photoreal, news-editorial style, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • Adobe will begin issuing security patches on the fourth Tuesday of each month from 14 July 2025, doubling its previous once-monthly release schedule.
  • Adobe cited the pace of AI-assisted vulnerability discovery as the direct reason for the change.
  • On 30 June 2025, Adobe issued two out-of-sequence security advisories — APSB26-28 and APSB26-29 — covering multiple critical flaws before the new schedule even launched.
  • Oracle made the same move earlier in 2025, shifting from quarterly patches to monthly ones.
  • Every advisory that includes a formally published CVE — a unique tracking number assigned to a known software flaw — requiring customer action will fall under the new twice-monthly schedule.

Adobe makes software that hundreds of millions of people use every day: Acrobat for reading documents, Photoshop for editing images, Creative Cloud for design work. When a security flaw turns up in one of those products, Adobe has to race to fix it before criminals figure out how to use it against ordinary users.

Until now, Adobe released fixes once a month, on the second Tuesday — a schedule nicknamed "Patch Tuesday" that Microsoft and SAP also follow. Starting 14 July 2025, Adobe adds a second release window: the fourth Tuesday of each month.

The company was blunt about why. "Twice-monthly bulletins will enable us to keep pace with the era of frontier AI," Adobe wrote in a blog post. "More vulnerabilities found means more fixes to deploy and a once-a-month publication window is no longer fast enough to stay ahead of our adversaries."

The phrase "frontier AI" here means the newest, most capable AI tools — which researchers and criminals alike now use to find software weaknesses faster than ever before.

Why should ordinary Adobe users care?

If you use any Adobe product and receive prompts to update it, apply those updates sooner rather than later. Each patch closes a door that criminals are actively trying to open.

The urgency is real. On 30 June 2025 — a fifth Tuesday, outside the normal schedule — Adobe already had to issue two emergency advisories (APSB26-28 and APSB26-29) covering several critical vulnerabilities, meaning flaws serious enough to let an attacker take control of an affected machine. That kind of out-of-cycle release is a fire drill. Adobe is building a bigger fire station so those drills happen on a schedule rather than as emergencies.

Adobe is not alone. Oracle, which makes widely used business database software, made a similar call earlier in 2025, moving from patches every three months to patches every month. Microsoft also released an unscheduled fix in April 2025 to react to a specific active attack.

The pattern is consistent: the old rhythms were built for a slower threat environment. First reported by CSO Online, Adobe's announcement is one of the clearer public admissions yet that AI tools are genuinely accelerating the pace of vulnerability discovery — and that vendors are scrambling to match it.

For business owners running Adobe software, the practical implication is simple: make sure automatic updates are turned on, and make sure whoever manages your computers knows the update window has doubled.

© 2026 Threat Vectr