Updated
Updated · Cisco Blogs · Jun 2
Cisco Shifts to 2 Monthly Security Releases With 7-Day Notices for AI-Driven Vulnerability Surge

2 articles · Updated · Cisco Blogs · Jun 2
  • Starting in July, Cisco will publish security-hardened software on the first and third Wednesdays each month, with PSIRT giving customers a 7-day preview of affected technologies and platforms.
  • Cisco said AI models and agentic analysis are finding bugs across its code base faster than ad-hoc advisories can handle, while the gap between disclosure and exploitation has effectively disappeared.
  • Core network operating systems (including IOS XE, IOS XR, NX-OS, Firepower/ASA and SD-WAN) will be scheduled first and released quarterly, with no more than one core NOS release on the same day.
  • Bundled CVEs will replace many bug-by-bug disclosures for these hardened releases, grouping fixes by weakness category, though Cisco said individually detailed CVEs will still be issued for urgent or exploited flaws.
  • The company framed the shift as a long-term hardening program that prioritizes systemic fixes and predictable patching over feature work, while keeping emergency out-of-cycle responses for zero-days and active exploitation.
Does a predictable 'Patch Wednesday' create a 'Target Thursday' for attackers ready to exploit newly disclosed vulnerabilities?
Will Cisco's bundled CVEs obscure critical flaws, leaving customers less informed and more at risk?
Is Cisco's shift from features to security a sign the software industry is losing the AI arms race?

From Ad-Hoc to Scheduled: Cisco’s Bi-Monthly Security Updates and the AI-Accelerated Patch Landscape

Overview

Starting July 2026, Cisco will shift from an ad-hoc, event-driven approach to a predictable, scheduled security release model. Security updates will be issued twice a month, on the first and third Wednesday, giving customers enhanced predictability and consistency. This regular cadence streamlines the patching process, allowing organizations to better plan and integrate security maintenance into their schedules. Instead of many individual advisories, multiple vulnerabilities will be consolidated into single, comprehensive releases. As a result, customers will receive bundled updates, making it easier to manage security updates and reducing operational disruptions.

...