PatchDay Alert

Editorial coverage · CVE-2026-0300

CISA says patch by Friday. Palo Alto's fix ships next Tuesday.

An unauthenticated RCE in PAN-OS Captive Portal, exploited in the wild since April 9. The KEV deadline says May 9. The first patch ships May 13. The four-day gap is where the editorial work lives.

Editorial CVE · 2 min read · By The Field Notes Desk · Field Notes

What we say

The interesting thing about this CVE is not the vulnerability. It is the four-day gap between the federal patch deadline and the vendor’s earliest fix.

CISA added CVE-2026-0300 to the KEV catalog on April 30 with a May 9 remediation date. Palo Alto Networks' first patched PAN-OS builds (11.2.5, 11.1.7, 11.0.8, 10.2.16) ship on May 13. Federal agencies bound by BOD 22-01 have been told to remediate something for which no patch exists. That is not unusual for a KEV listing; it is unusual for a vendor that knew the deadline before publishing the advisory. The published advisory and the patch schedule were not aligned at the same desk.

What that means for the rest of us is the work between May 9 and May 13 is not “wait for the patch.” It is two changes:

Change 1 (May 9 or earlier): disable Captive Portal where it is not load-bearing. Captive Portal (the feature is called Authentication Portal in newer PAN-OS releases; the setting is the same) is the User-ID feature most operators forget they enabled, common in older 802.1X-adjacent rollouts and guest-network configurations that got grandfathered in. If it is off, you are not exposed. If it is on and nothing depends on browser-based authentication, turn it off; in that case the mitigation breaks no production workflow. If something does depend on it, the portal is load-bearing and the next two paragraphs apply.

Change 2 (May 13 or shortly after): upgrade to the patched build. This is the change that gets through the biweekly board because the vendor finally has a fix to point at.

Both changes are required if Captive Portal is load-bearing in your environment. The mitigation does not replace the upgrade; it buys four days of "the bug is not reachable" while the operator queues the patch through proper change control. Before deciding Change 1 is optional, check both reachability conditions the NVD section spells out: the portal enabled, and Response Pages enabled on an interface management profile attached to an outward-facing interface. A change board that meets every other Wednesday cannot run those two changes back-to-back without an emergency break-glass, so plan for one, not zero.

The score is not the story here. The story is the calendar.

What NVD says

CWE-787, an out-of-bounds write in the PAN-OS User-ID Authentication Portal (the current name for Captive Portal). CVSS 3.1 base 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS 4.0 base 9.3. NVD's record names the unauthenticated RCE clearly. What it does not carry forward: that the bug is reachable only when Captive Portal is enabled AND Response Pages are enabled on an external-facing interface management profile. Both conditions together are the actual exposure surface, so a firewall with the portal on but no Response Pages on any outward-facing interface is not reachable, and vice versa.
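The two-condition exposure surface above, and the "is it on at all?" question behind Change 1, can be answered from an exported configuration rather than by clicking through the GUI. The following is an added example written for this piece, not Palo Alto Networks code: it parses a PAN-OS XML configuration export (the `show config running` output) and reports whether the portal is enabled, which interface management profiles have Response Pages on, and which interfaces and zones those profiles are bound to. The element names and paths it searches for are the author's reading of the PAN-OS config schema and are an assumption; confirm them against your own export before trusting a "not reachable" answer. The sample configuration embedded in the block is constructed for the example.

```python
"""Reachability check for the two CVE-2026-0300 exposure conditions against an
exported PAN-OS XML configuration.

Added example, not Palo Alto Networks code. Every element path below is an
ASSUMPTION about the PAN-OS config schema; verify against a real export.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: portal enabled on vsys1, a Response Pages profile
# bound to ethernet1/1 in zone "untrust", a plain profile on ethernet1/2 in "trust".
SAMPLE_CONFIG = """<config version="10.2.0"><devices><entry name="localhost.localdomain">
  <network>
    <profiles><interface-management-profile>
      <entry name="mgmt-outside"><response-pages>yes</response-pages><ping>yes</ping></entry>
      <entry name="mgmt-inside"><ping>yes</ping></entry>
    </interface-management-profile></profiles>
    <interface><ethernet>
      <entry name="ethernet1/1"><layer3>
        <interface-management-profile>mgmt-outside</interface-management-profile>
      </layer3></entry>
      <entry name="ethernet1/2"><layer3>
        <interface-management-profile>mgmt-inside</interface-management-profile>
      </layer3></entry>
    </ethernet></interface>
  </network>
  <vsys><entry name="vsys1">
    <zone>
      <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
    </zone>
    <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
  </entry></vsys>
</entry></devices></config>"""


def _yes(elem):
    """True when an on/off config leaf reads 'yes'."""
    return elem is not None and (elem.text or "").strip().lower() == "yes"


def portal_enabled_vsys(root):
    """Names of vsys entries with the portal switched on.
    ASSUMPTION: older schema <captive-portal><enable-captive-portal>, newer
    schema <authentication-portal><enable-authentication-portal>."""
    on = []
    for vsys in root.findall(".//vsys/entry"):
        if _yes(vsys.find("./captive-portal/enable-captive-portal")) or \
           _yes(vsys.find("./authentication-portal/enable-authentication-portal")):
            on.append(vsys.get("name"))
    return on


def response_page_profiles(root):
    """Interface management profiles that have Response Pages enabled."""
    return {p.get("name")
            for p in root.findall(".//network/profiles/interface-management-profile/entry")
            if _yes(p.find("./response-pages"))}


def interface_zones(root):
    """Map interface name -> zone name from the vsys zone definitions."""
    zones = {}
    for zone in root.findall(".//vsys/entry/zone/entry"):
        for member in zone.findall("./network//member"):
            zones[(member.text or "").strip()] = zone.get("name")
    return zones


def bound_interfaces(root, profiles):
    """(interface, profile, zone) for every interface carrying one of `profiles`.
    ASSUMPTION: the reference sits under <layer3> for a parent interface and
    directly under the entry for a subinterface; both are checked."""
    zones = interface_zones(root)
    hits = []
    for iface in root.findall(".//network/interface//entry[@name]"):
        ref = iface.find("./layer3/interface-management-profile")
        if ref is None:
            ref = iface.find("./interface-management-profile")
        if ref is not None and (ref.text or "").strip() in profiles:
            name = iface.get("name")
            hits.append((name, ref.text.strip(), zones.get(name, "?")))
    return hits


def assess(config_xml):
    """Both conditions must hold for the bug to be reachable. Zone membership is
    reported so the operator can judge 'external-facing'; the config cannot."""
    root = ET.fromstring(config_xml)
    portal = portal_enabled_vsys(root)
    profiles = response_page_profiles(root)
    bound = bound_interfaces(root, profiles)
    return {"portal_vsys": portal,
            "response_page_profiles": sorted(profiles),
            "bound_interfaces": bound,
            "reachable": bool(portal) and bool(bound)}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents. A `reachable: False` result only means neither condition pair was found under the assumed paths; an interface in a zone you would not call external still counts as bound, because the script cannot know which zones face the Internet.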


What the vendor says

Palo Alto Networks rates the bug Critical, marks it actively exploited, and acknowledges the federal remediation deadline lands four days before the earliest patched build is available. The advisory recommends disabling Captive Portal as the mitigation, which works but breaks any User-ID workflow that depends on browser-based authentication. The vendor does not name the actor or characterize the exploitation as state-aligned — that framing comes from Unit 42's separate threat brief.

Compliance impact

PCI DSS
Requirement 6.3.3's one-month clock for critical patches runs from the patch's release, not from advisory publication, so the May 13 build has to be installed by June 13; the days between the advisory and that build, when there was nothing to install, fall outside 6.3.3 altogether. The audit form has one column for 'applied vendor patch' and no column for 'applied vendor mitigation in the gap between the KEV deadline and the vendor's earliest patch.' A CDE-adjacent firewall that ran the disable-Captive-Portal mitigation from May 9 to May 13 and then upgraded reads on the QSA's change record as 'patched within window'; the same form reads identically for a shop that did nothing between May 9 and May 13. The honest narrative is two changes, not one, but the form has space for one, so the mitigation needs its own change ticket attached to the patch record if it is to be seen at all.
FEDRAMP
The three-week due date CISA usually attaches to a KEV entry under BOD 22-01 collapses to nine days on this CVE (listed April 30, due May 9), and the earliest patched PAN-OS build does not exist until May 13. An SI-2 narrative cannot truthfully read 'patched within the federal deadline' when the patched build was not available within the deadline. The defensible narrative is 'vendor-recommended mitigation applied by May 9, patched build deployed May 13 or shortly after,' with both changes documented in the POA&M. A control assessor reading only the version field will not see the mitigation; the POA&M is where that work lives.

Sources

Every source on this list has been read by the editorial team. We do not cite something we have not opened.
