ctipilot.ch

Pre-stage PAN-OS Captive Portal upgrade for the 2026-05-13 first-wave release; keep interim mitigation enforced until then

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

For any PA-Series / VM-Series perimeter device on PAN-OS 12.1, 11.2, 11.1, or 10.2 that has User-ID Authentication Portal or Captive Portal enabled, prepare today for the 2026-05-13 first-wave build release per Palo Alto's PSIRT advisory for CVE-2026-0300: confirm a tested rollback path, validate the change window for tomorrow, and pull the release notes the moment the fixed builds are published. Until the first-wave builds ship, keep Threat Prevention signature 510019 enforced (requires a Threat Prevention licence) and restrict the captive-portal listener to trusted internal source ranges. The second wave is expected around 2026-05-28 for the remaining branches (12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7); plan a second deployment window then. The CISA KEV deadline has expired, but the operational driver here is active in-the-wild (ITW) exploitation per Unit 42 — Captive Portal Zero-Day, not the FCEB compliance date.