UPDATE: CVE-2026-0300 PAN-OS Captive Portal — patch wave 2 delayed to 2026-05-28 for eight high-traffic build streams; mitigation remains the only option on those builds [SINGLE-SOURCE]
From CTI Daily Brief — 2026-05-14 · published 2026-05-14
UPDATE (originally covered 2026-05-07 deep dive, last updated 2026-05-13): Palo Alto Networks PSIRT updated its CVE-2026-0300 advisory on 2026-05-13 to reflect first-wave patch availability and to disclose a second patch wave with an ETA of 2026-05-28 for eight commonly deployed build streams: PAN-OS 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21 and 10.2.16-h7 (Palo Alto Networks PSIRT, updated 2026-05-13). Operators running any of those builds cannot patch yet; the interim mitigation (restrict User-ID Authentication Portal to trusted zones, or disable Captive Portal if unused) is the only option until 28 May. CL-STA-1132 in-the-wild exploitation continues; the cluster's tradecraft (EarthWorm / ReverseSocks5 tunnels, AD enumeration via firewall service account, deliberate log destruction) is unchanged from prior coverage (Unit 42 — Captive Portal Zero-Day, 2026-05-06).
The CISA KEV entry was updated on 2026-05-13 to note "Palo Alto has released a variety of patches"; the FCEB remediation deadline (2026-05-09) has already expired. Per PD-13 the KEV deadline is not the operational driver in CH/EU — the active-exploitation status, the affected-build delay, and the CL-STA-1132 attribution are. The wave-2 delay specifics are documented in the vendor PSIRT advisory and were not independently corroborated by HIGH-reliability third-party reporting in window; treat the eight-build "ETA 05/28" list as vendor-primary and verify against the live PSIRT entry before any rollout planning.