ctipilot.ch

PAN-OS CVE-2026-0300 — staged-patch arc spanning W19 and W20

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

The PAN-OS staged-patch arc began in W19 with limited in-the-wild (ITW) exploitation against firewalls with an exposed User-ID Authentication Portal (CL-STA-1132 since 2026-04-09). It continued into W20 with wave 1 landing on 2026-05-13 (daily 2026-05-13 UPDATE) for eight build streams. It now extends a further eleven days: the PSIRT advisory was updated on 2026-05-16, confirming that wave 2 is delayed to 2026-05-28 for the remaining eight build streams (Palo Alto PSIRT CVE-2026-0300; daily 2026-05-14 UPDATE).

The cross-day learning for Swiss / EU defenders is that PSIRT-stated patch dates on actively exploited bugs are still subject to slip, and that the operational window is what matters, not the advisory's first-quoted date. The interim mitigation remains identical: User-ID Auth Portal scoped to trusted zones, Response Pages off external L3 interfaces, and Threat ID 510019 for ≥ 11.1 + content ≥ 9097-10022. The retrospective hunt for svc-health-check-NNNNNN admin accounts and Python implants under /var/tmp/linuxupdate, /var/tmp/linuxap and /tmp/.c remains the only signal a CL-STA-1132-victimised organisation will have between the pre-patch compromise and the eventual upgrade.
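
One way to run the retrospective hunt described above over exported text (admin listings, file listings, logs). This is an added example, not code from the brief or from Palo Alto; it assumes each "N" in svc-health-check-NNNNNN is one decimal digit, and the sample lines are constructed in a made-up format.

```python
import re
from collections import defaultdict

# Indicators as named in the brief. Assumption: each "N" in
# svc-health-check-NNNNNN stands for one decimal digit.
ACCOUNT_RE = re.compile(r"(?<![\w-])svc-health-check-\d{6}(?![\w-])")
IMPLANT_PATHS = ("/var/tmp/linuxupdate", "/var/tmp/linuxap", "/tmp/.c")
# Only the trailing edge is anchored: /tmp/.c and /tmp/.c/x hit, /tmp/.cache
# does not. The leading edge is left open on purpose so the same paths still
# match when they appear under the root of an extracted archive.
PATH_RE = re.compile(
    "(" + "|".join(re.escape(p) for p in IMPLANT_PATHS) + r")(?![\w.-])"
)


def hunt(lines):
    """Return {indicator: [1-based line numbers]} for every hit in `lines`."""
    hits = defaultdict(list)
    for no, line in enumerate(lines, 1):
        for m in ACCOUNT_RE.finditer(line):
            hits[m.group(0)].append(no)
        for m in PATH_RE.finditer(line):
            hits[m.group(1)].append(no)
    return dict(hits)


# Constructed sample lines in a made-up format (not real PAN-OS output).
SAMPLE = [
    "admin name=svc-health-check-481207 role=superuser",
    "admin name=svc-health-check role=reader",           # no numeric suffix
    "file /var/tmp/linuxupdate/run.py size=8841",
    "file /tmp/.cache/pip size=120",                     # benign look-alike
    "file ./export/var/tmp/linuxap size=4096",           # archive-relative path
    "file /tmp/.c size=4096",
    "admin name=svc-health-check-1234567 role=reader",   # seven digits, no hit
]

if __name__ == "__main__":
    for indicator, line_nos in hunt(SAMPLE).items():
        print(f"{indicator}: line(s) {line_nos}")
```

Because the leading edge of the path match is open, a hit such as /backup/tmp/.c needs manual triage; the looser match trades a few false positives for not missing relocated copies.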