PAN-OS CVE-2026-0300 — wave 2 confirmed delayed to 2026-05-28; eight build streams remain on mitigation-only for a further 11 days
From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17
If you did nothing this week: any PA-Series or VM-Series firewall running PAN-OS 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, or 10.2.16-h7 with User-ID Authentication Portal / Captive Portal exposed to untrusted IPs has been within CL-STA-1132's exploitation window since 2026-04-09 (W19 baseline) and will remain so until 2026-05-28 — eleven calendar days past today. The Palo Alto PSIRT advisory was updated 2026-05-16 confirming the staggered two-wave schedule (wave 1 landed 2026-05-13 for 11.2.7-h13 / 11.2.10-h6 / 11.1.4-h33 / 11.1.6-h32 / 11.1.10-h25 / 11.1.13-h5 / 10.2.10-h36 / 10.2.18-h6; wave 2 covers the remaining branches on 2026-05-28). Limited ITW exploitation continues (Palo Alto PSIRT CVE-2026-0300; daily 2026-05-14 UPDATE; daily 2026-05-13 UPDATE).
The interim mitigation remains the only available control for wave-2 build streams: restrict User-ID Authentication Portal to trusted zones, disable Response Pages on external-facing L3 interface management profiles, and (for Threat Prevention subscribers on PAN-OS ≥ 11.1 with content version ≥ 9097-10022) enable Threat ID 510019. The retrospective-hunt artefact set documented in W19 (svc-health-check-NNNNNN rogue-admin accounts; Python implants under /var/tmp/linuxupdate, /var/tmp/linuxap, and /tmp/.c) remains the right starting point for organisations exposed during the four-and-a-half-week pre-patch window between 2026-04-09 and their eventual upgrade date.
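A first-pass retrospective hunt for the W19 artefact set over exported log and file-listing text, as an added example that is not code from the advisory or from this brief. It assumes that NNNNNN stands for exactly six digits and that log lines may start with an ISO date; the `hunt` function and the sample lines are constructed for illustration.

```python
import re
from datetime import date

# Indicators as named in the brief; window start is the brief's 2026-04-09 date.
WINDOW_START = date(2026, 4, 9)
# Assumption: "NNNNNN" in the brief stands for exactly six digits.
ACCOUNT_RE = re.compile(r"\bsvc-health-check-\d{6}\b")
# Match each path as a whole component, so /tmp/.cache or /var/tmp/linuxapp
# do not count but /tmp/.c/anything does.
PATH_RE = re.compile(
    r"(?<![\w/.-])(/var/tmp/linuxupdate|/var/tmp/linuxap|/tmp/\.c)(?![\w.-])")
# Assumption: log lines may start with an ISO date (YYYY-MM-DD).
DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})\b")

def hunt(lines):
    """Return (line_no, kind, indicator, in_window) for every hit.

    in_window is True/False when the line carries a date, and None when it
    does not (for example a file listing), so undated hits still get reviewed.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = DATE_RE.match(line)
        in_window = date(*map(int, m.groups())) >= WINDOW_START if m else None
        for kind, rx in (("rogue-admin", ACCOUNT_RE), ("implant-path", PATH_RE)):
            for hit in rx.finditer(line):
                findings.append((line_no, kind, hit.group(0), in_window))
    return findings

# Constructed sample input, not taken from any real device.
SAMPLE = """\
2026-04-02 08:11:40 admin 'netops' logged in from 10.0.0.5
2026-04-11 03:27:19 config: admin account 'svc-health-check-483920' created
2026-04-11 03:29:02 file created /var/tmp/linuxupdate/agent.py
2026-04-12 14:00:00 file created /tmp/.cache/pip/wheel
-rwxr-xr-x 1 root root 18432 /tmp/.c
2026-03-30 09:00:00 admin account 'svc-health-check' reviewed
2026-03-01 10:15:00 admin account 'svc-health-check-000001' created
""".splitlines()

if __name__ == "__main__":
    for line_no, kind, indicator, in_window in hunt(SAMPLE):
        state = {True: "in window", False: "before window", None: "undated"}[in_window]
        print(f"line {line_no}: {kind} {indicator} ({state})")
```

Undated hits are returned with `in_window` set to `None` rather than dropped, since a file listing carries no date the window check can use.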