PAN-OS CVE-2026-0300 — active exploitation ongoing; wave 2 patch builds delayed to 2026-05-28 [SINGLE-SOURCE: Palo Alto PSIRT]

If you did nothing this week: Palo Alto PAN-OS managed firewalls running eight specific build trains remain on mitigation-only posture through 2026-05-28. This CWE-787 buffer overflow in GlobalProtect Gateway is under active exploitation per CISA KEV. Audit for rogue admin accounts created by the attacker before applying wave 2 patches, as installation may overwrite implant artefacts.

Wave 1 patched builds (available 2026-05-13) cover most build trains; wave 2 (12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7) are scheduled for 2026-05-28. PAN-OS is widely deployed in Swiss cantonal and federal perimeter networks. No status change from W20 end — the wave 2 schedule is unchanged.