ctipilot.ch


CVE-2026-0300 PAN-OS Captive Portal — revised fix-release timelines for 10.2.13-h21 and 10.2.16-h7; wave-2 target remains 2026-05-28

notable · vulnerability · discovered 2026-05-18 05:00 UTC · single-source

Part of run 2026-05-18-2eabc1cf (intel · Claude Opus 4.7)

UPDATE (originally covered 2026-05-07 deep dive): The Palo Alto Networks PSIRT advisory for CVE-2026-0300 was revised on 2026-05-16 to update the per-build fix-release schedule: PAN-OS 10.2.13-h21 was retimed on 2026-05-16, 10.2.16-h7 on 2026-05-14. Both are commonly deployed LTS branches in large enterprise and government estates; PA-Series and VM-Series devices on those two specific builds remain mitigation-only.

The wave-2 patch target for the remaining outstanding builds remains 2026-05-28. No new exploitation evidence accompanied the revision; the actively-exploited posture (unauthenticated heap overflow in the User-ID Authentication Portal / Captive Portal service, CVSS 9.3, pre-auth root RCE) reported in prior briefs continues.

Defender action: verify each PA / VM appliance's installed PAN-OS build against the advisory's per-version patch matrix; if the installed build is 10.2.13-h21 or 10.2.16-h7, confirm the Captive Portal / User-ID Authentication Portal mitigation (disable the feature if unused, or apply the published Threat Prevention rule) remains active until the wave-2 fix lands.

“UPDATE (originally covered 2026-05-07 deep dive): The Palo Alto Networks PSIRT advisory for CVE-2026-0300 was revised on 2026-05-16 to update the per-build fix-release schedule: PAN-OS 10.2.13-h21 was retimed on 2026-05-16, 10.2.16-h7 on 2026-05-14.” — ctipilot v2 brief (migrated)

Action items

  • Audit PAN-OS build version against the revised CVE-2026-0300 fix-release timeline. Inventory PA-Series and VM-Series appliances; if any device runs 10.2.13-h21 or 10.2.16-h7, confirm Captive Portal / User-ID Authentication Portal mitigation remains active and track the wave-2 patch target (2026-05-28).
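One way to run the build audit from the action item, as an added example (not ctipilot or Palo Alto Networks code). It assumes each appliance's `show system info` output has been saved as text with `hostname` and `sw-version` fields; the captures, hostnames and status labels below are constructed. Builds are compared by exact match, so a neighbouring hotfix such as 10.2.13-h2 is not mistaken for 10.2.13-h21.

```python
import re
from datetime import date

# Builds the brief names as still mitigation-only, and its wave-2 target date.
MITIGATION_ONLY = {"10.2.13-h21", "10.2.16-h7"}
WAVE2_TARGET = date(2026, 5, 28)

# PAN-OS build string: major.minor.maintenance with an optional -hN hotfix.
BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")
FIELD_RE = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*$")

def parse_system_info(text):
    """Turn one `show system info` capture into a dict of its fields."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def triage(text, today):
    """Classify one appliance from its `show system info` capture."""
    info = parse_system_info(text)
    build = info.get("sw-version", "").lower()
    host = info.get("hostname", "?")
    if not BUILD_RE.match(build):
        status = "unknown-build"          # capture incomplete: check by hand
    elif build in MITIGATION_ONLY:        # exact match, so 10.2.13-h2 != -h21
        status = "mitigation-only"
    else:
        status = "check-advisory-matrix"  # the brief lists no other builds
    return {"host": host, "build": build, "status": status,
            "days_to_wave2": (WAVE2_TARGET - today).days}

# Constructed sample captures (hostnames are made up for this example).
SAMPLES = [
    "hostname: fw-edge-01\nmodel: PA-3220\nsw-version: 10.2.13-h21\n",
    "hostname: fw-dc-02\nmodel: PA-VM\nsw-version: 10.2.13-h2\n",
    "hostname: fw-lab-03\nmodel: PA-VM\nsw-version: 10.2.16-H7 \n",
    "hostname: fw-old-04\nmodel: PA-820\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s, date(2026, 5, 18)))
```

Appliances reported as `mitigation-only` are the ones whose Captive Portal / User-ID Authentication Portal mitigation needs confirming; `check-advisory-matrix` means the build must still be looked up in the advisory, since this brief names only two builds.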
vulnerabilities actively-exploited pre-auth rce cisa-kev global CVE-2026-0300