Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
30APR

CISA deadline for PAN-OS RCE lands four days early

3 min read
08:16UTC

CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalogue on 6 May with a 9 May federal deadline. Palo Alto Networks will not ship a patch until 13 May, the first documented instance of a KEV deadline arriving before the vendor fix exists.

TechnologyDeveloping
Key takeaway

A KEV deadline arriving four days before the vendor patch exposes the compliance programme's foundational assumption.

CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalogue on Wednesday 6 May, setting a federal remediation deadline of Saturday 9 May.1 The flaw is an unauthenticated remote code execution (RCE) vulnerability in Palo Alto Networks PAN-OS firewalls, carrying a Common Vulnerability Scoring System (CVSS) score of 9.3 and triggered by a crafted packet to the User-ID Authentication Portal (the captive portal used for guest-network access).2 Palo Alto's own advisory states first patches will not ship until Wednesday 13 May, four days after the federal deadline.3 That four-day gap is without documented precedent in the KEV programme's history.

Federal Chief Information Security Officers face a binary. They can restrict the User-ID portal to trusted zones and disable Response Pages (the official mitigation), or they can document non-compliance. Neither constitutes a patch. The compliance machinery the programme runs on was built on the implicit assumption that a vendor fix precedes or accompanies a KEV listing. That assumption has now failed in writing, for the first time.

CISA's three-day remediation cadence, applied to Cisco Catalyst SD-WAN Manager in April and embedded in the multi-agency deadline doctrine from the IOC advisory , appears to have been applied reflexively here, without accounting for a case where no fix yet exists. Private-sector organisations that use KEV listings as a contractual service-level basis face the same structural problem in their procurement and insurance frameworks. The deadline lands on paper regardless of whether the vendor has shipped.

Deep Analysis

In plain English

CISA is the US government agency that tells federal departments which software flaws to fix, and by when. When a flaw appears on its KEV list, government agencies must fix it by the deadline or formally document why they cannot. In this case, CISA set a 9 May deadline for a critical flaw in Palo Alto's PAN-OS firewall software. But Palo Alto itself said it would not have the fix ready until 13 May. That is four days after the deadline. This has never happened before on record. Agencies are legally required to patch but physically cannot, because the patch does not exist. The only option is to apply a workaround, not a fix, and document that. The case exposes a gap in how the rules are written: the rules assumed the vendor would always have a patch ready by the time the deadline was set.

Deep Analysis
Root Causes

CISA's KEV programme operates on a policy assumption that is now exposed in print: that a vendor will have shipped, or will ship within hours, a patch for any vulnerability already under active exploitation. The Binding Operational Directive 22-01 (November 2021) sets no minimum patch-availability criterion before a deadline can be issued.

The underlying structural cause is a co-ordination gap between CISA's KEV publication pipeline and vendor patch release cycles. Large enterprise vendors such as Cisco and Fortinet have structured CERT relationships with CISA that create informal pre-publication alignment. Palo Alto Networks has such a relationship, but the CVE-2026-0300 timeline suggests the patch schedule was not factored into the deadline-setting process before publication.

The second cause is the legal architecture of KEV itself: it is a federal mandate, not a recommendation. Agencies cannot defer or document-and-skip without formal non-compliance record. The programme was designed for accountability, not flexibility, and that design leaves no compliant path when the vendor fix does not exist.

What could happen next?
  • Precedent

    CISA will be under pressure to add a vendor-patch-availability check to the KEV publication workflow, which may slow future KEV additions for complex enterprise products.

    Short term · 0.7
  • Risk

    Private-sector organisations using KEV as a contractual SLA face ambiguous insurance posture for the nine days between the deadline and the patch ship date.

    Immediate · 0.8
  • Consequence

    Federal CISOs must now maintain a documented record of deadline-before-patch non-compliance, which creates a legally visible audit trail that future administrations or inspectors general may scrutinise.

    Medium term · 0.75
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

CISA· 8 May 2026
Read original
Causes and effects
This Event
CISA deadline for PAN-OS RCE lands four days early
The deadline-before-patch gap exposes a structural assumption inside the KEV programme: that a federal compliance window can only be set after a vendor fix exists.
Led to
CISA gives Cisco SD-WAN three days to patch
CISA's deadline-before-patch for PAN-OS extends the three-day standard first applied to Cisco SD-WAN Manager, where the patch existed at KEV-add time.
Occurred 20 Apr 2026
Read story →
Trump proposes $707m CISA cut, 860 jobs
CISA enforcing a deadline the vendor cannot meet while operating under a proposed $707m budget cut exposes the structural limits of compliance-led cybersecurity with reduced agency capacity.
Occurred 7 Apr 2026
Read story →
Sixteen agencies put IOC extinction in print
CISA's tightening KEV deadline cadence applied to CVE-2026-0300 is the continuation of the multi-agency deadline-enforcement doctrine named in the sixteen-agency IOC extinction advisory.
Occurred 23 Apr 2026
Read story →
WebLogic flaw revived as ransomware vector
The PAN-OS case saw a federal deadline land before the vendor's own patch existed (ID:3122); the WebLogic deadline follows the same KEV-enforcement-ahead-of-remediation pattern, here with a 21-day window rather than negative days.
Occurred 1 Jun 2026
Read story →
Arista refuses to patch KEV flaw
PAN-OS CVE-2026-0300 deadline arriving four days before the patch shipped was the first documented KEV compliance gap; Arista's formal refusal to patch is a qualitatively worse failure of the same BOD 22-01 remediation model.
Occurred 9 Jun 2026
Read story →
CISA tears up its KEV deadline rules
CISA setting a PAN-OS KEV deadline four days before the patch shipped exposed BOD 22-01's structural flaw, contributing to the decision to replace it.
Occurred 10 Jun 2026
Read story →
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.