Cybersecurity: Threats and Defences
14 June

CISA deadline for PAN-OS RCE lands four days early

11:51 UTC

CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalogue on 6 May with a 9 May federal deadline. Palo Alto Networks will not ship a patch until 13 May, the first documented instance of a KEV deadline arriving before the vendor fix exists.

Key takeaway

A KEV deadline arriving four days before the vendor patch exposes the compliance programme's foundational assumption.

CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalogue on Wednesday 6 May, setting a federal remediation deadline of Saturday 9 May.[1] The flaw is an unauthenticated Remote Code Execution (RCE) vulnerability in Palo Alto Networks PAN-OS firewalls, carrying a Common Vulnerability Scoring System (CVSS) score of 9.3 and triggered by a crafted packet to the User-ID Authentication Portal (the captive portal used for guest-network access).[2] Palo Alto's own advisory states that the first patches will not ship until Wednesday 13 May, four days after the federal deadline.[3] That four-day gap is without documented precedent in the KEV programme's history.

Federal Chief Information Security Officers face a binary choice. They can restrict the User-ID portal to trusted zones and disable Response Pages (the official mitigation), or they can document non-compliance. Neither constitutes a patch. The compliance machinery the programme runs on was built on the implicit assumption that a vendor fix precedes or accompanies a KEV listing. That assumption has now failed in writing, for the first time.

CISA's three-day remediation cadence, applied to Cisco Catalyst SD-WAN Manager in April and embedded in the multi-agency deadline doctrine from the IOC advisory, appears to have been applied reflexively here, without accounting for a case where no fix yet exists. Private-sector organisations that use KEV listings as a contractual service-level basis face the same structural problem in their procurement and insurance frameworks. The deadline lands on paper regardless of whether the vendor has shipped.

Deep Analysis

In plain English

CISA is the US government agency that tells federal departments which software flaws to fix, and by when. When a flaw appears on its KEV list, government agencies must fix it by the deadline or formally document why they cannot. In this case, CISA set a 9 May deadline for a critical flaw in Palo Alto's PAN-OS firewall software. But Palo Alto itself said it would not have the fix ready until 13 May. That is four days after the deadline. This has never happened before on record. Agencies are legally required to patch but physically cannot, because the patch does not exist. The only option is to apply a workaround, not a fix, and document that. The case exposes a gap in how the rules are written: the rules assumed the vendor would always have a patch ready by the time the deadline was set.

Root Causes

CISA's KEV programme operates on a policy assumption that is now exposed in print: that a vendor will have shipped, or will ship within hours, a patch for any vulnerability already under active exploitation. The Binding Operational Directive 22-01 (November 2021) sets no minimum patch-availability criterion before a deadline can be issued.

The underlying structural cause is a co-ordination gap between CISA's KEV publication pipeline and vendor patch release cycles. Large enterprise vendors such as Cisco and Fortinet have structured CERT relationships with CISA that create informal pre-publication alignment. Palo Alto Networks has such a relationship, but the CVE-2026-0300 timeline suggests the patch schedule was not factored into the deadline-setting process before publication.

The second cause is the legal architecture of KEV itself: it is a federal mandate, not a recommendation. Agencies cannot defer or document-and-skip without a formal non-compliance record. The programme was designed for accountability, not flexibility, and that design leaves no compliant path when the vendor fix does not exist.
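The co-ordination gap described above is something an organisation can check for itself rather than discover at the deadline. The script below is an added illustration, not code from the article or from CISA: it reads the KEV feed (the field names cveID, vendorProject, product, dateAdded and dueDate are those of CISA's published known_exploited_vulnerabilities.json) and compares each due date against a hand-maintained vendor patch calendar, flagging entries where only a workaround plus a documented non-compliance record is possible. The feed sample and the patch calendar are constructed; the CVE-2026-0300 dates are the ones reported in the article, and the second entry is a placeholder.

```python
"""Flag KEV entries whose federal due date precedes the vendor patch date.

Added example (not the article's or CISA's code). KEV field names follow
CISA's known_exploited_vulnerabilities.json; the patch calendar is a table an
organisation would populate from vendor advisories.
"""
import json
from datetime import date

# Constructed sample of the KEV feed. CVE-2026-0300 dates are those the
# article reports; the second entry is a placeholder with a patch already out.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks",
     "product": "PAN-OS", "dateAdded": "2026-05-06", "dueDate": "2026-05-09"},
    {"cveID": "CVE-0000-PLACEHOLDER", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dateAdded": "2026-05-06", "dueDate": "2026-05-27"},
]})

# Constructed vendor patch calendar (ISO dates). Missing key = no date published.
PATCH_AVAILABLE = {
    "CVE-2026-0300": "2026-05-13",         # first-patch date from the advisory cited above
    "CVE-0000-PLACEHOLDER": "2026-05-06",  # hypothetical: fix shipped at disclosure
}

def load_kev_entries(feed_json: str) -> list[dict]:
    """Parse the KEV feed, keeping only the fields this triage needs."""
    keep = ("cveID", "vendorProject", "product", "dateAdded", "dueDate")
    return [{k: v[k] for k in keep} for v in json.loads(feed_json)["vulnerabilities"]]

def triage(entry: dict, patch_calendar: dict) -> dict:
    """Classify one KEV entry against the vendor patch date.

    window_days: the remediation window CISA granted (dateAdded -> dueDate).
    gap_days: positive when the patch lands after the deadline, i.e. the
    number of days in which workaround-and-document is the only option.
    """
    added, due = date.fromisoformat(entry["dateAdded"]), date.fromisoformat(entry["dueDate"])
    result = {"status": "patch-date-unknown", "window_days": (due - added).days, "gap_days": None}
    patch_iso = patch_calendar.get(entry["cveID"])
    if patch_iso is not None:
        result["gap_days"] = (date.fromisoformat(patch_iso) - due).days
        result["status"] = "deadline-before-patch" if result["gap_days"] > 0 else "patch-before-deadline"
    return result

def report(feed_json: str, patch_calendar: dict) -> dict:
    """Map each cveID in the feed to its triage result."""
    return {e["cveID"]: triage(e, patch_calendar) for e in load_kev_entries(feed_json)}

if __name__ == "__main__":
    for cve, r in report(KEV_FEED_JSON, PATCH_AVAILABLE).items():
        print(f"{cve}: {r['status']} (window {r['window_days']}d, gap {r['gap_days']})")
```

Entries with status deadline-before-patch are the ones for which the compliance record has to be opened before the fix exists, which is exactly the condition the article argues BOD 22-01 never anticipated.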

What could happen next?
  • Precedent

    CISA will be under pressure to add a vendor-patch-availability check to the KEV publication workflow, which may slow future KEV additions for complex enterprise products.

    Short term · 0.7
  • Risk

    Private-sector organisations using KEV as a contractual SLA face ambiguous insurance posture for the nine days between the deadline and the patch ship date.

    Immediate · 0.8
  • Consequence

    Federal CISOs must now maintain a documented record of deadline-before-patch non-compliance, which creates a legally visible audit trail that future administrations or inspectors general may scrutinise.

    Medium term · 0.75
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

CISA · 8 May 2026
Causes and effects
The deadline-before-patch gap exposes a structural assumption inside the KEV programme: that a federal compliance window can only be set after a vendor fix exists.
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.