THE DEEP TAKE

Federal patch deadline beat the patch

Last Wednesday, CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog. The bug is a buffer overflow in the User-ID Authentication Portal of Palo Alto's PAN-OS firewalls: unauthenticated, root code execution, CVSS 9.3 when the portal is internet-exposed. Federal mitigation deadline: May 9.

Palo Alto's first patch ships May 13. Four days after the deadline.

This is not a paperwork mismatch. It is the explicit new model. CISA is no longer waiting for vendor fixes before locking in a remediation deadline. When exploitation is confirmed, the deadline lands on disclosure day and the burden shifts to the operator to mitigate: restrict access to the portal, disable Captive Portal, and isolate the firewall management plane. The patch becomes a follow-up step, not the remediation event.

Layer that on top of what was reported the same week. CISA leadership is reportedly debating cutting the standard KEV deadline from two-to-three weeks down to three days, with AI-assisted exploitation named as the rationale. The PAN-OS case is the policy ahead of the announcement: three days, with patches still pending. Federal deadlines just stopped being a function of vendor patch cadence.

For a CIO or CISO, the second-order read is operational, not regulatory. Mitigation playbooks for actively-exploited vulnerabilities used to be a sidebar, written for the rare case where vendor fixes lagged. They are now the front of the workflow. The question to answer this quarter, not next: which actively-exploited products in your stack have written, tested, currently-deployable mitigation procedures that do not require a vendor patch? For internet-facing appliances such as firewalls, ADCs, identity portals, and MFTs, the answer needs to exist before the next CISA add, not after.

Two specific implications. First, the procurement question on every internet-facing security appliance shifts. "When can the vendor patch?" was the operational SLA. The new SLA is "what is the documented mitigation when there is no patch?" Second, change-management policy needs updating. If a firewall management plane has to be restricted or a captive portal turned off in 24 hours, that is not a routine change, but it also cannot route through a normal CAB cycle. Pre-approve the playbook for KEV adds on internet-facing products, or accept that the deadline will move faster than the change ticket. The PAN-OS bug will eventually get patched; the expectation it sets will not reverse. Treat KEV adds on internet-exposed enterprise software as incidents that begin with mitigation and end with patching, in that order.

Powered by the DoGood network

The data in this issue came from priority submissions by 5,000+ enterprise IT leaders. If you run IT or security at a $100M+ company and want to see what your peers are funding — and earn rewards for participating in vetted meetings with the vendors worth your time — apply to join DoGood.

QUICK HITS

Medtronic's class action clock reset to days

Medtronic confirmed a corporate breach on April 24. By the morning of May 7, six federal class actions had been filed in Minnesota: negligence, failure to protect PII and PHI, plaintiffs including patients on the company's cardiac devices. The breach itself, attributed to ShinyHunters, exposed roughly 9 million records. The newsworthy part is not the count. It is the velocity of the legal response. Two weeks ago a hospital-adjacent breach measured legal exposure in months. The post-breach playbook now compresses faster than the incident response one. If you run a $100M+ healthcare or medtech operation, the IR runbook needs an updated row: counsel and class-action posture briefed within 72 hours of disclosure, not 30 days.

MuddyWater hid a state operation inside a ransomware brand

Rapid7 published research this week showing that the Iranian threat group MuddyWater ran a recent intrusion campaign disguised as Chaos ransomware, using Microsoft Teams social engineering for initial access and persistence. The pattern matters because attribution drives response. A "Chaos ransomware incident" gets an insurance call, a recovery vendor, and a payment decision tree. A nation-state intrusion gets a different containment posture, different counsel, different disclosure path. If your IR playbook is still triggered by ransomware-family identification, the next state actor can buy itself days of response delay just by branding the staging directory. Add an explicit attribution-confidence step before the playbook branches.

Physical access control became IT's privilege escalation

CISA reissued an advisory May 5 for CVE-2026-21661, a DLL hijacking flaw in Johnson Controls' CEM AC2000 access control software. It takes a standard user to SYSTEM on the front-desk PC and affects CEM 10.6, 11.0, and 12.0. CEM AC2000 runs at government, military, data center, and enterprise campus deployments. The point is not the bug, which is a routine search-order issue. The point is the asset class. Physical security software lives on Windows hosts, runs at high privilege, and is rarely scoped into the standard endpoint security review. Pull a list of every physical-security and badging application currently running in your environment and confirm which ones are on the EDR's allowlist and which are running unmonitored.

THE NUMBER: 3

Three days. The window CISA gave federal agencies to mitigate the PAN-OS zero-day (KEV add May 6, deadline May 9) on a vulnerability whose patch does not ship until May 13. The number worth remembering is not the vulnerability count or the exposed firewall installs; it is the fact that the federal deadline is now decoupled from the patch. Three days is the new operational baseline for actively-exploited internet-facing software. Plan for it as a recurring event, not an outlier. Whichever team in your organization owns "what we do when there is no patch yet" is now on the critical path.
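One way to operationalize the "what we do when there is no patch yet" question from the sections above, as an added example that is not the brief's own code: it reads KEV entries using the public catalog's JSON field names, measures the add-to-due window against the three-day baseline, and flags products in a constructed asset inventory that have neither a patch nor a tested mitigation playbook. The inventory and the CVE-EXAMPLE identifiers are constructed; only the PAN-OS dates are the ones the brief reports.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (real field names);
# entry one uses the brief's dates for CVE-2026-0300, the other IDs are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks",
     "product": "PAN-OS", "dateAdded": "2026-05-06", "dueDate": "2026-05-09"},
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleADC", "dateAdded": "2026-05-06", "dueDate": "2026-05-09"},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "OtherVendor",
     "product": "NotInOurStack", "dateAdded": "2026-05-04", "dueDate": "2026-05-25"},
]})

# Constructed inventory keyed by (vendorProject, product): can we patch today,
# and is a tested no-patch mitigation playbook on file?
INVENTORY = {
    ("Palo Alto Networks", "PAN-OS"): {"patch_available": False, "playbook": True},
    ("ExampleVendor", "ExampleADC"): {"patch_available": False, "playbook": False},
}

def remediation_window(entry):
    """Days CISA allowed between the KEV add and the federal due date."""
    added, due = (date.fromisoformat(entry[k]) for k in ("dateAdded", "dueDate"))
    return (due - added).days

def action_for(asset):
    """Patch if we can; otherwise the playbook is the remediation event."""
    if asset["patch_available"]:
        return "patch within window"
    if asset["playbook"]:
        return "run mitigation playbook now"
    return "GAP: no patch and no mitigation playbook"

def triage(kev_json, inventory, today, short_window=3):
    """Return the KEV entries that hit our stack, most urgent first (today is ISO)."""
    findings = []
    for e in json.loads(kev_json)["vulnerabilities"]:
        asset = inventory.get((e["vendorProject"], e["product"]))
        if asset is None:  # not in our stack: nothing to do
            continue
        window = remediation_window(e)
        days_left = (date.fromisoformat(e["dueDate"]) - date.fromisoformat(today)).days
        findings.append({"cve": e["cveID"], "window_days": window,
                         "days_left": days_left,
                         "short_window": window <= short_window,
                         "action": action_for(asset)})
    # Gaps (no patch, no playbook) sort first, then the soonest due date.
    findings.sort(key=lambda f: (not f["action"].startswith("GAP"), f["days_left"]))
    return findings
```

Run against the live feed, the same function turns every KEV add into a ranked worklist where a GAP row is the change ticket to pre-approve before the next deadline, not after.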

Firewall and identity-portal hygiene moved up the priority list inside the DoGood network this week. The teams ahead of this curve already had the mitigation playbook written. The rest will write it now or after the next KEV add.

The CXO Brief is powered by the DoGood network, 5,000+ IT leaders sharing what they are actually working on.

Know a CIO who needs this? Forward it and they can subscribe here.

Enterprise IT leader at a $100M+ company? Apply to join DoGood.
