CISA set May 9, 2026 as the hard deadline for Federal Civilian Executive Branch agencies to remediate CVE-2026-0300, the critical PAN-OS vulnerability that enables unauthenticated remote code execution as root and has been under active exploitation since before May 6. Palo Alto Networks has now confirmed that full patches are targeted for May 13, meaning the CISA deadline has passed without a patch being available.

Until the patches ship, agencies and organizations must rely on interim mitigations: restricting the User-ID Authentication Portal to trusted internal zones only, or disabling the portal entirely if it is not required.

The shift in status from "no patch, deadline approaching" to "deadline passed, patches still days away" raises the urgency for any organization running affected PAN-OS versions. Threat actors are actively exploiting this vulnerability in the wild, and its inclusion in CISA's KEV catalog, combined with the missed patch window, makes network-level controls and portal disablement the only viable short-term defenses. Patch to the May 13 release as soon as it ships.