A three-CVE chain in Cisco Catalyst SD-WAN Manager, Controller, and Validator enables unauthenticated root access across all deployment types, including FedRAMP. One component of the chain was exploited by threat actor UAT-8616 before public disclosure, with activity dating back to at least 2023. As of June 11, 2026, patches are incomplete across most affected release trains, no workarounds exist, and a CISA Emergency Directive (ED-26-03) mandates immediate federal agency remediation. Any organization running Cisco Catalyst SD-WAN must treat this as a network infrastructure emergency, not a standard patch cycle item.