Three chained CVEs in Cisco Catalyst SD-WAN Controller, Manager, and Validator allow an unauthenticated remote attacker to escalate to root and push unauthorized configuration changes across an entire SD-WAN fabric. Cisco PSIRT has confirmed exploitation across multiple customer deployments since at least 2023, and CISA issued Emergency Directive 26-03 mandating federal agency remediation. All deployment models are affected, including FedRAMP.