Three chained zero-days in Cisco Catalyst SD-WAN were actively exploited against a communications service provider, giving the attackers root-level access across the Manager (vManage), Controller (vSmart), and Validator (vBond) components. The attack chain combined an authentication bypass, privilege escalation, and malicious file upload with systematic anti-forensic log deletion, which limited defenders’ ability to establish the scope of the compromise. Any organization running Cisco Catalyst SD-WAN in a service provider or enterprise WAN context should treat this as an active threat requiring immediate management-plane lockdown and patch application.