A sophisticated threat actor chained three zero-day vulnerabilities across Cisco Catalyst SD-WAN Manager, Controller, and Validator to achieve root-level access at a communications service provider, with exploitation confirmed at least two months before public disclosure. Post-exploitation included hidden root account creation, anti-forensic cleanup, and server-side implant deployment consistent with APT-tier operational discipline. Organizations running Cisco Catalyst SD-WAN in service provider or enterprise environments must treat this as a potential active compromise, not merely a patching event.