a zero-day vulnerability in cisco sd-wan (cve-2026-20245) was actively exploited to gain root-level access at major cloud service providers, with attackers creating rogue network peering, escalating privileges, establishing hidden accounts, and deploying anti-forensic techniques before mandiant was brought in to investigate. this is not a theoretical disclosure but an active, confirmed breach with sophisticated operational security by the attacker — the anti-forensic layer suggests a threat actor focused on persistence and deniability, not ransomware. sd-wan is backbone network fabric across enterprise and csp environments; root-level access with rogue peering means the attacker could silently route or inspect traffic.