
Cisco SD-WAN 0-Day: What MSPs Should Do Now

ID: 7292d166-7eac-5d31-89ec-3bb1ea7c70f4

STIX ID: report--7292d166-7eac-5d31-89ec-3bb1ea7c70f4

Feed Name: WatchGuard Secplicity Blog

Threat Score: 88/100

Date Published: 2026-03-10

Date Updated: 2026-05-01

Author: The Editor


This report reviews three high-risk themes: (1) an actively exploited CVSS 10.0 authorization bypass in Cisco Catalyst SD-WAN controllers that enables privileged access and potential root persistence (attributed to a China-based actor); (2) a multi-package NPM supply-chain worm that harvests secrets, uses GitHub Actions for propagation, and contains AI-targeted prompt injection and destructive failsafes; and (3) a coordinated developer-targeting campaign that uses fake job interviews hosted on Bitbucket to execute attacker JavaScript (via VS Code/workspace automation and other paths) and deploy in-memory loaders and backdoors. The report provides IOCs, hunting guidance, and operational mitigation recommendations.
