What happened
Cisco has released security updates addressing a high-severity denial-of-service vulnerability in Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO), tracked as CVE-2026-20188, that can be exploited remotely by unauthenticated attackers to crash targeted systems. Recovery requires a manual reboot, with no automated recovery path available. Cisco’s PSIRT is not aware of active exploitation at the time of publication.
The flaw stems from inadequate rate limiting on incoming network connections and can be triggered through low-complexity attacks that exhaust available connection resources, rendering CNC and NSO unresponsive to legitimate users and dependent services. Cisco has described the exploitation path as requiring no authentication and no user interaction.
Fixed releases are available for CNC version 7.2 and NSO versions 6.4.1.3 and 6.5. CNC versions 7.1 and earlier and NSO versions 6.3 and earlier require migration to a fixed release rather than an in-place patch. Cisco CNC simplifies multivendor network management and automation across large enterprise and service provider environments, while NSO provides orchestration for network device and resource management.
Cisco has previously patched several DoS vulnerabilities that were later exploited in attacks, including two flaws in ASA and FTD firewalls that were used in zero-day attacks before being leveraged to force devices into reboot loops, and vulnerabilities in Secure Email appliances and IOS XR routers that required manual intervention to recover.
Who is affected
Large enterprises and service providers running Cisco CNC or NSO in affected version ranges are directly exposed. Given these platforms’ roles as central automation and orchestration hubs for network management, a successful DoS attack could disrupt network operations across all devices and services managed through them until manual recovery is completed.
Why CISOs should care
A DoS vulnerability requiring manual reboot to recover from is operationally significant beyond a typical availability issue, particularly in CNC and NSO environments where the affected systems manage or orchestrate other network devices. Taking the orchestration layer offline forces manual management of downstream infrastructure, compounding the operational impact. In large service provider environments, that recovery burden can span many hours.
Cisco’s history with similar DoS vulnerabilities being exploited after initial disclosure also warrants attention. The ASA and FTD precedent, where patched vulnerabilities were later chained into active attack campaigns, suggests that organizations running unpatched CNC and NSO instances should treat this as a priority remediation even without current exploitation evidence.
3 practical actions
- Apply Cisco’s available patches immediately for CNC and NSO within affected version ranges: Upgrade CNC to version 7.2 and NSO to 6.4.1.3 or 6.5 using the full remediation path recommended by Cisco. Versions 7.1 and earlier for CNC and 6.3 and earlier for NSO require migration rather than a simple update, so plan accordingly.
- Restrict network access to CNC and NSO management interfaces as an interim control: Since the vulnerability is exploitable by unauthenticated remote attackers, network-level access controls that allow connection attempts to the affected services only from trusted networks reduce the exploitable attack surface while patching is underway.
- Develop a manual recovery runbook for CNC and NSO DoS scenarios: The requirement for manual reboot means an automated recovery path does not exist. Ensure operations teams have a documented procedure for identifying a DoS condition on these platforms, escalating appropriately, and executing a controlled recovery without compounding the disruption to dependent network services.
