Cisco released security updates to fix a Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO) denial-of-service (DoS) vulnerability that requires manually rebooting targeted systems for recovery.
Large enterprises and service providers leverage the CNC software suite to simplify multivendor network management and operations handling with automation, while the NSO orchestration platform helps them manage network devices and resources.
Tracked as CVE-2026-20188, this high-severity security flaw stems from inadequate rate limiting on incoming network connections and can be exploited remotely by unauthenticated threat actors to crash unpatched Cisco CNC and Cisco NSO systems through low-complexity attacks.
“A successful exploit could allow the attacker to exhaust available connection resources, causing Cisco CNC and Cisco NSO to become unresponsive and resulting in a DoS condition for legitimate users and dependent services. A manual reboot of the system is required to recover from this condition,” Cisco explained in a Wednesday advisory.
“To fully remediate this vulnerability and avoid future exposure as described in this advisory, Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.”
While CVE-2026-20188 can be abused to permanently crash targeted systems until manual intervention, Cisco’s Product Security Incident Response Team (PSIRT) is not aware of ongoing exploitation.
| Cisco CNC Release | First Fixed Release |
|---|---|
| 7.1 and earlier | Migrate to a fixed release. |
| 7.2 | Not vulnerable. |
| Cisco NSO Release | First Fixed Release |
|---|---|
| 6.3 and earlier | Migrate to a fixed release. |
| 6.4 | 6.4.1.3 |
| 6.5 | Not vulnerable. |
CVE-2026-20188 has not been exploited in the wild yet, but Cisco has previously patched other DoS vulnerabilities that were exploited in attacks.
For instance, in November 2025, it warned that two security flaws (CVE-2025-20362 and CVE-2025-20333) previously exploited in zero-day attacks were now being used to force ASA and FTD firewalls into reboot loops.
In September, when Cisco patched the two vulnerabilities, CISA issued an emergency directive ordering federal agencies to secure their Cisco firewalls against attacks using this exploit chain within 24 hours.
Cisco also addressed vulnerabilities (CVE-2022-20653 and CVE-2024-20401) that could allow attackers to permanently crash Secure Email appliances using maliciously crafted email messages.
The company advised customers at the time to contact its Technical Assistance Center (TAC) to have them brought back online, as this required manual intervention.
Last year, Cisco patched another DoS vulnerability (CVE-2025-20115) that allowed attackers to crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
