Last updated: May 14, 2026 at 10:49 AM UTC

Cisco network management products have a flaw that lets attackers crash them remotely - victims need to manually reboot the device to recover (CVE-2026-20188)

Cisco patched a high-severity denial-of-service flaw, CVE-2026-20188, in Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) that lets unauthenticated remote attackers exhaust connection resources and force the system into an unresponsive state. Recovery requires a manual reboot. Cisco's PSIRT has not seen exploitation in the wild yet, but Cisco previously patched similar DoS bugs (CVE-2025-20362, CVE-2025-20333) that ended up being weaponized to force ASA and FTD firewalls into reboot loops, which CISA addressed with an emergency directive in November 2025.

Check
Inventory Cisco CNC and Cisco NSO instances. Check whether their management interfaces are reachable from untrusted networks. Set up monitoring alerts for connection-resource exhaustion on these systems.
Affected
Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) running unpatched versions are affected by CVE-2026-20188, rated high severity. The DoS condition requires a manual reboot to recover, so a successful attack creates extended outages. Service-provider and enterprise customers using Cisco network orchestration are in scope.
Fix
Upgrade Cisco CNC and NSO to fixed versions per Cisco's advisory. Restrict management interfaces to trusted internal networks. Implement rate limiting at the network edge to throttle connection attempts to CNC/NSO ports. Document recovery procedures including console access for manual reboot - a remote-only management plan fails if the box itself becomes unreachable.