Cisco Crosswork, NSO DoS Vulnerability (CVE-2026-20188)
A critical denial-of-service (DoS) vulnerability, CVE-2026-20188, impacts Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO), according to the National Vulnerability Database. This flaw stems from inadequate rate-limiting on incoming network connections, allowing an unauthenticated, remote attacker to exhaust connection resources.
Exploiting this vulnerability involves an attacker sending a flood of connection requests. Success renders Cisco CNC and NSO unresponsive, disrupting legitimate users and dependent services. The National Vulnerability Database highlights that recovery from this condition necessitates a manual system reboot, underscoring the severe operational impact. The CVSS score for CVE-2026-20188 is 7.5 (High).
This isn’t just a nuisance; it’s an operational paralysis. For organizations relying on Cisco’s network orchestration, this DoS isn’t a theoretical risk—it’s a direct route to network outages. Attackers are looking for low-effort, high-impact vectors, and a simple connection flood that forces a manual reboot is exactly that. Defenders need to prioritize patching or mitigation strategies immediately.
What This Means For You
- If your organization utilizes Cisco Crosswork Network Controller or Cisco Network Services Orchestrator, you must address CVE-2026-20188 immediately. This vulnerability allows an unauthenticated attacker to take down critical network infrastructure, requiring manual intervention to restore service. Assess your exposure, implement any available vendor guidance, and review network edge controls for rate-limiting capabilities.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-20188 - Cisco Crosswork/NSO Excessive Connection Attempts
title: CVE-2026-20188 - Cisco Crosswork/NSO Excessive Connection Attempts
id: scw-2026-05-06-ai-1
status: experimental
level: high
description: |
Detects a high volume of connection attempts to Cisco Crosswork Network Controller (CNC) or Network Services Orchestrator (NSO) on port 443, indicated by a 503 Service Unavailable status code. This is indicative of an attempt to exploit CVE-2026-20188 by overwhelming the system with connection requests, leading to a denial of service.
author: SCW Feed Engine (AI-generated)
date: 2026-05-06
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-20188/
tags:
- attack.impact
- attack.t1499
logsource:
category: webserver
detection:
selection:
src_ip:
- '0.0.0.0/0'
dst_port:
- '443'
sc-status:
- '503'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-20188 | DoS | Cisco Crosswork Network Controller (CNC) - inadequate rate-limiting on incoming network connections |
| CVE-2026-20188 | DoS | Cisco Network Services Orchestrator (NSO) - inadequate rate-limiting on incoming network connections |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 06, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
NanoClaw Container Vulnerability Allows Arbitrary File Access, Recursive Deletion
CVE-2026-7875 — NanoClaw contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read...
CVE-2026-42503: gopls Vulnerability Exposes Dev Environments to RCE
CVE-2026-42503 — gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value...
CVE-2026-23870: High-Severity DoS Flaw in React Server Components
CVE-2026-23870 — A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server...