Cisco has published a security advisory for CVE-2026-20188, a high-severity denial-of-service vulnerability in the Crosswork Network Controller and NSO (Network Services Orchestrator) platforms. The vulnerability allows an unauthenticated remote attacker to permanently disable the affected device by exhausting connection-handling resources. There is no self-recovery mechanism: the platform must be manually rebooted, with physical access to the server, to restore service.
About the Affected Products
Cisco Crosswork Network Controller is an intent-based networking automation platform used by service providers and large enterprise networks to automate network configuration, manage network services, and implement zero-touch provisioning. It provides the central control plane for large-scale network automation.
Cisco NSO (Network Services Orchestrator) — formerly Tail-f NCS — is a multi-vendor network automation and orchestration platform widely deployed by telecommunications carriers and managed service providers. NSO automates service provisioning across heterogeneous network infrastructure from multiple vendors.
Both platforms occupy a critical position in the network infrastructure they manage: a disrupted Crosswork or NSO deployment prevents automated network changes, breaks service provisioning workflows, and may cascade to affect network operations at scale.
Vulnerability Details
CVE-2026-20188 affects the connection handling layer of both platforms. An unauthenticated attacker who can reach the management interface can send a sequence of specially crafted connection requests that exhaust the platform’s connection pool. Unlike typical resource exhaustion attacks, the vulnerable code path does not release exhausted connection slots even after the attacking requests terminate — resulting in a permanent resource exhaustion state that persists until the process (or device) is restarted.
The self-recovery failure is the defining characteristic of this vulnerability. Most DoS attacks are survivable via automated watchdog recovery mechanisms, load balancer failover, or automatic process restart. CVE-2026-20188 produces a permanently degraded state that requires manual physical intervention — a significant operational consideration for platforms deployed in unmanned data centres or remote points of presence.
No authentication is required to trigger the condition. The vulnerability is exploitable by any network-reachable host.
Affected Versions and Patch
Cisco has released patches via the standard software update channels. Affected versions include:
- Cisco Crosswork Network Controller 3.x and 4.x prior to the patch release
- Cisco NSO versions prior to 6.2.7 and 6.3.x prior to 6.3.3
Apply the applicable update. For service providers with SLA obligations tied to network automation availability, coordinate the maintenance window with operations teams.
Immediate mitigation: Restrict access to the Crosswork and NSO management interfaces to authorised management network IP ranges. Neither platform’s management interface needs to be reachable from the internet, so firewall rules should block external access to the management API and UI ports (default TCP/443 and TCP/2022 for NSO NETCONF). If access is already restricted to trusted management networks, exposure is significantly reduced, but patching remains required.
Operational Implications
For organisations running service provider or large enterprise networks:
Service continuity impact: A DoS against Crosswork or NSO does not directly disrupt existing network paths (routing and forwarding continue independently) but prevents any automated network changes during the outage. In dynamic environments where NSO provisions customer services or manages BGP configuration, the operational impact of a prolonged outage can be significant.
Physical recovery requirement: If the management interface is exposed and this vulnerability is exploited, recovery requires physical access to restart the affected server. For platforms hosted in co-location facilities or remote data centres, this may mean extended outage windows while access is arranged.
The Cisco security advisory should be reviewed against your deployment topology. Confirm whether your Crosswork or NSO management plane is accessible only from restricted management network addresses, and apply the patch within your normal critical-security-update timelines.
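The access check described under "Immediate mitigation" and in the paragraph above, as an added example that is not taken from Cisco's advisory or from this article: it scans flow records for TCP connections to the management ports (443 and 2022) that originate outside the authorised management ranges. The management ranges, controller addresses, sample records and the four-field record format are constructed assumptions.

```python
import ipaddress

# Assumptions for illustration (not from the advisory): authorised management
# ranges and the addresses of the Crosswork / NSO hosts.
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.0/28")]
CONTROLLERS = {"10.20.0.10": "crosswork", "10.20.0.11": "nso"}
MGMT_PORTS = {443, 2022}  # management API/UI and NSO NETCONF ports named above

# Constructed sample flow records, one per line: "src dst dport proto".
SAMPLE_FLOWS = """\
10.20.0.55 10.20.0.11 2022 tcp
203.0.113.7 10.20.0.11 2022 tcp
198.51.100.23 10.20.0.10 443 tcp
10.20.0.60 10.20.0.10 443 tcp
203.0.113.7 10.20.0.11 22 tcp
172.16.5.4 10.20.0.10 443 udp
truncated-record 10.20.0.10
"""


def find_exposure(flow_text):
    """Return (findings, skipped): management-port connections from outside
    MGMT_NETS, and the count of records that could not be parsed."""
    findings, skipped = [], 0
    for line in flow_text.splitlines():
        parts = line.split()
        try:
            src, dst, dport, proto = parts
            src_ip, port = ipaddress.ip_address(src), int(dport)
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        if proto.lower() != "tcp" or dst not in CONTROLLERS or port not in MGMT_PORTS:
            continue  # not a TCP connection to a controller management port
        if not any(src_ip in net for net in MGMT_NETS):
            findings.append((CONTROLLERS[dst], src, port))
    return findings, skipped


if __name__ == "__main__":
    hits, bad = find_exposure(SAMPLE_FLOWS)
    for platform, src, port in hits:
        print(f"EXPOSED {platform}: {src} reached TCP/{port}")
    print(f"{bad} unparseable record(s) skipped")
```

Any finding means the firewall restriction is not in effect for that source. Unparseable records are counted rather than silently dropped, so a gap in the flow data is not mistaken for a clean result.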