{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/network-services-orchestrator/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Crosswork Network Controller","Network Services Orchestrator"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","cisco","network"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) are susceptible to a denial-of-service (DoS) vulnerability due to inadequate rate-limiting on incoming network connections. Exploitation involves an unauthenticated, remote attacker sending a large number of connection requests to an affected system. This can exhaust available connection resources, rendering Cisco CNC and Cisco NSO unresponsive, leading to a DoS condition for legitimate users and dependent services. Recovery requires a manual reboot of the affected system. Cisco has released software updates to address this vulnerability, and no workarounds are available. This vulnerability is identified as CVE-2026-20188.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Cisco Crosswork Network Controller or Network Services Orchestrator instance exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes multiple TCP connections to the targeted system.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a high volume of connection requests to the targeted system over the established connections.\u003c/li\u003e\n\u003cli\u003eThe targeted system inadequately rate-limits the incoming connection requests.\u003c/li\u003e\n\u003cli\u003eThe flood of connection requests exhausts the available connection resources on the system.\u003c/li\u003e\n\u003cli\u003eCisco CNC and Cisco NSO become unresponsive due to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eLegitimate users and dependent services experience a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe system requires a manual reboot to restore normal operation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition, rendering Cisco Crosswork Network Controller and Cisco Network Services Orchestrator unresponsive. Legitimate users are unable to access the services, and dependent services are disrupted. Recovery requires a manual reboot of the affected system, leading to downtime and potential data loss. The scope of impact depends on the criticality of CNC and NSO within the affected network infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest software updates provided by Cisco to patch CVE-2026-20188 on all affected Cisco Crosswork Network Controller and Cisco Network Services Orchestrator instances.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to Cisco Crosswork Network Controller and Cisco Network Services Orchestrator using the \u0026quot;Cisco NSO/CNC Excessive Connections\u0026quot; Sigma rule to detect potential DoS attacks.\u003c/li\u003e\n\u003cli\u003eImplement rate-limiting mechanisms on network devices and firewalls to restrict the number of connections from a single source IP address to Cisco Crosswork Network Controller and Cisco Network Services Orchestrator.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any suspicious IP addresses identified by the \u0026quot;Cisco NSO/CNC Single Source Connections\u0026quot; Sigma rule exhibiting unusually high connection attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T12:00:00Z","date_published":"2026-05-07T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cisco-nso-dos/","summary":"An unauthenticated remote attacker can cause a denial-of-service condition on Cisco Crosswork Network Controller and Network Services Orchestrator by exhausting connection resources via a high volume of connection requests.","title":"Cisco Crosswork Network Controller and Network Services Orchestrator Connection Exhaustion Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-05-cisco-nso-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Network Services Orchestrator","version":"https://jsonfeed.org/version/1.1"}