CybersecurityVulnerability Management

Cisco Discloses High-Severity DoS Flaw Requiring Manual Reboot

Analyst 207||Source: BleepingComputer
Network equipment setup with a large router or switch on a rack, surrounded by cables and gear.

"A successful exploit could allow the attacker to exhaust available connection resources, causing Cisco CNC and Cisco NSO to become unresponsive and resulting in a DoS condition for legitimate users and dependent services. A manual reboot of the system is required to recover from this condition," Cisco explained in a Wednesday advisory.

CVE-2026-20188: the technical fault and its immediate risk

The newly disclosed vulnerability, tracked as CVE-2026-20188, stems from inadequate rate limiting on incoming network connections. According to Cisco, an unauthenticated attacker can exploit the weakness remotely and with low complexity to exhaust available connection resources. The consequence is a denial-of-service (DoS) condition in which targeted Cisco Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO) systems become unresponsive and require a manual reboot to restore normal operation.

Cisco rates the flaw as high severity and emphasizes that upgrading to the fixed software listed in its advisory is the recommended route to fully remediate the issue and avoid future exposure.

Cisco Crosswork Network Controller and Network Services Orchestrator: why these products matter

Large enterprises and service providers use the Crosswork Network Controller software suite to simplify multivendor network management and to automate network operations. Cisco NSO, the Network Services Orchestrator, manages network devices and resources across vendor lines. The advisory frames the vulnerability in the context of these platforms’ roles: when controllers and orchestrators are forced unresponsive, dependent services and the users that rely on them are directly affected.

Cisco's remediation guidance and current exploitation status

Cisco's Product Security Incident Response Team (PSIRT) said it is not aware of active exploitation of CVE-2026-20188 in the wild. Nonetheless, the company "strongly recommends that customers upgrade to the fixed software indicated in this advisory" to fully remediate the vulnerability and prevent future exposure. The advisory highlights that recovery from a successful exploit requires a manual system reboot.

Recent history: prior DoS flaws and operational impact

The advisory situates this disclosure against several recent Cisco DoS incidents. In November 2025, Cisco warned that two vulnerabilities — CVE-2025-20362 and CVE-2025-20333 — had been used in zero-day attacks that forced ASA and FTD firewalls into reboot loops. When those vulnerabilities were patched in September, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal agencies to secure their Cisco firewalls against the exploit chain within 24 hours.

Cisco also previously patched vulnerabilities (CVE-2022-20653 and CVE-2024-20401) that could permanently crash Secure Email appliances using crafted email messages; customers were advised at the time to contact Cisco's Technical Assistance Center (TAC) for manual recovery. Last year Cisco patched CVE-2025-20115, a DoS that allowed an attacker to crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message. Those precedents underscore the operational reality that some DoS flaws require human intervention to restore services.

What this means for technologists, large enterprises, and procurement leaders

  • Technologists and security teams: The immediate priority is identification of affected CNC and NSO instances and installation of the fixed software Cisco specifies. Because recovery from an exploited condition requires a manual reboot, incident response playbooks must account for controlled restarts and potential service interruptions.
  • Large enterprises and service providers: Organizations that rely on CNC and NSO for multivendor orchestration should evaluate exposure windows, schedule upgrades in maintenance windows, and prepare for manual intervention if an incident occurs. The advisory’s reminder that unauthenticated remote attacks are low complexity elevates the risk profile for production deployments accessible to untrusted networks.
  • Procurement and operations planners: The recurrence of Cisco DoS patches that have required manual recovery — across firewalls, email appliances, and routers — reinforces the need to factor direct operational costs and recovery procedures into vendor risk assessments and service-level planning.

For now, Cisco reports no active attacks exploiting CVE-2026-20188, but the advisory’s specifics — unauthenticated remote abuse, low attack complexity, and mandatory manual reboot for recovery — make this a practical, near-term operational concern for any organization running Crosswork CNC or NSO. The immediate action Cisco prescribes is straightforward: upgrade to the fixed software the company lists and be prepared to manually reboot systems if an exploit renders them unresponsive.

Original story: New Cisco DoS flaw requires manual reboot to revive devices — BleepingComputer

CiscoEmerging ThreatsNetwork SecurityDenial Of ServiceHigh-Severity VulnerabilityNetwork VulnerabilityCVE-2026-20188Dos FlawManual Reboot
Related Intelligence

Continue Reading

Close-up of a smartphone's circuit board with blurred background, components out of focus.

BootROM Exploit Targets Millions of iPhones

Millions of iPhones are vulnerable to a newly discovered BootROM exploit, known as "usbliter8", that can't be fixed with software updates because it's embedded in the device's hardware. This means iPhones with A12 and A13 processors will be at risk for the rest of their lifespan.

Analyst 207
Blurred laptop screen on office table surrounded by coworkers.

AI Agents Emerge as Unchecked Identities in Enterprise Security

The equation for enterprise security is no longer simple: with AI agents now connected to critical business services, controlling identities is no longer enough to control risk. These emerging insiders have quietly become privileged - and potentially invisible - attack paths that security and identity programs must urgently address.

Analyst 207
Security analysts work at computer workstations and a large wall screen in a brightly-lit operations center.

AI Shifts Threat Management from Reactive to Proactive Stance

With a sprawling security stack of 40+ tools, enterprise teams are drowning in overlapping alerts and manual handoffs, leaving gaping holes for adversaries to exploit. This disjointed approach leaves teams scrambling to respond to threats, with attackers enjoying a lengthy 43-day window to wreak havoc.

Analyst 207
Windows desktop with Recycle Bin open, showing a file and a confirmation dialog with a partially obscured filename.

Microsoft Updates Trigger Recycle Bin Filename Glitch

Microsoft just revealed a frustrating glitch in the Recycle Bin that displays a confusing filename when you permanently delete an item, showing a cryptic code instead of the file's original name. Luckily, the issue only affects the deletion confirmation dialog and doesn't change the file's name in the Recycle Bin or when it's restored.

Analyst 207