Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability in the connection-handling mechanism of Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system.
This vulnerability is due to an inadequate implementation of rate-limiting on incoming network connections. An attacker could exploit this vulnerability by sending a large number of connection requests to an affected system. A successful exploit could allow the attacker to exhaust available connection resources, causing Cisco CNC and Cisco NSO to become unresponsive and resulting in a DoS condition for legitimate users and dependent services. A manual reboot of the system is required to recover from this condition.
AnalysisAI
Denial of service in Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) allows remote unauthenticated attackers to exhaust connection resources by flooding the system with connection requests, forcing a manual reboot to restore service. CVSS 7.5 (High) with network vector and no authentication required. No public exploit code identified at time of analysis, and EPSS data not available. The vulnerability stems from inadequate rate-limiting on incoming connections (CWE-400), affecting critical network orchestration infrastructure used for automation and service provisioning.
Technical ContextAI
This vulnerability affects Cisco's network orchestration platforms: Crosswork Network Controller (CNC), which automates network change management and configuration, and Network Services Orchestrator (NSO), a service lifecycle automation framework. Both products handle incoming network connections for orchestration tasks, API requests, and management operations. The root cause is classified as CWE-400 (Uncontrolled Resource Consumption), indicating the connection-handling mechanism fails to implement adequate rate-limiting or connection throttling on incoming requests. Without proper resource quotas or connection pooling limits, an attacker can trivially consume all available connection handlers, file descriptors, or memory buffers allocated for connection management. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is a network-accessible service with low attack complexity requiring no credentials, making it exploitable from the internet if these orchestration platforms are exposed.
RemediationAI
Apply vendor-released patches referenced in Cisco Security Advisory cisco-sa-nso-dos-7Egqyc available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-dos-7Egqyc. The advisory will specify exact fixed versions for both Crosswork Network Controller and Network Services Orchestrator - consult the Fixed Software section for your deployment. Until patching is complete, implement network-layer compensating controls: deploy rate-limiting on upstream firewalls or load balancers to restrict connection attempts per source IP (recommended: 10-50 connections per minute per source, adjust based on legitimate traffic patterns), place CNC and NSO behind VPN or bastion hosts accessible only from trusted management networks, implement IP allowlisting to restrict access to known administrator source addresses, and configure connection timeout values at network edge to prevent connection exhaustion. Deploy network monitoring to detect abnormal connection spikes as early warning of exploitation attempts. Note that aggressive rate-limiting may impact legitimate automation workflows during high-activity periods - test limits in staging environments. Network isolation provides the strongest mitigation but may require architecture changes for organizations with distributed orchestration requirements.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27860