Skip to content

Cisco IOS CVE-2008-4128 CSRF KEV exploitation

Summary

CISA added CVE-2008-4128 to the Known Exploited Vulnerabilities catalog on July 13, 2026. The entry covers multiple cross-site request forgery flaws in Cisco IOS 12.4 that can let a remote attacker execute arbitrary commands through crafted requests to privileged HTTP management URIs.

The durable signal is not novelty of the bug; it is the exploitation pressure against obsolete Cisco IOS 12.4 exposure. Treat any reachable IOS HTTP management interface on legacy branches as an edge-device compromise risk, especially where browser-accessible management sessions may exist for administrators.

Tags

Why this matters

  • CISA's KEV entry states that Cisco IOS 12.4 contains multiple CSRF vulnerabilities allowing remote attackers to execute arbitrary commands via show privilege and alias exec command paths under /level/15/exec/- and /level/15/exec/-/configure/http.
  • Cisco IOS 12.4 is obsolete, so remediation may require migration, replacement, management-plane isolation, or decommissioning rather than a routine in-place update.
  • The KEV due date is July 16, 2026 under CISA BOD 26-04. For defenders outside US federal scope, use that as an urgency signal for exposed network infrastructure.
  • Exploitation of router or switch management planes can support credential theft, configuration tampering, traffic interception, pivoting, persistence, or staging for later intrusion activity.

Defender heuristics

  1. Inventory Cisco IOS devices, identify any IOS 12.4 systems, and verify whether HTTP/HTTPS management is enabled.
  2. Remove public exposure for router/switch web management immediately. Restrict management to dedicated admin networks or VPN paths with explicit allow lists.
  3. Apply Cisco-supported mitigations or move off obsolete IOS 12.4 trains. If no safe mitigation exists, replace or retire the device.
  4. Review AAA logs, syslog, configuration archives, and command accounting for unexpected privilege checks, alias changes, HTTP management access, new local users, SNMP changes, boot variable changes, or ACL/routing modifications.
  5. Preserve current and prior running/startup configurations before cleanup where compromise is suspected; compare against known-good baselines.
  6. Rotate credentials and keys that traversed or administered the device if management-plane compromise cannot be ruled out.

Sources

  • CISA KEV catalog: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  • Cisco IOS Software Releases 12.4 Mainline obsolete release page: https://www.cisco.com/c/en/us/obsolete/ios-nx-os-software/cisco-ios-software-releases-12-4-mainline.html
  • NVD CVE-2008-4128: https://nvd.nist.gov/vuln/detail/CVE-2008-4128