Cisco IOS CVE-2008-4128 CSRF KEV exploitation
Summary
CISA added CVE-2008-4128 to the Known Exploited Vulnerabilities catalog on July 13, 2026. The entry covers multiple cross-site request forgery flaws in Cisco IOS 12.4 that can let a remote attacker execute arbitrary commands through crafted requests to privileged HTTP management URIs.
The durable signal is not novelty of the bug; it is the exploitation pressure against obsolete Cisco IOS 12.4 exposure. Treat any reachable IOS HTTP management interface on legacy branches as an edge-device compromise risk, especially where browser-accessible management sessions may exist for administrators.
Tags
- ops
- operations
- vulnerability
- active exploitation
- CISA KEV
- Cisco
- Cisco IOS
- Cisco IOS 12.4
- CVE-2008-4128
- CWE-352
- cross-site request forgery
- CSRF
- network infrastructure exploitation
- edge device
- command execution
- obsolete software
Why this matters
- CISA's KEV entry states that Cisco IOS 12.4 contains multiple CSRF vulnerabilities allowing remote attackers to execute arbitrary commands via
show privilegeandalias execcommand paths under/level/15/exec/-and/level/15/exec/-/configure/http. - Cisco IOS 12.4 is obsolete, so remediation may require migration, replacement, management-plane isolation, or decommissioning rather than a routine in-place update.
- The KEV due date is July 16, 2026 under CISA BOD 26-04. For defenders outside US federal scope, use that as an urgency signal for exposed network infrastructure.
- Exploitation of router or switch management planes can support credential theft, configuration tampering, traffic interception, pivoting, persistence, or staging for later intrusion activity.
Defender heuristics
- Inventory Cisco IOS devices, identify any IOS 12.4 systems, and verify whether HTTP/HTTPS management is enabled.
- Remove public exposure for router/switch web management immediately. Restrict management to dedicated admin networks or VPN paths with explicit allow lists.
- Apply Cisco-supported mitigations or move off obsolete IOS 12.4 trains. If no safe mitigation exists, replace or retire the device.
- Review AAA logs, syslog, configuration archives, and command accounting for unexpected privilege checks, alias changes, HTTP management access, new local users, SNMP changes, boot variable changes, or ACL/routing modifications.
- Preserve current and prior running/startup configurations before cleanup where compromise is suspected; compare against known-good baselines.
- Rotate credentials and keys that traversed or administered the device if management-plane compromise cannot be ruled out.
Related pages
- Cisco Catalyst SD-WAN Manager CVE-2026-20245 / CVE-2026-20262 exploitation
- UAT-7810 LONGLEASH ORB network expansion
- JDY SOHO / IoT reconnaissance botnet
- Arista EOS CVE-2026-7473 tunnel decapsulation exploitation
Sources
- CISA KEV catalog: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- Cisco IOS Software Releases 12.4 Mainline obsolete release page: https://www.cisco.com/c/en/us/obsolete/ios-nx-os-software/cisco-ios-software-releases-12-4-mainline.html
- NVD CVE-2008-4128: https://nvd.nist.gov/vuln/detail/CVE-2008-4128