SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2008-4128 2026-07-13

Cisco IOS CSRF Flaw (CVE-2008-4128) Added to CISA KEV After Active Exploitation

"An 18-year-old cross-site request forgery weakness in the Cisco IOS 12.4 HTTP administration component has been added to CISA's Known Exploited Vulnerabilities catalog, with confirmed active exploitation and a July 16…"

An 18-year-old cross-site request forgery weakness in the Cisco IOS 12.4 HTTP administration component has been added to CISA's Known Exploited Vulnerabilities catalog, with confirmed active exploitation and a July 16, 2026 remediation deadline.

What Is It

CVE-2008-4128 is a set of multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component of Cisco IOS 12.4, originally published in September 2008. Classified as CWE-352 (Cross-Site Request Forgery), the flaw lets remote attackers execute arbitrary commands by tricking an authenticated user into submitting crafted requests; specifically a "show privilege" command to the /level/15/exec/- URI, and an "alias exec" command to the /level/15/exec/-/configure/http URI.

Why It Matters

CISA's SSVC assessment marks exploitation status as active, and the vulnerability was added to the KEV catalog on July 13, 2026, confirming real-world abuse. Because the flaws target the privilege-level-15 exec interface, successful exploitation can run arbitrary device commands. NVD carries two scores: a CVSS v2 base of 9.3 (HIGH, complete confidentiality/integrity/availability impact) and a CVSS v3.1 base of 4.3 (MEDIUM). The v3.1 vector requires user interaction, consistent with the CSRF attack pattern in which a victim must be lured into submitting the crafted request.

What's Vulnerable

The affected surface is the router's HTTP-based administration interface.

Patch Status

Cisco IOS 12.4 mainline is now an obsolete/end-of-life software release. CISA's required action is to apply mitigations per vendor instructions in compliance with BOD 26-04 ("Prioritizing Security Updates Based on Risk") and CISA's Forensics Triage Requirements. Where mitigations are unavailable, CISA directs stakeholders to follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product. Organizations must evaluate each asset's internet exposure. The remediation due date is July 16, 2026. Known ransomware campaign use is listed as Unknown.

Sources