18-Year-Old Cisco IOS Vulnerability Actively Exploited, Added to CISA’s KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2008-4128, an 18-year-old Cross-Site Request Forgery (CSRF) vulnerability in Cisco IOS 12.4, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation. The flaw, first disclosed in 2008, affects the HTTP management interface of legacy Cisco devices, allowing attackers to execute arbitrary commands with privilege-level 15 access effectively granting full administrative control.
The vulnerability can be exploited through two attack vectors:
- A crafted "show privilege" command sent to the /level/15/exec/- URI
- A malicious "alias exec" command injected via the /level/15/exec/-/configure/http URI
Since the flaw abuses the trust placed in an authenticated administrator’s browser session, attackers can trick logged-in users into submitting forged requests without needing direct credential theft.
CISA’s inclusion of CVE-2008-4128 in the KEV catalog on July 13, 2026, with a remediation deadline of July 16, 2026, highlights the ongoing risk posed by unpatched legacy infrastructure. Federal agencies and aligned organizations must act within a three-day window to mitigate exposure, per Binding Operational Directive (BOD) 26-04.
The resurgence of this vulnerability underscores a persistent challenge: outdated Cisco IOS devices, often deemed "stable" or business-critical, are frequently deprioritized in patch cycles, making them prime targets for attackers scanning for exposed HTTP management interfaces. While it remains unclear whether the flaw has been used in ransomware campaigns, organizations are advised to disable the HTTP server feature if unused, restrict access via ACLs, enforce HTTPS with strong authentication, and audit configurations for signs of exploitation.
Source: https://cyberpress.org/18-year-old-cisco-ios-vulnerability-exploited/
Cisco TPRM report: https://www.rankiteo.com/company/cisco
"id": "cis1784025731",
"linkid": "cisco",
"type": "Vulnerability",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Organizations using legacy '
'Cisco IOS 12.4 devices with '
'HTTP management interface '
'enabled',
'industry': 'Information Technology',
'name': 'Cisco',
'type': 'Technology/Networking'}],
'attack_vector': ["crafted 'show privilege' command sent to the "
'/level/15/exec/- URI',
"malicious 'alias exec' command injected via the "
'/level/15/exec/-/configure/http URI'],
'date_publicly_disclosed': '2008',
'description': 'The U.S. Cybersecurity and Infrastructure Security Agency '
'(CISA) has added CVE-2008-4128, an 18-year-old Cross-Site '
'Request Forgery (CSRF) vulnerability in Cisco IOS 12.4, to '
'its Known Exploited Vulnerabilities (KEV) catalog after '
'confirming active exploitation. The flaw affects the HTTP '
'management interface of legacy Cisco devices, allowing '
'attackers to execute arbitrary commands with privilege-level '
'15 access, effectively granting full administrative control.',
'impact': {'operational_impact': 'Full administrative control of affected '
'devices',
'systems_affected': 'Cisco IOS 12.4 devices with HTTP management '
'interface enabled'},
'lessons_learned': 'The resurgence of this vulnerability underscores the '
'persistent challenge of unpatched legacy infrastructure, '
'which is often deprioritized in patch cycles, making them '
'prime targets for attackers.',
'post_incident_analysis': {'root_causes': 'Unpatched legacy Cisco IOS 12.4 '
'devices with exposed HTTP '
'management interfaces'},
'recommendations': ['Disable the HTTP server feature if unused',
'Restrict access via ACLs',
'Enforce HTTPS with strong authentication',
'Audit configurations for signs of exploitation'],
'references': [{'source': 'CISA KEV Catalog'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA KEV catalog '
'inclusion (July 13, '
'2026)',
'Binding Operational '
'Directive (BOD) '
'26-04']},
'response': {'containment_measures': ['Disable the HTTP server feature if '
'unused',
'Restrict access via ACLs',
'Enforce HTTPS with strong '
'authentication',
'Audit configurations for signs of '
'exploitation']},
'title': '18-Year-Old Cisco IOS Vulnerability Actively Exploited, Added to '
'CISA’s KEV Catalog',
'type': 'Cross-Site Request Forgery (CSRF)',
'vulnerability_exploited': 'CVE-2008-4128'}