The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that attackers are actively exploiting CVE-2008-4128, a cross-site request forgery (CSRF) vulnerability affecting Cisco IOS versions 12.4(12) and 12.4(4).
This vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog on July 13, 2026, underscoring that even legacy networking flaws can pose security risks years after being disclosed.
Federal civilian executive branch agencies have been mandated to implement necessary mitigations by July 16, 2026, under Binding Operational Directive 22-040.
Cisco IOS is widely utilized in enterprise routers, switches, and other network infrastructure. Devices exposed to the internet or operating with outdated configurations may provide entry points for attackers seeking to gain control of network environments.
CVE-2008-4128 is categorized under CWE-352, which addresses CSRF vulnerabilities. CSRF attacks occur when a victim with an authenticated browser session is deceived into visiting a malicious webpage or opening attacker-controlled content.
This specific flaw affects the web management functionality of Cisco IOS, allowing an attacker to use specially crafted requests to make an authenticated administrator’s browser unknowingly send commands to a targeted Cisco IOS device.
Decades-Old Cisco IOS Flaw Exploited
According to the CVE description, this issue can enable remote attackers to execute arbitrary commands via crafted requests that involve the “show privilege” command and the “/level/15/exec/-” URI.
Another potential attack vector involves sending an alias exec command through the “/level/15/exec/-/configure/http” URI. Successful exploitation relies on an administrator being authenticated to the device’s web interface and interacting with malicious content from the attacker.
If exploited, the flaw could allow an attacker to alter router or switch settings, create command aliases, modify HTTP configurations, or otherwise disrupt network operations.
CISA did not publicly identify the threat actor, attack campaign, or exploitation method behind the active use of CVE-2008-4128, and it noted that the vulnerability is not currently known to have been exploited in ransomware campaigns.
Organizations should immediately review their Cisco IOS assets and identify systems running affected versions. Security teams are advised to apply Cisco’s recommended mitigations and follow CISA’s risk-based remediation guidance.
Where patches or mitigations are unavailable, organizations should consider removing affected devices from service. They should also evaluate whether administrative interfaces are accessible from the internet, restrict web management access to trusted networks, and disable unnecessary HTTP or HTTPS services.
Administrators should avoid browsing untrusted websites while logged in to network device management portals. Additionally, organizations should review logs and configurations for unauthorized command aliases, unusual HTTP configuration changes, and unexpected privilege-related activity.
The inclusion of CVE-2008-4128 in the KEV Catalog highlights a persistent operational challenge: old vulnerabilities can become newly dangerous when unsupported devices, weak exposure controls, or long-lived administrative interfaces remain in active use.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.