[KEV] CVE-2008-4128 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2008-4128 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2008-4128 is a cross-site request forgery (CSRF) vulnerability in Cisco IOS 12.4 that allows remote attackers to execute arbitrary commands through the device's HTTP-based management interface.
Technical Detail
The flaw exists in the Cisco IOS HTTP server, specifically in how it processes requests to privileged URI paths including /level/15/exec/- and /level/15/exec/-/configure/http. An attacker can craft malicious HTTP requests that, when triggered by an authenticated administrator's browser session, execute commands such as "show privilege" or "alias exec" at privilege level 15 without requiring direct authentication. Successful exploitation grants the attacker the ability to issue privileged IOS commands, effectively enabling full device configuration control equivalent to administrative access.
Exploitation Status
The exploit maturity for this vulnerability is rated Operational, meaning functional exploit code exists and has been demonstrated in practice beyond proof-of-concept. CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on July 13, 2026. Despite the vulnerability's age, its presence in the KEV catalog indicates it is being actively leveraged against unpatched infrastructure.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations are available in current intelligence holdings for this CVE.
What To Do
Per CISA's Known Exploited Vulnerabilities binding directive, federal agencies are required to patch or apply mitigations by the deadline associated with the July 13, 2026 KEV listing. Organizations running Cisco IOS 12.4 should upgrade to a patched IOS release immediately. As an interim workaround, disable the IOS HTTP server entirely if web-based management is not operationally required, using the no ip http server and no ip http secure-server commands. If HTTP management must remain enabled, restrict access to the management interface using access control lists that limit HTTP server access to trusted administrative hosts only. Detection should focus on anomalous HTTP requests to /level/15/exec/ URI paths in web server logs, particularly originating from unexpected source addresses or user agents.