Skip to content
Actively exploitedCVSS 4.3 · MEDIUM

CVE-2008-4128

Cisco IOS 12.4 contains multiple cross-site forgery vulnerabilities that allows remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI.

View on NVD

Analysis

Las vulnerabilidades de CSRF en el componente de administración HTTP de Cisco IOS permiten a atacantes remotos ejecutar comandos arbitrarios en routers de la serie 871. Este fallo está incluido en el catálogo KEV de CISA debido a que está siendo explotado activamente para comprometer la infraestructura de red.

Relevant roles

HardwareCyberSecurityBackendCloud

Severity

Score: 4.3(MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: REQUIRED
S: UNCHANGED
C: LOW
I: NONE
A: NONE
Weakness (CWE): CWE-352

CISA KEV

Added to KEV: 2026-07-13
Federal patch deadline: 2026-07-16
Known ransomware use: Unknown
Required action

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

EPSS

Probability of exploitation (next 30 days): 0.1204 (12.0%)
Percentile: 95.6%
EPSS: 2026-07-13

Affects

cisco:ioscisco:871_integrated_services_router

Technical description

Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component in Cisco IOS 12.4 on the 871 Integrated Services Router allow remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI. NOTE: some of these details are obtained from third party information.

Published: 9/18/2008, 8:00:00 PM
Last modified: 7/13/2026, 7:12:50 PM

References

HomeEventsBlogResourcesTeam