Skip to content
Activamente explotadaCVSS 4.3 · MEDIUM

CVE-2008-4128

Cisco IOS 12.4 contains multiple cross-site forgery vulnerabilities that allows remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI.

Ver en NVD

Análisis

Las vulnerabilidades de CSRF en el componente de administración HTTP de Cisco IOS permiten a atacantes remotos ejecutar comandos arbitrarios en routers de la serie 871. Este fallo está incluido en el catálogo KEV de CISA debido a que está siendo explotado activamente para comprometer la infraestructura de red.

Roles relevantes

HardwareCyberSecurityBackendCloud

Severidad

Puntaje: 4.3(MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: REQUIRED
S: UNCHANGED
C: LOW
I: NONE
A: NONE
Tipo de falla (CWE): CWE-352

CISA KEV

Agregada al KEV: 2026-07-13
Fecha límite federal: 2026-07-16
Uso conocido en ransomware: Unknown
Acción requerida

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

EPSS

Probabilidad de explotación (próx. 30 días): 0.1204 (12.0%)
Percentil: 95.6%
EPSS: 2026-07-13

Afecta

cisco:ioscisco:871_integrated_services_router

Descripción técnica

Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component in Cisco IOS 12.4 on the 871 Integrated Services Router allow remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI. NOTE: some of these details are obtained from third party information.

Publicada: 18/9/2008, 20:00:00
Última modificación: 13/7/2026, 19:12:50

Referencias

InicioEventosBlogRecursosEquipo