CVE-2008-4128 — Cisco IOS Cross-Site Request Forgery Vulnerability

CVE-2008-4128

Cisco IOS — HTTP Administrative Interface CSRF Enabling Privilege-15 Command Execution

What is Cisco IOS?

Cisco IOS is the operating system that runs on the vast majority of Cisco's routers and switches, including many devices still deployed at the network edge of small businesses, branch offices, and service-provider customer premises. Beyond command-line access over SSH or Telnet, IOS optionally exposes an HTTP/HTTPS administrative interface (enabled via the ip http server or ip http secure-server global configuration commands) that lets administrators view status and push configuration changes from a web browser. Because that HTTP interface sits directly on the management plane of the device, any flaw in how it authorizes requests can translate directly into full device takeover — making it a long-standing, high-value target for scanning and exploitation against legacy Cisco hardware that is still internet-facing.

Overview

Cisco IOS 12.4 contains multiple cross-site request forgery (CSRF) vulnerabilities in its HTTP administrative interface. A device with ip http server (or ip http secure-server) enabled and an administrator with an active authenticated HTTP session is vulnerable to forged requests that execute privilege-level-15 (highest privilege) EXEC and configuration commands without the administrator's knowledge or consent.

CVE-2008-4128 covers two related forgery paths:

  1. A crafted show privilege command sent to the /level/15/exec/- URI, which discloses the current session's privilege level and can be chained with other requests to confirm admin-level access has been achieved.
  2. A crafted alias exec command sent to the /level/15/exec/-/configure/http URI, which can define a new EXEC alias — effectively allowing the attacker to inject arbitrary IOS commands that execute under the victim administrator's already-authenticated session.

Because the HTTP server does not require any additional token or origin check beyond the existing session cookie, any page the logged-in administrator's browser loads — including one hosted by an unrelated, malicious third party — can silently submit these requests on the administrator's behalf.

This CVE was originally published in 2008 and is now over 18 years old. Its addition to the CISA KEV catalog in July 2026 was accompanied by a joint CISA/FBI/NSA advisory, AA26-194A, attributing exploitation to Russian government-sponsored actors targeting poorly configured and vulnerable networking devices across critical infrastructure sectors worldwide.

Affected Versions

Product Vulnerable Fixed
Cisco IOS 12.4 mainline releases with ip http server/ip http secure-server enabled Cisco IOS 12.4 releases patched per cisco-sa-20081001-http; migrate off 12.4 mainline entirely (EoL)

Cisco IOS 12.4 mainline reached end-of-life and end-of-support years ago; Cisco no longer produces security fixes for it. The only durable remediation for internet-facing devices still running 12.4 is migration to a supported IOS/IOS XE release train.

Technical Details

  • Root cause: The HTTP administrative interface authorizes requests solely based on an active session cookie, with no anti-CSRF token, no origin/referer validation, and no re-authentication step for privileged actions (CWE-352: Cross-Site Request Forgery).
  • Attack vector: Network, but requires user interaction — the victim administrator must be authenticated to the device's HTTP interface and have their browser load attacker-controlled content (a malicious webpage, an email with an embedded image tag, a forum post, etc.) while that session is live.
  • Privileges required: None from the attacker's perspective — the forged request rides on the administrator's existing session and privilege level (typically level 15, the highest).
  • Complexity: Low. A single crafted HTML page containing an auto-submitting form or image tag pointed at the vulnerable URIs is sufficient; no chaining with other vulnerabilities is required.
  • Impact: Successful exploitation lets an attacker execute arbitrary EXEC-mode commands with the administrator's privilege level, up to and including full configuration changes, credential harvesting, or defining a backdoor alias for further command injection.

Discovery

CVE-2008-4128 (alongside the closely related CVE-2008-4127) was disclosed by Cisco's own PSIRT as part of a coordinated advisory addressing multiple CSRF weaknesses in the IOS HTTP administrative interface, published alongside Cisco Security Advisory cisco-sa-20081001-http in 2008.

Exploitation Context

CISA added CVE-2008-4128 to the KEV catalog on July 13, 2026, the same day CISA, the FBI, and the NSA published joint advisory AA26-194A, "Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting." The advisory attributes exploitation to FSB Center 16, a Russian Federal Security Service unit also tracked in industry reporting as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra. FSB Center 16 primarily scans the internet for networking devices accepting default or weak SNMPv1/v2 community strings, then issues spoofed SNMP Set-Requests abusing the Cisco CISCO-CONFIG-COPY-MIB to copy device configurations off to attacker infrastructure over TFTP. The advisory notes the group also opportunistically exploits known CVEs in Cisco devices — including Cisco Smart Install exposure (CVE-2018-0171) and, notably, this CVE — as an alternate path into poorly maintained, internet-facing management interfaces. Affected sectors called out in the advisory include communications, defense, energy, financial services, government, and healthcare. No ransomware use has been reported in connection with this CVE; the activity is consistent with state-sponsored espionage and infrastructure access rather than financially motivated crime.

Remediation

  1. Disable the HTTP administrative interface where not strictly required. Run no ip http server and no ip http secure-server on any device where web-based administration isn't actively needed — this fully closes the attack surface.
  2. Migrate off Cisco IOS 12.4 mainline. It is end-of-life and receives no further security patches; move to a currently supported IOS or IOS XE release.
  3. If the HTTP interface must remain enabled, restrict access via management-plane ACLs (ip http access-class) so it is only reachable from trusted management networks, never the public internet.
  4. Enforce administrator hygiene: avoid browsing untrusted sites or opening untrusted links/emails while authenticated to the device's HTTP interface, and log out of admin sessions when not actively in use.
  5. Review device logs and configuration for unexpected changes, particularly unfamiliar EXEC aliases or configuration entries, which may indicate prior CSRF-based compromise.
  6. Apply the broader router-hygiene guidance in AA26-194A, given confirmed FSB Center 16 targeting: move from SNMPv1/v2 to SNMPv3 with authPriv, eliminate default/weak community strings, disable Cisco Smart Install if unused, and block UDP 69 (TFTP) and TCP 4786 (Smart Install) at the network edge.
  7. Follow CISA BOD 26-04 guidance: evaluate this asset's internet exposure and prioritize remediation according to the July 16, 2026 deadline; if mitigations cannot be applied in time, consider taking the device offline until it can be updated or replaced.

Key Details

PropertyValue
CVE ID CVE-2008-4128
Vendor / Product Cisco — IOS
NVD Published2008-09-18
NVD Last Modified2026-07-14
CVSS 3.1 Score4.3
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
SeverityMEDIUM
CWE CWE-352 find similar ↗
CISA KEV Added2026-07-13
CISA KEV Deadline2026-07-16
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Required Action

CISA BOD 22-01 Deadline: 2026-07-16. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2008-09-18CVE published for Cisco IOS HTTP administrative interface CSRF
2026-07-13CISA, FBI, and NSA publish joint advisory AA26-194A naming this CVE among those exploited by Russian FSB Center 16; added to CISA KEV the same day
2026-07-16CISA BOD 22-01 remediation deadline