Critical (9.3) Actively Exploited

Cisco IOS CSRF grants RCE (CVE-2008-4128)

CVE-2008-4128

CVE-2008-4128: Cisco IOS 12.4 on the 871 ISR allows CSRF attacks granting remote command execution (CVSS 9.3). Actively exploited; apply vendor mitigations now.

Affected: Cisco Ios Cisco 871 Integrated Services Router

Actively exploited in the wild - CVE-2008-4128 is a critical cross-site request forgery (CSRF) vulnerability in Cisco IOS 12.4 on the 871 Integrated Services Router that lets remote attackers execute arbitrary commands on the device. No patch was released for this legacy platform; apply the workarounds below.

Overview

CVE-2008-4128 affects the HTTP Administration component of Cisco IOS 12.4 for the 871 Integrated Services Router. An attacker can craft a malicious web page that, when visited by an authenticated router administrator, silently issues HTTP requests to the router’s management interface. The vulnerability exists in two vectors: the /level/15/exec/- URI via the “show privilege” command, and the /level/15/exec/-/configure/http URI via the “alias exec” command. Both allow the attacker to execute arbitrary IOS EXEC commands without the administrator’s knowledge or consent. Given a CVSS score of 9.3 (Critical), the attack can be launched over the network with low complexity, requiring no privileges and only user interaction.

Impact

An attacker who tricks an authenticated administrator into visiting a malicious page can execute any command on the affected router, including modifying configuration, disabling security controls, extracting credentials, or pivoting to internal networks. Because the 871 ISR is commonly used as a small office or branch office gateway, a compromise can expose the entire connected network segment. The vulnerability is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The EPSS score of 12.0% indicates a high probability of continued exploitation over the next 30 days.

Remediation and Mitigation

Cisco has not released a patch for this vulnerability, as the 871 ISR reached end-of-life long ago. Affected organizations should immediately:

  • Disable the HTTP server on the router (no ip http server).
  • Use HTTPS exclusively and restrict management access to trusted IP addresses via ACLs.
  • Replace legacy 871 ISRs with a supported platform running a current IOS release.
  • Monitor router logs for unauthorized commands executed via the HTTP interface.

Security Insight

CVE-2008-4128 exemplifies the long-tail risk of legacy networking equipment still in production. Even vulnerabilities from 2008 remain viable attack vectors when devices are left unpatched and accessible from untrusted networks. This incident mirrors the broader trend of attackers targeting end-of-life infrastructure that organizations neglect to upgrade, underscoring the importance of lifecycle management and network segmentation for hard-to-replace legacy hardware. For more on current threats, see the Weekly Threat Roundup: 56M Credentials Leaked (June 15-21) and Cisco Releases Security Updates for Actively Exploited vulnerabilities.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Exploit-DB Entries

Curated public exploit code — authorized use only

The entries below are human-reviewed exploit code hosted on Exploit-DB by Offensive Security. Lower volume than random GitHub PoCs but higher signal: every entry is curated, many are tagged "verified" by the maintainers. Treat as production-ready exploit code.

Authorized use only. Run only against systems you own or have explicit written permission to test. Using exploit code against systems you do not own is illegal in most jurisdictions and violates Yazoul's terms of use.

EDB-ID Title Status
EDB-6476

Cisco Router - HTTP Administration Cross-Site Request Forgery / Command Execution (1)

verified

1 Exploit-DB entry indexed for this CVE. Source: Exploit-DB.

Related Advisories

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.