Cisco IOS CSRF grants RCE (CVE-2008-4128)
CVE-2008-4128
CVE-2008-4128: Cisco IOS 12.4 on the 871 ISR allows CSRF attacks granting remote command execution (CVSS 9.3). Actively exploited; apply vendor mitigations now.
Actively exploited in the wild - CVE-2008-4128 is a critical cross-site request forgery (CSRF) vulnerability in Cisco IOS 12.4 on the 871 Integrated Services Router that lets remote attackers execute arbitrary commands on the device. No patch was released for this legacy platform; apply the workarounds below.
Overview
CVE-2008-4128 affects the HTTP Administration component of Cisco IOS 12.4 for the 871 Integrated Services Router. An attacker can craft a malicious web page that, when visited by an authenticated router administrator, silently issues HTTP requests to the router’s management interface. The vulnerability exists in two vectors: the /level/15/exec/- URI via the “show privilege” command, and the /level/15/exec/-/configure/http URI via the “alias exec” command. Both allow the attacker to execute arbitrary IOS EXEC commands without the administrator’s knowledge or consent. Given a CVSS score of 9.3 (Critical), the attack can be launched over the network with low complexity, requiring no privileges and only user interaction.
Impact
An attacker who tricks an authenticated administrator into visiting a malicious page can execute any command on the affected router, including modifying configuration, disabling security controls, extracting credentials, or pivoting to internal networks. Because the 871 ISR is commonly used as a small office or branch office gateway, a compromise can expose the entire connected network segment. The vulnerability is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The EPSS score of 12.0% indicates a high probability of continued exploitation over the next 30 days.
Remediation and Mitigation
Cisco has not released a patch for this vulnerability, as the 871 ISR reached end-of-life long ago. Affected organizations should immediately:
- Disable the HTTP server on the router (
no ip http server). - Use HTTPS exclusively and restrict management access to trusted IP addresses via ACLs.
- Replace legacy 871 ISRs with a supported platform running a current IOS release.
- Monitor router logs for unauthorized commands executed via the HTTP interface.
Security Insight
CVE-2008-4128 exemplifies the long-tail risk of legacy networking equipment still in production. Even vulnerabilities from 2008 remain viable attack vectors when devices are left unpatched and accessible from untrusted networks. This incident mirrors the broader trend of attackers targeting end-of-life infrastructure that organizations neglect to upgrade, underscoring the importance of lifecycle management and network segmentation for hard-to-replace legacy hardware. For more on current threats, see the Weekly Threat Roundup: 56M Credentials Leaked (June 15-21) and Cisco Releases Security Updates for Actively Exploited vulnerabilities.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Exploit-DB Entries
Curated public exploit code — authorized use only
The entries below are human-reviewed exploit code hosted on Exploit-DB by Offensive Security. Lower volume than random GitHub PoCs but higher signal: every entry is curated, many are tagged "verified" by the maintainers. Treat as production-ready exploit code.
Authorized use only. Run only against systems you own or have explicit written permission to test. Using exploit code against systems you do not own is illegal in most jurisdictions and violates Yazoul's terms of use.
| EDB-ID | Title | Status |
|---|---|---|
| EDB-6476 | Cisco Router - HTTP Administration Cross-Site Request Forgery / Command Execution (1) | verified |
1 Exploit-DB entry indexed for this CVE. Source: Exploit-DB.
Related Advisories
GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration fi...
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute...
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to execute ...
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the reque...