CISA Warns Russian Hackers Are Exploiting 18-Year-Old Cisco IOS Flaw


CISA has warned that Russian state-sponsored hackers are actively exploiting CVE-2008-4128, an 18-year-old cross-site request forgery vulnerability in end-of-life Cisco IOS devices.

The flaw can let an attacker manipulate an authenticated administrator’s browser into sending commands to a vulnerable router. Successful exploitation could expose device information or make unauthorized configuration changes.

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog on July 13, 2026. The agency’s security alert directs federal agencies to complete the required remediation by July 16.

Russian FSB hackers are targeting vulnerable routers

A joint advisory from US and international cybersecurity agencies attributes the broader router campaign to Center 16 of Russia’s Federal Security Service, or FSB. Security researchers also track the group under names including Berserk Bear, Dragonfly, Ghost Blizzard, and Static Tundra.

The joint router security advisory says the hackers have targeted poorly configured and vulnerable network devices across communications, energy, defense, transportation, and other critical sectors.

The agencies identified CVE-2008-4128 and CVE-2018-0171 among the vulnerabilities previously exploited by the group. They also documented abuse of Cisco Smart Install, SNMP, and device management portals.

DetailInformation
VulnerabilityCVE-2008-4128
ProductCisco IOS 12.4 on end-of-life devices
Vulnerability typeCross-site request forgery
Affected componentHTTP Administration interface
Original disclosureSeptember 2008
KEV addition dateJuly 13, 2026
Federal remediation deadlineJuly 16, 2026
Known ransomware useNot reported by CISA

How CVE-2008-4128 works

CVE-2008-4128 affects the HTTP Administration component in Cisco IOS 12.4. The public vulnerability record specifically documents the issue on the Cisco 871 Integrated Services Router rather than across every product that has used Cisco IOS.

According to the National Vulnerability Database entry, an attacker can create a malicious request that targets commands under the privileged web management interface.

The attack requires user interaction. An administrator who has an authenticated session with the router must visit malicious content or open an attacker-controlled page that causes the browser to submit the crafted request.

  • A crafted “show privilege” request can target the /level/15/exec/- path.
  • An “alias exec” command can target the /level/15/exec/-/configure/http path.
  • The request runs through the administrator’s authenticated browser session.
  • The attack does not require the threat actor to know the administrator’s password directly.

The issue falls under CWE-352, the classification for cross-site request forgery. CSRF attacks exploit the trust that a web application places in requests sent by an authenticated browser.

Successful exploitation can change router behavior

An attacker who exploits the flaw may be able to execute commands with the administrator’s privileges. The possible impact depends on the account’s access level and the commands accepted by the vulnerable interface.

The documented command paths could allow an attacker to inspect privilege information or create command aliases. Unauthorized aliases can make later commands behave differently, support persistence, or conceal changes from administrators.

The CVE-2008-4128 record carries conflicting legacy and modern severity assessments. NVD’s older CVSS 2.0 assessment rated it 9.3, while CISA’s newer CVSS 3.1 assessment lists a 4.3 score and describes the technical impact as partial.

Neither score changes the central operational concern. CISA has evidence that attackers are exploiting the vulnerability, and the affected hardware has reached end of life.

CISA gives federal agencies a July 16 deadline

The CISA KEV entry requires federal civilian agencies to apply vendor mitigations, follow forensic triage requirements, or discontinue the product when mitigations are unavailable.

The deadline falls only three days after CISA added the vulnerability to the catalog. The short window reflects the active exploitation evidence and the risk that vulnerable network infrastructure creates for other systems.

The applicable directive is Binding Operational Directive 26-04, which took effect in June 2026. It replaced BOD 22-01 and introduced risk-based remediation requirements for vulnerabilities affecting federal systems.

CISA’s mandatory deadline applies directly to US federal civilian executive branch agencies. However, the agency strongly encourages private organizations and other public-sector entities to prioritize vulnerabilities in the KEV Catalog.

Affected Cisco devices have reached end of life

The government advisory states that CVE-2008-4128 affects end-of-life Cisco devices. Organizations should not assume that an old router remains safe simply because it continues to function.

End-of-life hardware no longer receives normal security support or software updates. If an organization cannot obtain a supported software release that removes the vulnerability, replacing the device offers the safest long-term response.

CISA’s router hygiene guidance recommends updating network device software and firmware while replacing unsupported products. It also calls for tighter controls around management protocols and device credentials.

  • Identify devices running Cisco IOS 12.4 and confirm their exact hardware models.
  • Replace routers and switches that no longer receive vendor support.
  • Disable HTTP and HTTPS management services when they are unnecessary.
  • Restrict management interfaces to trusted systems on a dedicated network.
  • Block direct internet access to administrative interfaces.
  • Use access control lists to limit SNMP and other management traffic.

Administrators should inspect devices for compromise

Applying a mitigation does not remove changes that an attacker may have already made. Security teams should inspect affected devices for unauthorized accounts, modified access control lists, unexpected command aliases, and changes to HTTP management settings.

Organizations should also review authentication records, configuration archives, SNMP activity, and outbound connections from network devices. Any unexplained configuration change should trigger a wider investigation.

The CISA KEV announcement does not link CVE-2008-4128 to ransomware. However, compromised routers can support surveillance, credential collection, traffic redirection, and access to systems deeper inside a network.

Administrators should avoid using the same browser session for network management and general web browsing. A dedicated administrative workstation or isolated browser profile reduces exposure to CSRF attacks, although it does not replace patching or hardware upgrades.

What organizations should do now

Network teams should start with a complete inventory of Cisco equipment and compare each model and software release with its current support status. Internet-facing management services require immediate attention.

Federal agencies must follow the action and deadline in the CVE-2008-4128 KEV listing. Other organizations can use the same priority because government agencies have confirmed exploitation in real attacks.

Teams responsible for federal systems should also review the remediation and evidence-preservation requirements in BOD 26-04. Where no supported fix exists, removing the vulnerable device from service may provide the only reliable resolution.

The exploitation of a vulnerability disclosed in 2008 shows how unsupported network equipment can preserve security weaknesses for years. Organizations that cannot see, update, or replace their routers leave a valuable entry point available to state-sponsored attackers.

FAQ

What is CVE-2008-4128?

CVE-2008-4128 is a cross-site request forgery vulnerability in the HTTP Administration component of Cisco IOS 12.4. It can make an authenticated administrator’s browser send unauthorized commands to a vulnerable device.

Is CVE-2008-4128 actively exploited?

Yes. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog after finding evidence of active exploitation. A joint advisory connects the related router campaign to Russia’s FSB Center 16.

Which Cisco products are affected?

Government records describe the vulnerability in Cisco IOS 12.4 and specifically document the Cisco 871 Integrated Services Router. CISA says the affected Cisco devices have reached end of life.

What is the federal remediation deadline?

Federal civilian executive branch agencies must complete the required action by July 16, 2026. They must apply available mitigations or discontinue using the affected product when mitigation is unavailable.

How can organizations reduce the risk?

Organizations should replace end-of-life devices, disable unnecessary web management services, restrict administrative access to trusted networks, update supported equipment, and inspect configurations for unauthorized changes.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages