Skip to content
You can now search across every topic, entity and event.What's new
Cisco IOS
Product

Cisco IOS

Cisco's networking device operating system.

Last refreshed: 14 July 2026 · Appears in 1 active topic

Key Question

Why is an 18-year-old Cisco IOS bug only now on CISA's actively-exploited list?

Timeline for Cisco IOS

#1014 Jul

A quiet KEV fortnight, then a 2008 bug

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
Why was an 18-year-old Cisco IOS bug added to CISA's KEV list in 2026?
CISA added CVE-2008-4128, a cross-site request forgery flaw in Cisco IOS first disclosed in 2008, to its KEV catalogue on 13 July 2026, the oldest entry this beat has tracked, indicating evidence of live exploitation despite the flaw's age.Source: event
What is Cisco IOS?
Cisco IOS is the operating system that runs on Cisco's routers and switches, first introduced in the 1980s and still widely deployed across core network infrastructure.
Has an old vulnerability been KEV-listed like this before?
Yes, a 17-year-old Microsoft Office bug was KEV-listed in April 2026, making the July 2026 Cisco IOS addition the second recent case of a decade-plus-old flaw resurfacing as an active exploitation target.Source: event

Background

Cisco IOS (Internetwork Operating System) is the software that runs on Cisco's routers and switches, controlling how network traffic is forwarded, filtered and managed. First introduced in the 1980s, it underpins a large share of the internet's core routing infrastructure and remains one of the most widely deployed network operating systems in the world.

Because IOS devices sit at network chokepoints, a vulnerability in the operating system can expose entire organisational networks rather than a single application, making patch discipline on ageing Cisco hardware a persistent concern for defenders.

On 13 July 2026, CISA added CVE-2008-4128, a cross-site request forgery flaw in Cisco IOS, to its Known Exploited Vulnerabilities catalogue, eighteen years after the bug was originally disclosed. It is the oldest entry this beat has tracked CISA ADD to the catalogue, and echoes an equally ancient 17-year-old Office bug KEV-listed in April 2026.

A flaw's addition to KEV years after disclosure typically signals that CISA has evidence of live exploitation now, not that the vulnerability is newly discovered, underscoring how long unpatched legacy network gear can remain a viable target.