
Cisco IOS
Cisco's networking device operating system.
Last refreshed: 14 July 2026 · Appears in 1 active topic
Why is an 18-year-old Cisco IOS bug only now on CISA's actively-exploited list?
Timeline for Cisco IOS
A quiet KEV fortnight, then a 2008 bug
Cybersecurity: Threats and DefencesWhy was an 18-year-old Cisco IOS bug added to CISA's KEV list in 2026?
What is Cisco IOS?
Has an old vulnerability been KEV-listed like this before?
Background
Cisco IOS (Internetwork Operating System) is the software that runs on Cisco's routers and switches, controlling how network traffic is forwarded, filtered and managed. First introduced in the 1980s, it underpins a large share of the internet's core routing infrastructure and remains one of the most widely deployed network operating systems in the world.
Because IOS devices sit at network chokepoints, a vulnerability in the operating system can expose entire organisational networks rather than a single application, making patch discipline on ageing Cisco hardware a persistent concern for defenders.
On 13 July 2026, CISA added CVE-2008-4128, a cross-site request forgery flaw in Cisco IOS, to its Known Exploited Vulnerabilities catalogue, eighteen years after the bug was originally disclosed. It is the oldest entry this beat has tracked CISA ADD to the catalogue, and echoes an equally ancient 17-year-old Office bug KEV-listed in April 2026.
A flaw's addition to KEV years after disclosure typically signals that CISA has evidence of live exploitation now, not that the vulnerability is newly discovered, underscoring how long unpatched legacy network gear can remain a viable target.