
CVE-2008-4128
An 18-year-old cross-site request forgery flaw in Cisco IOS added to CISA's KEV catalogue in July 2026.
Last refreshed: 14 July 2026 · Appears in 1 active topic
How does a cross-site request forgery bug from 2008 become an active exploitation risk in 2026?
Timeline for CVE-2008-4128
Added to the KEV catalogue eighteen years after disclosure
Cybersecurity: Threats and Defences: A quiet KEV fortnight, then a 2008 bugWhat is CVE-2008-4128?
Why did CISA add an 18-year-old CVE to its KEV catalogue?
What is the federal deadline to patch CVE-2008-4128?
Background
CVE-2008-4128 is a cross-site request forgery (CSRF) vulnerability in Cisco IOS, the operating system that runs Cisco's routers and switches. Disclosed in 2008, it allows an attacker to trick an authenticated administrator's browser into submitting unwanted commands to a vulnerable device without the administrator's knowledge, potentially altering router or switch configuration.
CSRF flaws in network device management interfaces are particularly dangerous because a successful attack can reconfigure the device that controls traffic for an entire network segment, not just a single application.
CISA added CVE-2008-4128 to its Known Exploited Vulnerabilities catalogue on 13 July 2026, with a federal remediation Deadline of 16 July, eighteen years after the flaw was first disclosed. It is the oldest CVE this beat has tracked entering KEV, echoing an equally ancient 17-year-old Office bug added in April 2026.
A KEV listing this long after disclosure means CISA has confirmed active, real-world exploitation now, which points to attackers still finding unpatched, ageing Cisco IOS deployments worth targeting despite nearly two decades of available fixes.