Skip to content
You can now search across every topic, entity and event.What's new
CVE-2008-4128
Technology

CVE-2008-4128

An 18-year-old cross-site request forgery flaw in Cisco IOS added to CISA's KEV catalogue in July 2026.

Last refreshed: 14 July 2026 · Appears in 1 active topic

Key Question

How does a cross-site request forgery bug from 2008 become an active exploitation risk in 2026?

Timeline for CVE-2008-4128

#1014 Jul

Added to the KEV catalogue eighteen years after disclosure

Cybersecurity: Threats and Defences: A quiet KEV fortnight, then a 2008 bug
View full timeline →
Common Questions
What is CVE-2008-4128?
CVE-2008-4128 is a cross-site request forgery flaw in Cisco IOS, disclosed in 2008, that lets an attacker trick an authenticated administrator into submitting unauthorised commands to a vulnerable router or switch.Source: event
Why did CISA add an 18-year-old CVE to its KEV catalogue?
CISA added CVE-2008-4128 on 13 July 2026 because it found evidence of active exploitation now, not because the flaw is newly discovered; it remains the oldest entry this beat has tracked in the catalogue.Source: event
What is the federal deadline to patch CVE-2008-4128?
CISA set a 16 July 2026 compliance Deadline for federal agencies, three days after the 13 July KEV listing.Source: event

Background

CVE-2008-4128 is a cross-site request forgery (CSRF) vulnerability in Cisco IOS, the operating system that runs Cisco's routers and switches. Disclosed in 2008, it allows an attacker to trick an authenticated administrator's browser into submitting unwanted commands to a vulnerable device without the administrator's knowledge, potentially altering router or switch configuration.

CSRF flaws in network device management interfaces are particularly dangerous because a successful attack can reconfigure the device that controls traffic for an entire network segment, not just a single application.

CISA added CVE-2008-4128 to its Known Exploited Vulnerabilities catalogue on 13 July 2026, with a federal remediation Deadline of 16 July, eighteen years after the flaw was first disclosed. It is the oldest CVE this beat has tracked entering KEV, echoing an equally ancient 17-year-old Office bug added in April 2026.

A KEV listing this long after disclosure means CISA has confirmed active, real-world exploitation now, which points to attackers still finding unpatched, ageing Cisco IOS deployments worth targeting despite nearly two decades of available fixes.