Cisco IOS 12.4 CSRF From 2008 Lands in CISA KEV
CISA added CVE-2008-4128 — a Cisco IOS 12.4 mainline HTTP admin CSRF from 2008 — to the KEV catalog on 2026-07-13. IOS 12.4 mainline is obsolete. Upgrade.
CISA added CVE-2008-4128 to the Known Exploited Vulnerabilities catalog on 2026-07-13. The bug is a set of cross-site request forgery flaws in the HTTP administration component of Cisco IOS 12.4 on the 871 Integrated Services Router, published in 2008 and scored medium (CVSS 4.3). Eighteen years later it is on the list of things federal civilian agencies have to remediate under BOD 26-04.
That is not a typo. Someone is still running IOS 12.4 in production, and CISA has evidence someone is exploiting it.
What actually changed
Cisco IOS 12.4 mainline is end-of-life. The vendor URL CISA links from the KEV entry points at Cisco’s obsolete-releases page for 12.4 mainline, not at a fix. There is no patched 12.4 build coming. 12.4 mainline stopped receiving updates a decade ago.
So “patch” is not the remediation. The remediation is one of three moves. Ranked by honesty:
- Upgrade off IOS 12.4 entirely. Get the affected 871 or equivalent-class router onto a supported IOS train, or replace the platform. This is the real answer. It is also the one every previous EOL notice has been trying to force, which is why we are here.
- Turn off the HTTP admin server.
no ip http serverandno ip http secure-server— no HTTP admin, no CSRF against HTTP admin. Manage the box over SSH from a fixed jumpbox instead. This is the mitigation you can ship this afternoon on a 12.4 device that has to stay up until a hardware refresh. - ACL the HTTP admin interface down to a management VLAN. If policy will not let you turn HTTP off, at least stop letting arbitrary internal networks reach
/level/15/exec/. If the admin surface is not routable from user segments, the CSRF payload has nowhere to land.
Pick one before the end of the week. Options two and three are stopgaps. Option one is the plan.
The honest timeline
CVE-2008-4128 was published on September 18, 2008. Cisco IOS 12.4 mainline hit end-of-life more than a decade ago. Anyone still running it is doing so past every EOL notice Cisco has published.
That CISA has now added an eighteen-year-old CSRF to KEV in 2026 says one specific thing: the KEV team is watching what attackers are actually reaching, and there is enough of a 12.4 install base still on the internet — or reachable from compromised internal networks — that exploitation has crossed their evidence bar. CVEs get on KEV because someone at CISA can point at an incident. This is not backfill.
The tight BOD 26-04 window applies to federal civilian agencies. But when a KEV addition backfills eighteen years of obsolete hardware, the signal to private-sector defenders is the same as the one to feds: find those boxes and deal with them, because the boxes are still out there and someone is knocking on the door.
What to actually go look for
If the asset inventory is honest, this is a five-minute question. If the asset inventory is aspirational, this is where the pain lives.
- Query every Cisco device the inventory claims runs IOS. Anything reporting a 12.4 mainline train is in scope.
- Include boxes not in the inventory. Small branch routers, telco demarc gear pushed into a rack fifteen years ago, hardware from an acquisition where the network team never got the full list. Those are the 871s still on 12.4.
- Check for the HTTP admin server explicitly by pulling
show running-configand looking forip http serverandip http secure-server. If either is on and the box is 12.4, that is the exposed combination that just went KEV.
Priority call: if there is any Cisco 12.4-class router with ip http server on and any reachability beyond an isolated management VLAN, that is a today-not-tomorrow item. Disable HTTP admin first. Plan the platform swap second. Do not treat “the box has been fine for ten years” as a defense — CISA just published the counterargument.
The credibility read
The KEV catalog is not just this quarter’s zero-days. It is CISA’s running answer to “what is worth prioritizing given what we actually see attackers using.” Every so often that answer is a boring, ancient CSRF in obsolete hardware — and when it is, that is the loudest possible statement that the ancient obsolete hardware is still deployed and still exploited. Ignore it at the cost of the same appliance being the intrusion path in the next incident report.
Related coverage:
- CISA KEV: Balbooa & iCagenda Joomla file-upload RCE — the last KEV additions this week, same BOD 26-04 cadence
- PTC Windchill FlexPLM CVE-2026-12569 KEV — how the KEV cycle looks when the underlying software is still supported
- Cisco confirms active exploitation of Unified CM flaw — recent Cisco appliance-class KEV pattern
Sourcing
- CISA Known Exploited Vulnerabilities catalog: cisa.gov/known-exploited-vulnerabilities-catalog
- NVD entry for CVE-2008-4128: nvd.nist.gov/vuln/detail/CVE-2008-4128
- Cisco IOS 12.4 mainline obsolete-releases page: cisco.com — cisco-ios-software-releases-12-4-mainline
- CISA BOD 26-04, Prioritizing Security Updates Based on Risk: cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
Found this useful? Share it.

