COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2008-4128

CVE-2008-4128

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-07-13
Reference
https://nvd.nist.gov/vuln/detail/CVE-2008-4128
⚡ RCE ⌖ exploited in the wild shame 65/100 rceexploited-in-wildunpatchedsupply-chain

Cisco IOS 12.4 devices are actively exploited in the wild via a cross-site request forgery vulnerability enabling remote command execution.

This CVE allows remote attackers to execute arbitrary commands on Cisco IOS 12.4 devices through specific HTTP URIs, posing a severe risk to DIB networks relying on legacy or unpatched Cisco hardware. Organizations must immediately audit their Cisco IOS inventory for version 12.4 and apply patches to prevent unauthorized access and potential data exfiltration.

Shame score — Active exploitation of a known vulnerability in widely deployed Cisco hardware indicates a failure in vendor patch management and DIB vendor oversight.

Players implicated

Cisco Systems Inc. · vendorIOS · product

Description

Cisco IOS 12.4 contains multiple cross-site forgery vulnerabilities that allows remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI.

Affected FedRAMP products 8 in the catalog

ProductProviderStatusMatch
Cisco Cloudlock for Government Cisco Systems Inc. Authorized vendor-exact · 0.90
Cisco Meraki for Government Cisco Systems Inc. In Process vendor-exact · 0.90
Cisco SD-WAN for Government Cisco Systems Inc. In Process vendor-exact · 0.90
Cisco Umbrella for Government Cisco Systems Inc. In Process vendor-exact · 0.90
Cisco Unified Communications Manager Cloud for Government (Cisco UCM Cloud for Government) Cisco Systems Inc. Authorized vendor-exact · 0.90
Duo Federal Duo Security (A Cisco Company) Authorized dex-judge · 0.95
WebEx Contact Center Enterprise for Government (WxCCE-G) Cisco Systems Inc. In Process vendor-exact · 0.90
Webex for Government Cisco Systems Inc. Authorized vendor-exact · 0.90