Skip to content

CISA Adds Cisco IOS Flaw Exploited by Russian FSB Actors to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency has added an 18-year-old Cisco IOS vulnerability to its Known Exploited Vulnerabilities catalog following confirmation that the flaw has been exploited in real-world attacks.

The vulnerability, tracked as CVE-2008-4128, affects the HTTP Administration component in Cisco IOS 12.4 running on Cisco 871 Integrated Services Routers.

The issue involves multiple cross-site request forgery vulnerabilities that can allow a remote attacker to trick an authenticated administrator into executing arbitrary commands. The malicious requests can invoke privilege-related commands or alter the router’s configuration through the web management interface.

Although CISA assigned the vulnerability a CVSS 3.1 score of 4.3, its addition to the Known Exploited Vulnerabilities catalog means exploitation is no longer considered theoretical.

The development follows a multinational advisory titled Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting, which was released by U.S. and international cybersecurity and intelligence agencies.

According to the advisory, actors associated with Russia’s Federal Security Service Center 16 have spent more than a decade targeting poorly configured and vulnerable networking devices. The activity has affected organizations across the communications, defense, energy, financial services, government, and healthcare sectors.

The agencies said the Russian actors primarily scan for routers with exposed Simple Network Management Protocol services that accept common or default community strings. Compromised devices can be instructed to copy their configurations and transfer them to attacker-controlled infrastructure through protocols such as TFTP.

The same actors have also exploited Cisco Smart Install and known vulnerabilities, including CVE-2008-4128 and CVE-2018-0171, to gain access to network devices.

CVE-2008-4128 only affects end-of-life Cisco equipment. Cisco states that IOS Software Release 12.4 Mainline is retired and has not been supported since January 31, 2016.

Organizations still using affected devices should replace them with supported hardware rather than relying on an unsupported software branch. Network administrators should also disable unnecessary web management and Cisco Smart Install services, restrict management access with access control lists, and prevent router administration interfaces from being exposed to untrusted networks.

The joint advisory additionally recommends disabling SNMPv1 and SNMPv2 where possible, using SNMPv3 with authentication and encryption, changing default community strings, and monitoring for unusual configuration transfers or inbound SNMP Set-Requests.

The KEV addition highlights a recurring infrastructure security problem: an old vulnerability can remain operationally relevant for years when unsupported network devices are left exposed. Attackers do not need a new zero-day when legacy routers remain reachable and poorly configured.

Latest