Cookie Consent by Free Privacy Policy Generator

CISA Adds 2008 Cisco IOS Vulnerability to Known Exploited Vulnerabilities Catalogue

The US Cybersecurity and Infrastructure Security Agency has added CVE-2008-4128, a cross-site request forgery vulnerability in Cisco IOS, to its Known Exploited Vulnerabilities catalogue based on evidence of active exploitation. CISA reports that the vulnerability, originally disclosed in 2008, allows attackers to perform unauthorised actions on behalf of authenticated users by tricking them into visiting a malicious website or clicking a crafted link. The addition to the KEV catalogue indicates that threat actors are actively exploiting this 18-year-old flaw in environments where Cisco IOS devices have not been patched or replaced. CISA requires US federal agencies to address KEV-listed vulnerabilities within specified timeframes, and the catalogue is widely used by UK and international organisations as a prioritisation tool for vulnerability management.

Why this matters for UK organisations

For UK businesses, the continued exploitation of vulnerabilities from 2008 highlights the operational reality that legacy network infrastructure often remains in production far longer than originally intended, and patching cycles for network devices can lag significantly behind endpoint and server patching. Cisco IOS devices are widely deployed in UK enterprise networks, and many organisations continue to operate older hardware that may no longer receive vendor support. The risk is that attackers can exploit these devices to gain initial access, establish persistence, or move laterally within the network. The fact that CISA has added this vulnerability to the KEV catalogue nearly two decades after disclosure suggests that it remains a viable attack vector in real-world environments, likely because organisations have not prioritised network device patching or have assumed that older vulnerabilities are no longer relevant. This is a reminder that attackers do not only target the latest vulnerabilities, they also target the gaps in patching and asset management that allow older flaws to remain exploitable. The KEV catalogue is a useful resource for UK organisations because it identifies vulnerabilities that are being actively exploited in the wild, helping security teams prioritise remediation efforts based on real-world threat activity rather than theoretical risk scores alone.

What to review

UK organisations should review the age and patch status of network infrastructure, particularly routers, switches, and firewalls. Many organisations focus patching efforts on servers and endpoints but treat network devices as stable infrastructure that rarely changes. Ensuring that network devices are inventoried, that their firmware versions are known, and that a process exists to apply security updates or replace unsupported hardware is a foundational control that should be verified regularly. Where devices cannot be patched, organisations should consider whether compensating controls such as network segmentation, access restrictions, or replacement are appropriate. The CISA KEV catalogue should be reviewed regularly as part of vulnerability management processes, and organisations should consider whether the vulnerabilities listed are present in their own environments. For Cisco IOS devices specifically, organisations should verify that devices are running supported firmware versions, that management interfaces are not exposed to untrusted networks, and that access controls are in place to prevent unauthorised configuration changes. This is an area where asset management, configuration management, and vulnerability management processes need to work together to ensure that network infrastructure is maintained to the same standard as other parts of the IT estate.

Source: CISA

News and blog posts
Introduction Knowing what to do when a client asks for proof of cybersecurity...
The National Cyber Security Centre, alongside CISA and international partners,...
Microsoft has published research detailing a year-long campaign in which...
The US Cybersecurity and Infrastructure Security Agency has added...