BGC Risk Score
Blue Goat Cyber MedTech rubric v1.0 · methodology
3.1 base 4.3 · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
No direct patient impact inferred
On CISA KEV (in-the-wild)
8/10 network-reachable signals
How we got to 4.7
- 1
CVSS technical severity (40%)
Industry-standard exploitability + impact score. We prefer CVSS 4.0 and fall back to 3.1 per the FDA's Feb 2026 premarket cybersecurity guidance. Missing CVSS scores get a neutral 4.0 so unknown vulns are not over- or under-rated.
3.1 base 4.3 × 40% = +1.72 - 2
Patient safety impact (35%)
What happens to a patient if this vuln is exploited on a connected device. Auto-inferred from headline, dek, tags, and device class against a curated MedTech keyword library (pacemaker, infusion pump, EHR, PACS, etc.).
No direct patient impact inferred → 2 × 35% = +0.70 - 3
Exploit maturity (15%)
Is anyone actually using this in attacks? KEV listing > weaponized exploit > public PoC > none. KEV alone forces tier=critical regardless of CVSS.
On CISA KEV (in-the-wild) → 10 × 15% = +1.50 - 4
MedTech exposure (10%)
How likely this affects clinical operations: presence in our MedTech feed (+4 baseline), network-reachable signals (+3), known device-class tags (+2), identified MedTech vendor (+1).
Exposure 8/10 × 10% = +0.80
Tier cutoffs: Critical ≥ 8.5 · High 7.0–8.4 · Notable 4.0–6.9 · Info < 4.0. Full methodology, weights, and changelog at /goatfeed/risk-rubric.
CVE: CVE-2008-4128
CVSS 3.1: 4.3 (MEDIUM) - `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N`
Weakness: CWE-352
Vendor / product: Cisco IOS
KEV added: 2026-07-13 · Federal due date: 2026-07-16
BGC-RS: 4.7 (notable) · CVSS 3.1 base 4.3 · patient-safety: none · exploit: kev · MedTech exposure 8/10 · methodology
Vulnerability
Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component in Cisco IOS 12.4 on the 871 Integrated Services Router allow remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI. NOTE: some of these details are obtained from third party information.
Required action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.