Blue Goat CyberBlue Goat CyberSMMedical Device Cybersecurity
    K
    Goat Feed · KEV

    CISA KEV: Cisco IOS CVE-2008-4128 (CVSS 3.1 4.3 MEDIUM) - IOS Cross-Site Request Forgery Vulnerability

    Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component in Cisco IOS 12.4 on the 871 Integrated Services Router allow remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI. NOTE: some of these details are obtained from third party information.

    Back to the daily feed
    KEV
    critical

    BGC Risk Score

    Blue Goat Cyber MedTech rubric v1.0 · methodology

    4.7
    of 10
    notable
    CVSS technical
    40% · +1.7

    3.1 base 4.3 · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

    Patient safety
    35% · +0.7

    No direct patient impact inferred

    Exploit maturity
    15% · +1.5

    On CISA KEV (in-the-wild)

    MedTech exposure
    10% · +0.8

    8/10 network-reachable signals

    How we got to 4.7

    1. 1
      CVSS technical severity (40%)

      Industry-standard exploitability + impact score. We prefer CVSS 4.0 and fall back to 3.1 per the FDA's Feb 2026 premarket cybersecurity guidance. Missing CVSS scores get a neutral 4.0 so unknown vulns are not over- or under-rated.

      3.1 base 4.3 × 40% = +1.72
    2. 2
      Patient safety impact (35%)

      What happens to a patient if this vuln is exploited on a connected device. Auto-inferred from headline, dek, tags, and device class against a curated MedTech keyword library (pacemaker, infusion pump, EHR, PACS, etc.).

      No direct patient impact inferred → 2 × 35% = +0.70
    3. 3
      Exploit maturity (15%)

      Is anyone actually using this in attacks? KEV listing > weaponized exploit > public PoC > none. KEV alone forces tier=critical regardless of CVSS.

      On CISA KEV (in-the-wild) → 10 × 15% = +1.50
    4. 4
      MedTech exposure (10%)

      How likely this affects clinical operations: presence in our MedTech feed (+4 baseline), network-reachable signals (+3), known device-class tags (+2), identified MedTech vendor (+1).

      Exposure 8/10 × 10% = +0.80

    Tier cutoffs: Critical ≥ 8.5 · High 7.0–8.4 · Notable 4.0–6.9 · Info < 4.0. Full methodology, weights, and changelog at /goatfeed/risk-rubric.

    CVE: CVE-2008-4128

    CVSS 3.1: 4.3 (MEDIUM) - `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N`

    Weakness: CWE-352

    Vendor / product: Cisco IOS

    KEV added: 2026-07-13 · Federal due date: 2026-07-16

    BGC-RS: 4.7 (notable) · CVSS 3.1 base 4.3 · patient-safety: none · exploit: kev · MedTech exposure 8/10 · methodology

    Vulnerability

    Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component in Cisco IOS 12.4 on the 871 Integrated Services Router allow remote attackers to execute arbitrary commands via (1) a certain "show privilege" command to the /level/15/exec/- URI, and (2) a certain "alias exec" command to the /level/15/exec/-/configure/http URI. NOTE: some of these details are obtained from third party information.

    Required action

    Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

    Citations
    #kev#cve#cisco
    Need help acting on this?

    Talk to Blue Goat Cyber

    Penetration testing, SBOM, threat modeling, and 524B submission support for MedTech.