CVE-2022-20699 — Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability

Cisco RV Series Routers — Unauthenticated RCE via SSL VPN Stack Buffer Overflow (CVSS 10)

What is Cisco Small Business RV Series?

The Cisco Small Business RV160, RV260, RV340, and RV345 series are VPN routers marketed to small and medium businesses for providing site-to-site and remote access VPN connectivity along with standard routing and firewall features. They are widely deployed as network edge devices in SMB environments, often directly internet-facing to support remote workers. Their SSL VPN capability allows employees to connect to corporate networks from home.

Overview

CVE-2022-20699 is a critical stack-based buffer overflow in the SSL VPN tunnel service of Cisco Small Business RV series routers, rated CVSS 10.0. An unauthenticated, remote attacker can send a specially crafted HTTP request to the SSL VPN interface, triggering a buffer overflow that allows arbitrary code execution with root privileges on the underlying Linux OS. This CVE is one of five critical vulnerabilities (CVE-2022-20699 through CVE-2022-20708) disclosed by Cisco in February 2022 as part of a single advisory for the RV router family.

Affected Versions

Model Series               Vulnerable Firmware              Fixed Firmware
RV160 / RV160W             All releases before 1.0.01.05    1.0.01.05
RV260 / RV260P / RV260W    All releases before 1.0.01.05    1.0.01.05
RV340 / RV340W             All releases before 1.0.03.24    1.0.03.24
RV345 / RV345P             All releases before 1.0.03.24    1.0.03.24

Technical Details

The vulnerability is a stack-based buffer overflow (CWE-121) in the SSL VPN component of the management web server. When parsing crafted HTTP requests directed at the SSL VPN endpoint, the router fails to properly validate the size of user-supplied data before copying it into a fixed-size stack buffer. A specially crafted request can overwrite the return address and redirect execution to attacker-controlled shellcode or ROP chains.

Attack characteristics:

  • No authentication required: exploitable without credentials, targeting the SSL VPN listener
  • Network-accessible: the SSL VPN port (typically 443 or 8443) is intended to be internet-facing
  • Scope changed: successful exploitation grants control over the underlying device OS, beyond the vulnerable component
  • No user interaction required: single request triggers the overflow

Cisco did not release firmware updates for end-of-life RV320/RV325 series, which share similar code — those devices remain permanently vulnerable.

Discovery

The vulnerabilities were discovered by Quentin Kaiser of IoT Inspector Research Lab, who reported multiple issues in the Cisco RV series to Cisco's PSIRT.

Exploitation Context

Small business routers are attractive targets due to their role as network perimeters and their typically less rigorous patch management compared to enterprise equipment. SSL VPN endpoints on these devices are inherently internet-facing by design. Within weeks of the advisory, security researchers published functional exploit code.

The five-CVE cluster in this Cisco advisory is particularly dangerous because each vulnerability independently allows full device compromise, providing attackers multiple entry points if any one patch is missed. Persistent access via modified firmware or added VPN accounts is a common follow-on action after exploitation.

Remediation

  1. Update firmware immediately: Install firmware 1.0.01.05 (RV160/RV260) or 1.0.03.24 (RV340/RV345) via the device admin panel under Administration > Firmware Upgrade.
  2. Disable remote management if unused: If SSL VPN or remote admin access is not needed, disable it to eliminate the attack surface.
  3. Restrict admin interface access: Limit SSL VPN and web management access to known IP ranges using access control lists.
  4. Replace end-of-life models: The RV320/RV325 will not receive patches. Migrate to supported hardware.
  5. Monitor for unauthorized VPN accounts: After patching, audit VPN user accounts and firewall rules for unauthorized additions.
  6. Network segmentation: Ensure compromised edge routers cannot directly pivot to critical internal systems.
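Steps 1 and 4 come down to comparing each device's model and running firmware against the Affected Versions table. The following is an added example, not Cisco's or this page's own tooling; the inventory, hostnames and function names are constructed for illustration.

```python
import re

# Fixed firmware per series, from the Affected Versions table on this page.
FIXED = {"RV160": "1.0.01.05", "RV260": "1.0.01.05",
         "RV340": "1.0.03.24", "RV345": "1.0.03.24"}
# End-of-life series the page says will not receive patches.
END_OF_LIFE = {"RV320", "RV325"}

def parse_version(text):
    """'1.0.01.05' -> (1, 0, 1, 5): compare fields as numbers, not strings."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def base_series(model):
    """'rv260w', 'RV345P', 'RV160' -> 'RV260', 'RV345', 'RV160'."""
    m = re.fullmatch(r"(RV\d{3})[A-Z]?", model.strip().upper())
    if not m:
        raise ValueError(f"unrecognised model: {model!r}")
    return m.group(1)

def assess(model, firmware):
    """Return 'replace', 'update', 'ok' or 'not-listed' for one device."""
    series = base_series(model)
    if series in END_OF_LIFE:
        return "replace"          # remediation step 4
    if series not in FIXED:
        return "not-listed"       # model is not in this page's table
    if parse_version(firmware) < parse_version(FIXED[series]):
        return "update"           # remediation step 1
    return "ok"

# Constructed inventory (hostnames and running versions are made up).
INVENTORY = [
    ("edge-01", "RV340W", "1.0.03.22"),
    ("edge-02", "rv260p", "1.0.01.05"),
    ("edge-03", "RV345", "1.0.3.9"),     # a string compare would call this newer
    ("edge-04", "RV325", "1.4.2.22"),
]

def triage(inventory):
    """Map each hostname to its verdict."""
    return {host: assess(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host}: {verdict}")
```

A device reported as "ok" still needs the account and firewall-rule audit from step 5, since the firmware version says nothing about what happened before the update.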

Key Details

Property              Value
CVE ID                CVE-2022-20699
Vendor / Product      Cisco — Small Business RV160, RV260, RV340, and RV345 Series Routers
NVD Published         2022-02-10
NVD Last Modified     2025-10-28
CVSS 3.1 Score        10
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-121
CISA KEV Added        2022-03-03
CISA KEV Deadline     2022-03-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-03-17. Apply updates per vendor instructions.

Timeline

Date          Event
2022-02-02    Cisco published security advisory
2022-02-10    CVE published
2022-03-03    Added to CISA Known Exploited Vulnerabilities catalog
2022-03-17    CISA BOD 22-01 remediation deadline