CVE-2022-20700 — Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability

Cisco RV Series Routers — Unauthenticated RCE via Web Management Stack Buffer Overflow (CVSS 10)

What is Cisco Small Business RV Series?

The Cisco Small Business RV160, RV260, RV340, and RV345 series are VPN routers for small and medium businesses, providing site-to-site VPN, SSL remote access, routing, and firewall functionality. They are commonly deployed at network edges and exposed to the internet for remote worker connectivity.

Overview

CVE-2022-20700 is a critical stack-based buffer overflow in the web-based management interface of Cisco Small Business RV series routers, rated CVSS 10.0. An unauthenticated, remote attacker can send a specially crafted HTTP request to the management web interface to trigger a stack overflow and execute arbitrary code with root privileges. This is one of five critical CVEs (CVE-2022-20699 through CVE-2022-20708) disclosed simultaneously in Cisco's February 2022 advisory for this router family.

Affected Versions

Model Series            | Vulnerable Firmware           | Fixed Firmware
------------------------+-------------------------------+---------------
RV160 / RV160W          | All releases before 1.0.01.05 | 1.0.01.05
RV260 / RV260P / RV260W | All releases before 1.0.01.05 | 1.0.01.05
RV340 / RV340W          | All releases before 1.0.03.24 | 1.0.03.24
RV345 / RV345P          | All releases before 1.0.03.24 | 1.0.03.24

Technical Details

The vulnerability is a stack-based buffer overflow (CWE-121) in the web management interface. The HTTP server fails to validate the length of attacker-supplied input before copying it into a fixed-size stack buffer. Overflowing the buffer allows an attacker to overwrite the return address and gain control of program execution.

This CVE is distinct from CVE-2022-20699 (which targets the SSL VPN tunnel service) — CVE-2022-20700 specifically affects the device's web-based administration interface. Both are CVSS 10.0 because the management interface is also routinely internet-exposed on SMB router deployments.

Attack characteristics:

  • No authentication: exploitable without any valid credentials
  • Pre-auth: no prior session or account required
  • Remote network: targets the management HTTP/HTTPS listener
  • Root-level execution: successful exploitation yields OS-level code execution on the router

Discovery

Discovered by Quentin Kaiser of IoT Inspector Research Lab and reported to Cisco PSIRT. Multiple related vulnerabilities were found in the same codebase during the same research engagement.

Exploitation Context

The Cisco RV router family is ubiquitous in SMB networks. Management interfaces are frequently left internet-accessible for remote IT administration, providing a large attack surface. With CVSS 10.0 and no authentication required, this vulnerability is immediately weaponizable by any attacker with network reach to the management port.

Exploitation of these router vulnerabilities enables persistent access to a network's perimeter, allowing attackers to intercept traffic, modify routing, or use the device as a beachhead for lateral movement into the internal network.

Remediation

  1. Update firmware: Install firmware 1.0.01.05 (RV160/RV260) or 1.0.03.24 (RV340/RV345) via Administration > Firmware Upgrade.
  2. Restrict web management access: Block the management interface from untrusted networks using ACLs or firewall rules; limit to specific management IP addresses.
  3. Disable remote management if unused: If web-based remote administration is not required, disable it entirely.
  4. Replace end-of-life models: Older RV series not receiving updates should be replaced with supported hardware.
  5. Audit for compromise: After patching, review admin accounts, firewall rules, and VPN configurations for unauthorized modifications.
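
To support step 1 across a fleet, the following added example (not from Cisco's advisory or the original page) checks an inventory against the fixed releases in the Affected Versions table. It assumes devices report firmware in the same four-field dotted form the table uses; the host names, sample versions, and status labels are constructed for illustration.

```python
import re

# Fixed firmware per model, transcribed from the Affected Versions table.
FIXED_BY_MODEL = {
    model: fixed
    for models, fixed in (
        ("RV160 RV160W", "1.0.01.05"),
        ("RV260 RV260P RV260W", "1.0.01.05"),
        ("RV340 RV340W", "1.0.03.24"),
        ("RV345 RV345P", "1.0.03.24"),
    )
    for model in models.split()
}

VERSION_RE = re.compile(r"\d+(?:\.\d+){3}", re.ASCII)


def parse_version(text):
    """'1.0.03.24' -> (1, 0, 3, 24): fields compare as numbers, not strings."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(field) for field in text.split("."))


def assess(model, firmware):
    """Classify one device against the fixed release for its model."""
    fixed = FIXED_BY_MODEL.get(model.strip().upper())
    if fixed is None:
        return "unlisted-model"  # not in the table: check the vendor advisory
    try:
        running = parse_version(firmware)
    except ValueError:
        return "unparsed-version"  # review by hand rather than assume safe
    return "vulnerable" if running < parse_version(fixed) else "fixed"


# Constructed inventory (hypothetical hosts and versions) for illustration.
SAMPLE_INVENTORY = [
    ("branch-01", "RV340", "1.0.03.22"),
    ("branch-02", "rv260w", "1.0.01.05"),
    ("branch-03", "RV345P", "1.0.3.9"),
    ("branch-04", "RV160", "unknown"),
    ("branch-05", "RV042", "4.2.3.14"),
]


def audit(inventory):
    """Return (host, status) for every device in the inventory."""
    return [(host, assess(model, fw)) for host, model, fw in inventory]


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Parsing each field as an integer matters here: a plain string comparison would rank "1.0.3.9" above "1.0.03.24" and report that device as patched.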

Key Details

Property             | Value
---------------------+---------------------------------------------------------------------
CVE ID               | CVE-2022-20700
Vendor / Product     | Cisco — Small Business RV160, RV260, RV340, and RV345 Series Routers
NVD Published        | 2022-02-10
NVD Last Modified    | 2025-10-28
CVSS 3.1 Score       | 10
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-121
CISA KEV Added       | 2022-03-03
CISA KEV Deadline    | 2022-03-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-03-17. Apply updates per vendor instructions.

Timeline

Date       | Event
-----------+-----------------------------------------------------
2022-02-02 | Cisco published security advisory
2022-02-10 | CVE published
2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-03-17 | CISA BOD 22-01 remediation deadline