CVE-2022-20701 — Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability

Cisco RV Series Routers — Unauthenticated RCE via Router Management Stack Buffer Overflow (CVSS 10)

What is Cisco Small Business RV Series?

The Cisco Small Business RV160, RV260, RV340, and RV345 series are VPN routers for small and medium businesses, combining VPN gateway, routing, firewall, and remote management functionality in a single internet-facing appliance.

Overview

CVE-2022-20701 is a critical stack-based buffer overflow in the Cisco Small Business RV series router management service, rated CVSS 10.0. An unauthenticated attacker with network access to the device can send a crafted request to trigger arbitrary code execution with root privileges. This is one of five critical CVEs disclosed together in Cisco's February 2022 advisory (alongside CVE-2022-20699, -20700, -20703, and -20708) affecting the same router family through different attack vectors.

Affected Versions

Model Series            | Vulnerable Firmware           | Fixed Firmware
RV160 / RV160W          | All releases before 1.0.01.05 | 1.0.01.05
RV260 / RV260P / RV260W | All releases before 1.0.01.05 | 1.0.01.05
RV340 / RV340W          | All releases before 1.0.03.24 | 1.0.03.24
RV345 / RV345P          | All releases before 1.0.03.24 | 1.0.03.24

Technical Details

CVE-2022-20701 is a stack-based buffer overflow (CWE-121) in one of the router management services. Like CVE-2022-20699 and CVE-2022-20700, the root cause is missing input length validation before copying attacker-controlled data into a fixed-size stack buffer. The resulting overflow enables control of the instruction pointer and arbitrary code execution.

The CVSS 10.0 score reflects:

  • Network-accessible attack vector (no physical or adjacent network access required)
  • No authentication or prior access required
  • No user interaction
  • Changed scope — attacker gains root OS access beyond the vulnerable process

Discovery

Reported by Quentin Kaiser of IoT Inspector Research Lab as part of a broader audit of Cisco's SMB router firmware. The research uncovered multiple independently exploitable vulnerabilities in the same codebase.

Exploitation Context

With five CVSS 10.0 vulnerabilities in a single advisory, the Cisco RV router family presented an unusually broad attack surface. Each of the five CVEs can be exploited independently, so patching four but missing one still leaves the device open to full compromise. In practice, the SSL VPN and web management vectors (CVE-2022-20699, -20700) received the most weaponization attention because their ports are the ones most commonly exposed to the internet.

Security researchers noted exploit code circulating on public repositories within weeks of the advisory, making these vulnerabilities accessible to low-sophistication attackers.

Remediation

  1. Update firmware: Install 1.0.01.05 (RV160/RV260) or 1.0.03.24 (RV340/RV345) immediately.
  2. Isolate management ports: Place admin interfaces behind a management VLAN inaccessible from the internet.
  3. Replace unsupported models: Older RV series without firmware updates available must be replaced.
  4. Confirm all five CVEs addressed: Apply the same firmware update that addresses CVE-2022-20699, -20700, -20701, -20703, and -20708 simultaneously.
  5. Post-compromise audit: Check for unauthorized admin accounts, persistent cron jobs, and VPN policy changes if exploitation is suspected.
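
A firmware check for step 1, as an added example that is not from Cisco or the original page: it compares each device's reported firmware against the fixed releases in the Affected Versions table. The inventory format, hostnames and status labels are assumptions made for the example.

```python
import re

# Fixed firmware per model, copied from the Affected Versions table on this page.
FIXED_FIRMWARE = {
    "RV160": "1.0.01.05", "RV160W": "1.0.01.05",
    "RV260": "1.0.01.05", "RV260P": "1.0.01.05", "RV260W": "1.0.01.05",
    "RV340": "1.0.03.24", "RV340W": "1.0.03.24",
    "RV345": "1.0.03.24", "RV345P": "1.0.03.24",
}

def parse_version(text):
    """Turn '1.0.03.24' into (1, 0, 3, 24) so fields compare as numbers."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def assess(model, firmware):
    """Classify one device as vulnerable, fixed, not-listed or unknown-version."""
    fixed = FIXED_FIRMWARE.get(model.strip().upper())
    if fixed is None:
        return "not-listed"  # model is outside the table; says nothing about safety
    try:
        running = parse_version(firmware.strip())
    except ValueError:
        return "unknown-version"  # treat as unverified, never as patched
    return "vulnerable" if running < parse_version(fixed) else "fixed"

def audit(inventory_csv):
    """Assess every 'host,model,firmware' line; '#' lines and blanks are skipped."""
    results = {}
    for line in inventory_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [field.strip() for field in line.split(",")]
        if len(fields) != 3:
            results[line] = "malformed"
            continue
        host, model, firmware = fields
        results[host] = assess(model, firmware)
    return results

# Constructed sample inventory (hostnames and versions are invented for the example).
SAMPLE_INVENTORY = """\
# host,model,firmware
branch-gw-01,RV340,1.0.03.22
branch-gw-02,rv260w,1.0.01.05
branch-gw-03,RV345P,1.0.03.9
lab-gw-01,RV160,n/a
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The third sample row is the case a plain string comparison gets wrong: "1.0.03.9" sorts after "1.0.03.24" as text but is the older release once the fields are compared as numbers.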

Key Details

Property            | Value
CVE ID              | CVE-2022-20701
Vendor / Product    | Cisco — Small Business RV160, RV260, RV340, and RV345 Series Routers
NVD Published       | 2022-02-10
NVD Last Modified   | 2025-10-28
CVSS 3.1 Score      | 10
CVSS 3.1 Vector     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity            | CRITICAL
CWE                 | CWE-121
CISA KEV Added      | 2022-03-03
CISA KEV Deadline   | 2022-03-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-03-17. Apply updates per vendor instructions.

Timeline

Date       | Event
2022-02-02 | Cisco published security advisory
2022-02-10 | CVE published
2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-03-17 | CISA BOD 22-01 remediation deadline