Reference material — not professional advice. Test in staging, back up first, verify against your specific version. Use your own judgment for your environment.
● Critical · CVSS 10.0 ⚠ ACTIVELY EXPLOITED — CISA KEV

How to Fix CVE-2022-20699: Cisco RV340 SSL VPN Unauthenticated RCE

*By Sai Kiran Pandrala*

⚡ At a glance
Severity: CVSS 10.0, Critical
Actively exploited?: Yes, bundle listed in CISA KEV (added 2022-03-03). Public exploit code on PacketStorm.
Affected: Cisco Small Business RV160, RV260, RV340, RV345 series, specifically the SSL VPN component
Fixed in: RV340/RV345 firmware 1.0.03.26+. RV160/RV260, vendor recommends hardware replacement.
Type (CWE): CWE-121: Stack-based Buffer Overflow

CVE-2022-20699 is the SSL VPN-specific vulnerability in the Cisco RV Series bundle. Public exploit code targeting this CVE has been published on PacketStorm Security since 2022, making it one of the more dangerous entries in the bundle.

What's different about CVE-2022-20699?

This CVE lives in the SSL VPN service rather than the general web management interface. If your RV router exposes SSL VPN to the public internet for remote-worker access (a common deployment), this CVE is reachable even when admin management is restricted. The exploitation flow: unauthenticated request to the SSL VPN port, stack-overflow primitive, RCE as root on the router.

For environments using the RV340 as the SSL VPN gateway for branch-office or remote-employee access, this is the highest-priority CVE in the bundle.

How to fix CVE-2022-20699

Same fix as the rest of the bundle: upgrade RV340/RV345 to firmware 1.0.03.26 or later, or replace EOL RV160/RV260 hardware. Full step-by-step is in How to Fix CVE-2022-20708.

Additional urgency for the SSL VPN exposure

If you cannot patch in the next 24 hours and you publish SSL VPN to the internet:

These steps are critical because the SSL VPN port is internet-facing by definition. Public exploit code means automated scanners are using it daily.

Upgrade the affected Cisco platform


```
! Verify the running release on the device
! (IOS-style CLI; on the RV series the GUI shows the firmware version
!  under Administration → System Summary)
show version
show inventory

! Stage the patched image from the Cisco Security Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D
copy tftp://<fileserver>/<patched-image>.bin flash:

! Set the boot image and reload in a maintenance window
configure terminal
boot system flash:<patched-image>.bin
end
write memory
reload

! After reload, confirm the new image is running
show version | include image
```

Verify the fix landed


```bash
# 1. Confirm the running version matches the fixed-in version from the advisory:
#    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D
#    Use the platform-specific version probe above.

# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
#    The scanner should no longer flag CVE-2022-20699 on the patched target.

# 3. Inspect recent service / kernel logs for crash loops or rollback events.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"
```

Verification

After firmware upgrade, confirm by logging into the router GUI: Administration → System Summary should show 1.0.03.26 or later. If you ran the SSL VPN-disable mitigation, re-enable it only after confirming the patched firmware is running.
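For more than a handful of routers, the same check can be run over an inventory export. The following is an added example, not code from this guide or from Cisco: it classifies each device against the fixed-in data in the "At a glance" table. The inventory rows are constructed, and folding variants such as RV345P into their base series is an assumption.

```python
import re

FIXED_IN = {"RV340": "1.0.03.26", "RV345": "1.0.03.26"}  # "Fixed in" row of this page
REPLACE_ONLY = {"RV160", "RV260"}                         # vendor recommends replacement

# Constructed sample inventory: (hostname, model, firmware as shown in System Summary)
INVENTORY = [
    ("branch-01", "RV340", "1.0.03.24"),
    ("branch-02", "RV345P", "1.0.03.26"),
    ("branch-03", "RV340", "1.0.03.9"),    # a plain string compare ranks this above .26
    ("branch-04", "RV260W", "1.0.01.05"),
    ("branch-05", "RV340", "unknown"),
    ("branch-06", "ISR4331", "17.3.4"),
]

def parse_version(text):
    """Turn '1.0.03.26' into (1, 0, 3, 26); raise ValueError on anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def base_model(model):
    """Assumption: variants such as 'RV340W' or 'rv345p' map to their base series."""
    m = re.match(r"(RV\d{3})(?!\d)", model.strip().upper())
    return m.group(1) if m else None

def triage(model, version):
    """Return REPLACE, NOT_IN_SCOPE, UNKNOWN, PATCHED or VULNERABLE for one device."""
    series = base_model(model)
    if series in REPLACE_ONLY:
        return "REPLACE"
    if series not in FIXED_IN:
        return "NOT_IN_SCOPE"
    try:
        running = parse_version(version)
    except ValueError:
        return "UNKNOWN"  # treat as unpatched until the version is confirmed
    # Tuple comparison is numeric per component, so 1.0.03.9 < 1.0.03.26.
    return "PATCHED" if running >= parse_version(FIXED_IN[series]) else "VULNERABLE"

def report(inventory):
    return {host: triage(model, version) for host, model, version in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```
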

Frequently asked questions

Is CVE-2022-20699 actively exploited?

Yes. CVE-2022-20699 is in the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch by the published deadline. Most enterprises treat the same date as the practical floor.

What is the CVSS severity of CVE-2022-20699?

Critical. See the advisory for the full CVSS vector.

Where can I read the official advisory?

See https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vu

Does the patch require a reboot?

It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.

*This guide is part of the Cisco RV Series bundle. The primary write-up with full remediation procedure is at how-to-fix-cve-2022-20708.*