Reference material — not professional advice. Test in staging, back up first, verify against your specific version. Use your own judgment for your environment.
● Critical · CVSS 9.3 · ⚠ ACTIVELY EXPLOITED (CISA KEV)

How to Fix CVE-2022-20703: Cisco RV Series Router (Bundle Sibling)

*By Sai Kiran Pandrala*

⚡ At a glance
Severity: CVSS 9.3, Critical
Actively exploited? Yes, listed in CISA KEV (added 2022-03-03)
Affected: Cisco Small Business RV160, RV260, RV340, RV345 series (and wireless / PoE variants)
Fixed in: RV340/RV345 firmware 1.0.03.26 or later. RV160/RV260: vendor recommends hardware replacement.
Type (CWE): CWE-347: Improper Verification of Cryptographic Signature

CVE-2022-20703 is one of the 15 CVEs in the Cisco Small Business RV Series advisory. The full bundle, including the firmware-upgrade procedure and end-of-life guidance for the affected hardware, is covered in detail in How to Fix CVE-2022-20708.

What's different about CVE-2022-20703?

It is not another web-management-interface bug. CVE-2022-20703 is the digital signature verification bypass in the router's software image verification feature: because firmware images and binaries are not properly verified when they are installed, an unauthenticated attacker with local access can install and boot a malicious software image or execute unsigned binaries on the device. On its own it is an integrity and persistence flaw rather than a remote entry point, which is exactly why it matters alongside the bundle's unauthenticated RCE bugs: an attacker who gains root through one of those can use this flaw to flash a trojaned image that survives reboots. The impact is the same as the rest of the bundle (full control of the router), and the issue was originally disclosed via ZDI advisory ZDI-22-408.

How to fix CVE-2022-20703

The fix is the same as the rest of the bundle: upgrade RV340/RV345 to firmware 1.0.03.26 or later, or replace EOL RV160/RV260 hardware. See the full procedure in How to Fix CVE-2022-20708; it covers the firmware download, backup, install, verify, and the hardware-migration path for SKUs that have no fix planned. One caveat specific to this CVE: because the flaw lets unsigned images run, a router that may already have been compromised cannot be trusted just because its status page reports the fixed version. If you suspect compromise, factory-reset the device, load a freshly downloaded image from Cisco, and restore the configuration from a backup taken before the suspected intrusion.
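To work out which devices in an estate still need action, the following is an added example (not part of the original guide and not a Cisco tool) that applies this guide's remediation rule to an inventory export: RV340/RV345 models must run 1.0.03.26 or later, RV160/RV260 models are flagged for replacement, and anything else is reported as out of scope. The CSV inventory, the hostnames and the `RV130W` line are constructed sample data; the point of the version parser is that firmware strings must be compared numerically, since a plain string compare would rank `1.0.03.9` above `1.0.03.26`.

```python
"""Triage Cisco RV-series routers against the CVE-2022-20703 bundle fix.

Added example for this guide; not Cisco tooling. The inventory below is
constructed sample data in a hypothetical host,model,firmware CSV layout.
"""
import re

# Fixed release per the advisory bundle as summarised in this guide.
FIXED_RELEASE = {
    "RV340": "1.0.03.26", "RV340W": "1.0.03.26",
    "RV345": "1.0.03.26", "RV345P": "1.0.03.26",
}
# RV160/RV260 family: this guide's remediation path is hardware replacement.
REPLACE_MODELS = {"RV160", "RV160W", "RV260", "RV260P", "RV260W"}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
# host,model,firmware
edge-01,RV345P,1.0.03.24
edge-02,RV340,1.0.03.26
edge-03,RV345,1.0.03.29
branch-07,RV260W,1.0.01.05
branch-08,RV160,1.0.01.07
lab-01,RV130W,1.0.3.55
"""


def parse_version(version):
    """Turn '1.0.03.26' into (1, 0, 3, 26) so comparisons are numeric.

    Leading zeros in Cisco's dotted versions make lexical comparison wrong:
    '1.0.03.9' > '1.0.03.26' as strings, but 9 < 26 as numbers.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def assess(model, firmware):
    """Return 'fixed', 'upgrade', 'replace' or 'not-in-scope' for one device."""
    model = model.strip().upper()
    if model in REPLACE_MODELS:
        return "replace"
    if model not in FIXED_RELEASE:
        return "not-in-scope"
    if parse_version(firmware) >= parse_version(FIXED_RELEASE[model]):
        return "fixed"
    return "upgrade"


def triage(inventory_text):
    """Map each host in a host,model,firmware CSV to its remediation status."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, model, firmware = (field.strip() for field in line.split(","))
        results[host] = assess(model, firmware)
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<10} {status}")
```

Feed it your own export in the same three-column layout; a device reported as `fixed` still warrants the reimage step above if there is any sign it was compromised before the upgrade, because this particular flaw is what lets a tampered image report whatever version it likes.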

Frequently asked questions

Is CVE-2022-20703 actively exploited?

Yes. CVE-2022-20703 is on the CISA Known Exploited Vulnerabilities catalog, so under BOD 22-01 federal civilian agencies are required to remediate it by the catalog's due date. Most enterprises treat the same date as the practical floor.

What is the CVSS severity of CVE-2022-20703?

CVSS 9.3, Critical. See the advisory for the full CVSS vector.

Where can I read the official advisory?

See https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vu

Does the patch require a reboot?

Yes. The fix is a firmware image upgrade, and the RV series reboots to boot the new image, so plan a maintenance window and expect a short outage for the site behind the router. Back up the configuration before the upgrade and confirm the running version after the reboot.

*This guide is one of the bundle siblings disclosed in the same Cisco PSIRT advisory. The primary write-up with full remediation steps lives at how-to-fix-cve-2022-20708.*