Connect with us

Hi, what are you looking for?


Malware & Threats

Barracuda Urges Customers to Replace Hacked Email Security Appliances

Barracuda Networks is telling customers to immediately replace hacked ESG email security appliances regardless of the patches they installed.

Barracuda zero day exploited by China

Barracuda Networks is telling customers to immediately replace hacked Email Security Gateway (ESG) appliances, even if they have installed all available patches. 

Barracuda became aware of attacks targeting its ESG appliances on May 18. By the next day, the company discovered that the attacks involved exploitation of a zero-day vulnerability (CVE-2023-2868) and it immediately started working on patches and scripts to contain the attack, which it released shortly after.

Barracuda’s initial recommendations for impacted customers included ensuring that their appliances had received all updates, definitions and security patches. At the same time, the company told customers to discontinue the use of compromised devices and contact its support team to receive a new ESG appliance. 

On June 6, the company issued an ‘action notice’ telling impacted customers to immediately replace their appliances, regardless of their patch level. This suggests that the updates may not be completely effective in cleaning up hacked systems.

“If you have not replaced your appliance after receiving notice in your UI, contact support now,” Barracuda said. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.” 

Barracuda’s investigation, which is assisted by Mandiant, revealed that the vulnerability has been exploited since at least October 2022. CVE-2023-2868 is a remote command injection issue affecting a module designed for the initial screening of email attachments.

Information shared by the company to date indicates that threat actors delivered malware to a subset of appliances and used it to exfiltrate data. 

Advertisement. Scroll to continue reading.

Three types of malware were discovered on hacked Barracuda appliances. They have been named SaltWater, SeaSpy, and SeaSide. 

SaltWater is designed to allow attackers to upload and download files, execute arbitrary commands, and use it for proxy or tunneling purposes. SeaSpy provides backdoor functionality, while SeaSide is used to receive command and control (C&C) information and to establish a reverse shell.

Indicators of compromise (IoCs) for endpoints and networks, as well as Yara rules that can be used for threat hunting have been shared by the vendor. 

Related: Fortinet Admits Many Devices Still Unprotected Against Exploited Vulnerability

Related: Custom Chinese Malware Found on SonicWall Appliance

Related: Sophos Firewall Zero-Day Exploited in Attacks on South Asian Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet