Connect with us

Hi, what are you looking for?



Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances

Barracuda Networks is warning customers about CVE-2023-2868, a zero-day exploited to hack some Email Security Gateway (ESG) appliances.

Barracuda zero day exploited

Security, application delivery and data protection solutions provider Barracuda Networks is warning customers about a zero-day vulnerability that has been exploited to hack the company’s  Email Security Gateway (ESG) appliances.

The zero-day, tracked as CVE-2023-2868, was addressed with a patch (BNSF-36456) that has been automatically applied to all impacted appliances.

An entry in NIST’s vulnerability database describes CVE-2023-2868 as a remote command injection vulnerability affecting versions through of the Barracuda ESG appliance.

“The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” the advisory explains.

Barracuda said the zero-day was discovered on May 19 and a patch was rolled out to all ESG appliances the next day. A second fix was released on May 21 as part of what the company described as its ‘containment strategy’.

“The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to this vulnerability,” the company noted.

Barracuda’s investigation, which is ongoing, showed that “the vulnerability resulted in unauthorized access to a subset of email gateway appliances”.

Advertisement. Scroll to continue reading.

Impacted users have been notified through the ESG user interface and provided with instructions on the actions they need to take. 

Barracuda has promised to share updates as its investigation progresses on its status page. In addition, impacted customers are being directly contacted.

“Barracuda’s investigation was limited to the ESG product, and not the customer’s specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take,” Barracuda recommended.

Only a few vulnerabilities affecting Barracuda Networks products were publicly disclosed in recent years and there do not appear to be any previous reports of malicious exploitation. 

On the other hand, threat actors have been known to target appliances made by F5, Cisco, Fortinet, SonicWall and Sophos.

Related: QNAP Appliances Targeted in New DeadBolt, eCh0raix Ransomware Campaigns

Related: CISA Warns of Two Mitel Vulnerabilities Exploited in Wild

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.