Zero-Day Vulnerability in Barracuda ESG Exploited by Unknown Threat Actors

Data protection and network security solution provider, Barracuda Networks announced that its Email Security Gateway (ESG) appliances was compromised due to a zero-day vulnerability.

Barracuda, a US-based cybersecurity company is one of the leading email security providers with customers ranging from medium to large-scale organizations, including Mitsubishi, Carrefour, Tupperware, among others.

In the announcement, the company did not disclose the number of Email Gateway customers affected by the breach nor of any possible damage to its other products and services. ‘’No other Barracuda products, including our SaaS email security services, were subject to this vulnerability,’’ stated Barracuda.

The vulnerability, which was discovered on May 19, has been identified as CVE-2023-2868 and was found in a module which initially scans incoming email attachments. On discovery, the company immediately rolled out security solutions in two batches. On May 20 the first phase of security patch was applied to all ESG appliances worldwide and on May 21, as part of its ‘’containment strategy’’ a second patch of security was applied to all appliances by Barracuda.

Barracuda’s current investigation showed that the vulnerability was exploited by unknown threat actors and ‘’resulted in unauthorized access to a subset of email gateway appliances’’.

The customers who were affected by this breach were notified through the company’s ESG appliance about the necessary steps to take. As the investigation was limited to Barracuda’s ESG product and not to any client’s internal network. The company stated that affected customers should investigate their specific networks for any possible impact and take remedial actions as necessary.

Barracuda announced that it would continue to monitor this situation. In addition to direct outreach to its customers, information about the updates would also be available through the company’s product status page and Trust Center.