Barracuda logo

[updated] Barracuda Networks patches zero-day vulnerability in Email Security Gateway

On May 20, Barracuda Networks issued a patch for a zero day vulnerability in its Email Security Gateway (ESG) appliance. The vulnerability existed in a module which initially screens the attachments of incoming emails, and was discovered on May 19.

Barracuda’s investigation showed that the vulnerability resulted in unauthorized access to a subset of email gateway appliances. A remote unauthenticated attacker could send a specially crafted archive to the appliance and execute arbitrary Perl commands on the target system. The affected versions of ESG are 5.1.3 – 9.2.

Consequently a security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20. After further investigation a second patch was sent out on May 21, 2023.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in these updates is:

CVE-2023-2868: CVSS score 9.4 out of 10. A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only). The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker could specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.

Barracuda says users whose appliances are believed to be impacted have been notified via the ESG user interface about the actions they need to take. It says it has also reached out to these specific customers. Updates will be posted to the product status page.

The Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The due date for FCEB agencies for this vulnerability is June 16, 2023. CISA also warned that these types of vulnerabilities are frequent attack vectors for malicious cyberactors and pose a significant risks to the federal enterprise.

Update May 31, 2023

Barracuda informed the public that they found evidence of exploitation of CVE-2023-2868 at least sinceOctober 2022 and that malware plus evidence of data exfiltration was identified on a subset of appliances. The malware was found to provide persistent backdoor access. Barracuda has named this trojanized module for the Barracuda SMTP daemon SALTWATER. Barracuda has provided Indicators of Compromise (IOCs) and Yara rules to identify the malware modules deployed by the threat actor. 

Update June 9, 2023

Barracuda sent out an action notice to inform customers that impacted ESG appliances must be replaced immediately, regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (  

Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG. 

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.