On Tuesday, 6 June 2023, Barracuda announced that all ESG appliances compromised via CVE-2023-2868 must be immediately replaced, regardless of the current patch version.
Barracuda ESG is an email security gateway that manages and filters inbound and outbound email traffic within an organisation’s network. On 18 June 2023, Barracuda identified CVE-2023-2868 after being alerted to anomalous traffic originating from ESG appliances. The vulnerability exists in a module that initially screens the attachments of incoming emails, affecting ESG versions 5.1.3.001-9.2.0.006. No other Barracuda products, including their SaaS email security services, are vulnerable to CVE-2023-2868.
While no evidence of a published PoC has been observed, Barracuda has noted that the vulnerability has been under active exploitation since at least October 2022. Threat actors have leveraged the vulnerability to exfiltrate data and obtain persistent access on a subset of appliances.
Recommendations for CVE-2023-2868
Recommendation #1: Follow Barracuda Remediation Guidance for Compromised Devices
If your organisation has been informed by Barracuda of exploitation activity, we strongly recommend following Barracuda’s current remediation guidance and fully replacing the impacted ESG to prevent future exploitation. Current guidance and additional information can be found here: https://www.barracuda.com/company/legal/esg-vulnerability
Recommendation #2: Verify ESG Appliance has the Latest Security Patch Applied
If you have not been notified by Barracuda, we strongly recommend verifying that the most recent security patch was deployed to your ESG appliances and monitoring for any communications from Barracuda. Barracuda deployed a security patch to all ESG appliances worldwide on May 20, 2023, to remediate CVE-2023-2868. Additional security patches will likely be deployed in the near future based on Barracuda’s security advisory.