>_ 0dayNews
Analysis

Barracuda Told Customers to Replace Their Appliances, Not Just Patch Them. Here's Why.

CVE-2023-2868 was exploited as a zero-day for roughly seven months before discovery — and left some compromised appliances backdoored even after the software patch was applied.

Photo: Cuda-mwolfe / Wikimedia Commons · CC BY-SA 4.0
0day News Desk · Published · 2 min read

Most vulnerability disclosures end with “apply the patch.” CVE-2023-2868 ended with something far more unusual: Barracuda telling a subset of customers to physically replace their appliances, because a software patch alone wouldn’t remove what attackers had already planted.

What the vulnerability does

The flaw is a remote command-injection vulnerability in Barracuda Networks’ Email Security Gateway (ESG) appliances, versions 5.1.3.001 through 9.2.0.006, rooted in incomplete input validation in the module that screens email attachments. Specifically, the names of files inside a .tar archive attached to an inbound message were not validated before being used in a system command, so a remote attacker who could get a crafted archive processed by the appliance could execute arbitrary commands with the privileges of the ESG product. No credentials and no action by the recipient were required; delivering the email was enough. Barracuda identified the issue on May 19, 2023, pushed a patch to all appliances worldwide on May 20, and disclosed it publicly on May 23. The investigation that followed revealed something more troubling: the vulnerability had been actively exploited as a zero-day since at least October 2022, roughly seven months of undetected exploitation against a subset of ESG appliances before anyone noticed.
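To make the bug class concrete, here is an added illustration written for this article. It is not Barracuda’s code: the ESG attachment module is Perl and is not reproduced here. Barracuda’s advisory describes the flaw as incomplete validation of the names of files inside a .tar attachment before they reach a shell-backed Perl qx call; the Python below reproduces that pattern generically, with an in-memory archive constructed as sample input and `echo` standing in for whatever scanner binary a real gateway would invoke, then shows the two changes that close it (an allowlist on member names, and passing the name as a single argv element instead of through a shell).

```python
import io
import re
import subprocess
import tarfile

# Allowlist for archive member names: ASCII letters/digits, dots, dashes and
# underscores, first character alphanumeric, at most 255 characters.
# This rejects anything a shell would interpret (space ; | & $ ` ( ) < > quotes),
# '../' traversal names (no '/'), and option-looking names such as '--help'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def build_archive(member_names):
    """Constructed sample input: an in-memory tar whose member names we choose."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            payload = b"not really a document"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def scan_vulnerable(archive_bytes):
    """The bug class: the member name is interpolated into a shell command string.

    This is what a Perl qx("... $name") call does: the shell parses the whole
    string, so metacharacters inside the name become additional commands.
    Returns the captured stdout of each invocation.
    """
    results = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            # BUG: untrusted name concatenated into a command line and run with shell=True
            proc = subprocess.run(f"echo scanning {member.name}",
                                  shell=True, capture_output=True, text=True)
            results.append(proc.stdout.strip())
    return results


def scan_hardened(archive_bytes):
    """Fix: validate names against the allowlist and never hand them to a shell."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not SAFE_NAME.fullmatch(member.name):
                results.append(("rejected", member.name))
                continue
            # argv list with shell=False: the name is one argument, never parsed by a shell
            proc = subprocess.run(["echo", "scanning", member.name],
                                  capture_output=True, text=True)
            results.append(("ok", proc.stdout.strip()))
    return results


if __name__ == "__main__":
    # Constructed sample: one benign name and one carrying a harmless injected command.
    archive = build_archive(["report.pdf", "a.pdf; echo INJECTED"])
    print(scan_vulnerable(archive))   # second entry shows INJECTED on its own line
    print(scan_hardened(archive))     # second entry is rejected before any command runs
```

The allowlist alone would stop this particular name, and the argv list alone would stop the shell from parsing it; both are kept because the allowlist also blocks traversal and option-injection names that an argv list does not protect against, and the argv list protects against any future name the allowlist is loosened to admit.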

Why patching wasn’t enough

This is the detail that sets CVE-2023-2868 apart from most perimeter-device CVEs. The attackers who exploited the flaw during that seven-month window did not just gain temporary access. They deployed custom malware built for persistence and ongoing data exfiltration, which Barracuda and Mandiant named SALTWATER (a trojanized module of the appliance’s SMTP daemon with backdoor functionality), SEASPY (a persistence backdoor posing as a legitimate Barracuda service and activated by specially crafted network traffic) and SEASIDE (a module that opens a reverse shell on command). Barracuda’s forensic investigation found that on some compromised appliances that malware persisted after the software patch was applied: the patch closed the injection vulnerability, but it did not remove an implant that had already established its own foothold on the device. Mandiant also observed the actor modifying its malware and adding persistence mechanisms in response to the remediation effort.

That finding drove Barracuda’s unusual remediation call. On June 6, 2023 the company told affected customers to replace compromised ESG appliances outright, regardless of patch version level, rather than trust a software fix to fully clean a potentially compromised unit, and it supplied the replacement hardware or virtual appliances at no cost. Full replacement is rarely recommended outside of firmware-level implant scenarios, and it signals how seriously Barracuda treated the risk of residual access.

Who was behind it

Mandiant, which led the forensic investigation, attributed the campaign with high confidence to UNC4841, a China-nexus espionage actor, and CISA published malware analysis reports on the implants recovered from affected appliances. The targeting pattern reinforced that assessment: Barracuda estimated that roughly 5% of active ESG appliances worldwide showed known indicators of compromise, concentrated on government and other high-value organizations, rather than the indiscriminate mass-scanning pattern typical of most perimeter-device bugs in CISA’s Known Exploited Vulnerabilities catalog (which listed CVE-2023-2868 on May 26, 2023).

What administrators should do

Organizations running affected ESG appliances were directed to Barracuda’s investigation findings to determine compromise status. Where indicators of compromise were present, Barracuda’s guidance was to discontinue use of the appliance and contact support for a replacement rather than rely on the patch alone; rotate every credential the appliance held or was connected to, including LDAP/Active Directory, Barracuda Cloud Control, FTP and SMB accounts and any private TLS certificates; and review network logs for the published indicators and for connections from unknown IP addresses. In August 2023 the FBI reiterated in a flash alert that the patches were ineffective against already-compromised units and that such appliances should be isolated and replaced immediately. Full detail on the incident and remediation guidance is in Barracuda’s security advisory and the NVD entry.

This article describes the vulnerability’s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.
