>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2023-2868

Barracuda Email Security Gateway Zero-Day Remote Command Injection

A remote command-injection vulnerability in Barracuda Email Security Gateway (ESG) appliances, exploited as a zero-day for at least seven months before it was discovered, gave attackers a persistent backdoor. For confirmed-compromised units, remediation required full appliance replacement rather than a patch alone.

cat cve-2023-2868.json
Vendor: Barracuda
Product: Email Security Gateway
CVSS: 9.8
Status: KEV
Published:
CVE-2023-2868 is a remote command-injection vulnerability in Barracuda Networks' Email Security Gateway (ESG) appliances, versions 5.1.3.001 through 9.2.0.006. It arises from incomplete input validation in the module that screens incoming email attachments: the names of files inside a user-supplied .tar attachment were not sanitized, so a remote attacker could craft them to execute system commands through Perl's qx operator with the privileges of the ESG product. Barracuda disclosed it on May 23, 2023, after finding evidence that the flaw had been actively exploited since at least October 2022, roughly seven months of undetected zero-day exploitation against a subset of ESG appliances.
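The bug class behind this CVE, shown as an added example in Python (this is not Barracuda's code; the ESG screener was written in Perl and used the qx operator, and `echo scanning` here stands in for whatever scanner binary the real module invoked, which is an assumption for the demo). A constructed .tar attachment carries a member whose name contains shell metacharacters; `scan_vulnerable` interpolates that name into a shell command string exactly as a qx call would, while `scan_hardened` allowlists member names before they reach any command and passes the name as a discrete argument so no shell ever parses it.

```python
import io
import re
import subprocess
import tarfile


def build_attachment(member_name):
    """Constructed sample: an in-memory .tar with one member named member_name."""
    payload = b"harmless content\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def member_names(attachment):
    """Return the member names an attachment screener would iterate over."""
    with tarfile.open(fileobj=io.BytesIO(attachment), mode="r") as tar:
        return tar.getnames()


def scan_vulnerable(attachment):
    """Bug class mirrored from the advisory: the untrusted member name is
    interpolated into a shell command string (the ESG code used Perl's qx;
    shell=True in Python behaves the same way), so metacharacters in the
    name are executed as commands. 'echo scanning' is an assumed stand-in
    for the real scanner binary."""
    output = []
    for name in member_names(attachment):
        proc = subprocess.run(f"echo scanning {name}", shell=True,
                              capture_output=True, text=True)
        output.append(proc.stdout)
    return "".join(output)


# Allowlist for member names: must start alphanumeric (rules out '.', '..' and
# '-option' injection), then a conservative character set, capped at the
# classic 100-byte tar name field.
SAFE_MEMBER_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def scan_hardened(attachment):
    """Hardened form: reject names outside the allowlist before they reach any
    command, and invoke the scanner with an argument list so the name is never
    parsed by a shell."""
    output = []
    for name in member_names(attachment):
        if not SAFE_MEMBER_NAME.fullmatch(name):
            raise ValueError(f"rejected attachment member name: {name!r}")
        proc = subprocess.run(["echo", "scanning", name],
                              capture_output=True, text=True)
        output.append(proc.stdout)
    return "".join(output)


if __name__ == "__main__":
    hostile = build_attachment("report.txt; echo INJECTED")
    print(scan_vulnerable(hostile), end="")   # second line proves the injected command ran
    try:
        scan_hardened(hostile)
    except ValueError as exc:
        print(exc)
    print(scan_hardened(build_attachment("report.txt")), end="")
```

Two points carry over to any attachment-screening pipeline: the name inside an archive is attacker-controlled input in exactly the same way the email body is, and validation has to happen before the name is used, not after (list-form execution alone would still let a hostile name reach the scanner as an argument, which is why the allowlist is applied first).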

Why it mattered

The attackers used their access to deploy custom malware for persistence and data exfiltration. Unusually, Barracuda's investigation found that some compromised appliances remained backdoored after the software patch was applied, because the malware had established persistence mechanisms that the patch did not remove. On June 6, 2023, Barracuda made the rare call to tell affected customers to replace compromised appliances outright rather than trust a software fix alone, a remediation step seldom seen outside firmware-level implants.

CISA and threat intelligence researchers linked the campaign to a China-nexus espionage actor (Mandiant, which led the investigation, tracks it as UNC4841) that targeted a relatively small number of government and high-value organizations, distinguishing this from the mass-exploitation pattern seen with many other perimeter-device CVEs. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Full detail on the incident and remediation guidance is in Barracuda's security advisory and in the NVD record for CVE-2023-2868.