- A zero-day vulnerability in Barracuda’s email security gateway appliance was actively exploited to gain unauthorized access in a “subset” of the devices, the security vendor said in an incident report Tuesday.
- Barracuda first identified the vulnerability, CVE-2023-2868, on May 19 and applied a security patch to all impacted appliances globally on May 20. Barracuda said it issued a second patch to the devices on May 21 as part of its containment strategy.
- The remote command injection vulnerability in a module for email attachment screening can be exploited by a threat actor to remotely execute system commands in Barracuda’s product. Barracuda declined to answer questions about how many customers were impacted and what, if any, customer data was compromised.
Vulnerabilities are more damaging when they threaten products organizations rely on for defense, and this flaw in particular could lead to problems because it sits in an additional security layer on a product.
Common vulnerabilities and exposures (CVEs) are on pace to average more than 1,900 per month this year, according to a report insurance provider Coalition released in February.
The products and services sold by security vendors are also susceptible to vulnerabilities that can be exploited by threat actors they’re designed to thwart.
Barracuda said all customers with appliances impacted by the vulnerability have been notified and no other products or services from the vendor were subject to the vulnerability.
The company declined to answer questions about how many email security gateway appliances are currently in use or potentially impacted.
Barracuda, which also offers cloud-based email security services, had more than 200,000 customers when investment firm KKR acquired the company from Thoma Bravo in April 2022.
“Barracuda’s investigation was limited to the ESG product, and not the customer’s specific environment,” the company said in the incident report. “Therefore, impacted customers should review their environments and determine any additional actions they want to take.”