Barracuda Networks issue added to CISA vulnerability list

A bug patched recently in email security hardware from Barracuda Networks was added Friday to the federal catalog of exploited vulnerabilities.

The company reported earlier this week that it pushed out two separate patches to its Email Security Gateway (ESG) appliance to fix a flaw “in a module which initially screens the attachments of incoming emails.”

The bug could allow an attacker to remotely execute system commands, according to the entry in the government’s Known Exploited Vulnerabilities database.

In posting the bug, tracked as CVE-2023-2868, the Cybersecurity and Infrastructure Security Agency warned federal agencies and the public that these types of vulnerabilities “are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

Barracuda Networks says it serves more than 200,000 customers worldwide, most of them small- and medium-sized enterprises. It did not report how many of the ESG appliances are in circulation.

No other Barracuda Networks products were affected, the company said.

“Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take,” the company said. “Barracuda has also reached out to these specific customers.”

The patches went out automatically on May 20 and May 21, Barracuda Networks said.

“We took immediate steps to investigate this vulnerability,” the company said. “Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances.”