Skip to main content
close search
site logo
Dive Brief

Barracuda patches actively exploited zero-day vulnerability in email gateways

Published May 25, 2023
Matt Kapko's headshot
Senior Reporter
a swarm of barracudas
iStock/Getty Images Plus via Getty Images

Dive Brief:

  • A zero-day vulnerability in Barracuda’s email security gateway appliance was actively exploited to gain unauthorized access in a “subset” of the devices, the security vendor said in an incident report Tuesday.
  • Barracuda first identified the vulnerability, CVE-2023-2868, on May 19 and applied a security patch to all impacted appliances globally on May 20. A second patch, which the company said was part of its containment strategy, was issued to the devices on May 21, Barracuda said. 
  • The remote command injection vulnerability in a module for email attachment screening can be exploited by a threat actor to remotely execute system commands in Barracuda’s product. Barracuda declined to answer questions about how many customers were impacted and what, if any, customer data was compromised.

Dive Insight:

Vulnerabilities are more damaging when they threaten products organizations rely on for defense and this flaw in particular could lead to problems because it’s an additional security layer on a product.

Common vulnerabilities and exposures (CVEs) are on pace to average more than 1,900 per month this year, according to a report insurance provider Coalition released in February.

The products and services sold by security vendors are also susceptible to vulnerabilities that can be exploited by threat actors they’re designed to thwart.

Barracuda said all customers with appliances impacted by the vulnerability have been notified and no other products or services from the vendor were subject to the vulnerability.

The company declined to answer questions about how many email security gateway appliances are currently in use or potentially impacted.

Barracuda, which also offers cloud-based email security services, had more than 200,000 customers when investment firm KKR acquired the company from Thoma Bravo in April 2022.

“Barracuda’s investigation was limited to the ESG product, and not the customer’s specific environment,” the company said in the incident report. “Therefore, impacted customers should review their environments and determine any additional actions they want to take.”

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell