Barracuda’s email security gateway appliances, which were compromised by a zero-day vulnerability disclosed last month, need to be scrapped and replaced immediately, the company said Tuesday in an action notice.

The vulnerability, CVE-2023-2868, has been actively exploited for at least eight months. Despite a series of patches issued to all appliances last month, Barracuda said, regardless of patch version level, its “remediation recommendation at this time is full replacement of the impacted ESG.”

Barracuda’s decision to effectively retire all compromised ESG appliances is akin to an admission the company could not fully remove threat actor access and recover the devices for customers, according to experts.

“I think it’s crystal clear,” Mauricio Sanchez, research director at Dell’Oro Group, said via email. “It’s unfortunately a complete face plant for Barracuda. Having an appliance become scrap inside a customer’s environment is the worst-case scenario.”

Barracuda estimates about 5% of active ESG appliances worldwide have shown evidence of known indicators of compromise due to the vulnerability.

“Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances,” the company said Friday in a statement.

Barracuda declined to answer questions about long-term product integrity, but said it will provide replacement products to impacted customers at no cost. It’s also unclear if ESG appliances that weren’t previously compromised are still susceptible to the vulnerability down the line.

Actively exploited vulnerabilities can render hardware a complete loss, but it’s rare and usually involves a weakness in the firmware that adversaries have taken advantage of, according to Sanchez.

The remote command injection vulnerability in a module for email attachment screening was exploited by a threat actor to install malware on a “subset of appliances allowing for persistent backdoor access,” Barracuda said in a June 1 update.

“Barracuda’s latest guidance is an unmistakable indicator that the containment strategy they had implemented earlier, which including pushing patches out to affected appliances, was not enough to definitively eradicate threat actor access to compromised systems,” Caitlin Condon, senior manager of security research at Rapid7, said via email.

“It’s very unlikely that all devices are compromised, but their assessment appears to be that all physical appliances are susceptible to total takeover that persists beyond a complete reset of the device — hence the guidance,” Condon said.

Barracuda, which also offers cloud-based email security services, had more than 200,000 customers when investment firm KKR acquired the company from Thoma Bravo in April 2022. The company did not answer questions about how it might be helping impacted customers transition to a cloud-based ESG offering.

The global network security market for hardware and cloud-based services reached $5.3 billion in the first quarter of 2023, according to Dell’Oro Group. Physical appliances accounted for $3.2 billion with virtual and SaaS-based services capturing the remainder.

Hardware growth is slowing as more businesses adopt cloud-based offerings. “Over the three-year period of 2019 to 2022, the hardware market grew at about a 6% compound annual growth rate. Virtual and SaaS together grew at about 30% CAGR,” Sanchez said.

“On a quarter basis,” Sanchez said, “the behavior is much the same and I expect the momentum in each to continue for the next several years.”