A zero-day vulnerability first disclosed by Barracuda last week was actively exploited up to seven months ago, the security vendor said in an updated incident report Tuesday.
The sizable gap between the first known active exploitation of CVE-2023-2868 in October and Barracuda’s disclosure increases the potential for widespread compromise among customers using the security vendor’s email security gateway (ESG) appliances.
“Malware was identified on a subset of appliances allowing for persistent backdoor access,” the company said. Data exfiltration was also identified on a subset of impacted appliances.
Barracuda did not respond to questions about how many customers use its ESG appliances or how many customers are potentially compromised and had data stolen.
Barracuda was alerted to anomalous traffic on an ESG device on May 18, leading the company to hire Mandiant to assist with an investigation. Barracuda identified the zero-day vulnerability on May 19 and issued patches to all ESG devices on May 20 and May 21.
A subsequent series of security patches is also being deployed to all appliances, Barracuda said. The company maintains that no other products are impacted by the vulnerability.
Customers with ESG devices that were impacted have been notified, according to Barracuda. And known indicators of compromise were included in the latest update.
Barracuda, which also offers cloud-based email security services, had more than 200,000 customers when investment firm KKR acquired the company from Thoma Bravo in April 2022.