Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months


Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices.

The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), had been actively exploited for at least seven months prior to its discovery.

The flaw, which Barracuda identified on May 19, 2023, affects versions through and could allow a remote attacker to achieve code execution on susceptible installations. Patches were released by Barracuda on May 20 and May 21.

“CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances,” the network and email security company said in an updated advisory.
