On Barracuda ESG Remote Command Injection

How it all started

Barracuda, a firm that offers solutions in email, data, network and application security, released an advisory reporting a Remote Code Execution (RCE) vulnerability in the Barracuda Email Security Gateway (ESG), affecting versions 5.13.001 to 9.2.0.006.

Furthermore, this zero-day vulnerability, tracked as CVE-2023-2868, had been exploited as early as October 2022. In response, Barracuda engaged in an investigation together with Mandiant that uncovered a connection to a China-based nation-state actor tracked as UNC4841.

According to Barracuda, the vulnerability was caused by incomplete input validation of user-supplied .tar files, specifically of the names of the files contained within the archive. An attacker could therefore craft file names in a specific way that would lead to remote code execution through Perl's qx operator, which is all the more severe considering the privileges the ESG product runs with.
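To make the root cause concrete, here is an added Perl illustration of the two sides of the problem described above. It is not Barracuda's code and not the actual ESG parser; the function names, the allowlist and the sample member names are all invented for this example. It shows the anti-pattern (interpolating an archive member name into qx(), which hands the string to a shell) next to a hardened alternative: every member name is checked against a strict allowlist before any use, and external commands are run with list-form system(), which passes arguments literally and never invokes a shell.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Tar;    # core module; parses .tar headers itself, no shell involved

# Allowlist check for one archive member name. Rejects anything that could
# act as a shell metacharacter, plus absolute paths, '..' traversal and
# path components beginning with '-' (which tar could parse as options).
sub is_safe_member_name {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return 0 if $name =~ m{\A/};                         # absolute path
    return 0 unless $name =~ m{\A[A-Za-z0-9._/-]+\z};    # allowlist only
    for my $part (split m{/}, $name) {
        return 0 if $part eq '..';                       # traversal
        return 0 if $part =~ m{\A-};                     # looks like an option
    }
    return 1;
}

# Return the member names of an archive that fail the check. Because
# Archive::Tar reads the headers directly, names never reach a shell here.
sub unsafe_members_in {
    my ($archive_path) = @_;
    my $tar = Archive::Tar->new($archive_path)
        or die "cannot read $archive_path: " . Archive::Tar->error . "\n";
    return grep { !is_safe_member_name($_) } $tar->list_files;
}

# Anti-pattern of the kind the advisory describes: interpolating a member
# name into qx() sends the whole string through /bin/sh, so metacharacters
# inside the name are interpreted as shell syntax.
#     my $out = qx(tar -xf $archive_path $member);    # DO NOT DO THIS
#
# Hardened form: list-form system() passes each argument literally (no shell),
# and it only runs once the name has passed the allowlist.
sub extract_member_safely {
    my ($archive_path, $member) = @_;
    die "refusing member name that failed validation: $member\n"
        unless is_safe_member_name($member);
    my $rc = system('tar', '-xf', $archive_path, '--', $member);
    return $rc == 0;
}

# Constructed sample names, not taken from any real archive or incident.
my @samples = (
    'reports/2023/q1-summary.txt',
    'attachments/invoice_042.pdf',
    '/etc/passwd',
    '../../tmp/escape.txt',
    '-rf',
    'note.txt; echo hi',
    'report$(date).txt',
    'a b.txt',
);

for my $name (@samples) {
    printf "%-32s %s\n", $name, is_safe_member_name($name) ? 'ok' : 'REJECT';
}

# Optional: screen a real archive given on the command line.
if (@ARGV) {
    my @bad = unsafe_members_in($ARGV[0]);
    print @bad
        ? "unsafe member names:\n" . join('', map { "  $_\n" } @bad)
        : "all member names passed\n";
}
```

Run it with no arguments to see the allowlist decision for each constructed sample, or pass a path to a .tar file to list any member names that would be rejected. The design point is that validation and shell avoidance are separate defenses: the allowlist limits what a name may contain, and list-form system() guarantees that whatever gets through is never interpreted by a shell.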

With that initial foothold in the system, the threat actor used three families of malware to maintain a presence on the ESG appliances, referred to as SALTWATER, SEASPY, and SEASIDE.

To overcome this issue, Barracuda released a security patch on May 20th and posted some Indicators of Compromise (IoC) for security teams to address within their own environments.

What’s happening now?

Despite this release, the FBI recently warned that the flaw is still being targeted and that even ESG appliances running the patches remain at risk. This issue has allowed the attackers to perform lateral movement attacks (move from compromised hosts to other hosts within the network) to send more malicious emails and further advance the impact.

What can you do to stay safe?

The FBI advised organizations to remove all ESG appliances immediately to avoid further damage. This is the latest piece of advice since the hardening report – along with several recommendations released by Mandiant – was posted about two months ago.

From a high-level perspective, events like these are an increasing trend. Therefore, the approach for your organization shouldn’t be to simply avoid the threat, but rather prepare for it as it could come quietly. Part of that preparation requires you to have a solid understanding of your weaknesses and keep thorough monitoring and adequate incident response capabilities. Here at Red Sentry, we have the human expertise and the tools you need to improve your cybersecurity, including a prioritized list of vulnerabilities to address and the remediation steps to fix them. Schedule a pentest and get a free scan with us today.

Andres Pena
Security engineer, developer and economist
