Email protection and network security services provider Barracuda is warning users about a zero-day flaw that it said has been exploited to breach the company’s Email Security Gateway (ESG) appliances.
The zero-day is being tracked as CVE-2023-2868 and has been described as a remote code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006.
The California-headquartered firm said the issue is rooted in a component that screens the attachments of incoming emails.
“The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives),” according to the advisory text as published in NIST’s National Vulnerability Database.
“The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product.”
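To make the flaw class concrete, the following is an added example and not Barracuda's code (the ESG source is not public and the page quotes only the advisory). It reproduces the pattern the advisory describes in Python rather than Perl: an archive's member names are read out of a .tar file and then either interpolated into a single command string (the qx-style anti-pattern) or validated against an allowlist and passed as a discrete argv element with no shell involved. The archive contents, the member names and the scanner path `/usr/local/bin/scan-attachment` are all constructed for this example.

```python
import io
import re
import tarfile

# Allowlist for one path component of an archive member name: letters, digits,
# dot, underscore and hyphen.  Everything a shell could interpret (";", "|",
# "&", "`", "$(...)", quotes, whitespace, newlines) is excluded by construction
# rather than chased with a denylist.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed sample member names (not a real captured attachment).  The first
# two are ordinary; the rest carry shell metacharacters or a path-traversal
# segment that a qx-style call would hand straight to /bin/sh.
SAMPLE_MEMBER_NAMES = [
    "quarterly-report.pdf",
    "notes/2023-05.txt",
    "invoice;id;.pdf",
    "img$(whoami).png",
    "../escape.txt",
]


def is_safe_member_name(name):
    """True only if the name is relative, has no '.'/'..' segments and every
    path component matches the allowlist."""
    if not name or name.startswith("/"):
        return False
    parts = name.split("/")
    return all(SAFE_COMPONENT.match(p) and p not in (".", "..") for p in parts)


def build_tar(names):
    """Build an in-memory tar archive whose members carry the given names.
    Constructed input for this example; member content is irrelevant."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"placeholder content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def member_names(tar_bytes):
    """List member names without extracting anything to disk."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return [m.name for m in tf.getmembers()]


def unsafe_members(tar_bytes):
    """Names in the archive that must never reach a shell-evaluating call."""
    return [n for n in member_names(tar_bytes) if not is_safe_member_name(n)]


def vulnerable_command_line(name):
    """The qx-style anti-pattern: the untrusted member name is interpolated into
    one string that a shell will parse.  Returned, never executed, so the
    injected metacharacters stay visible for inspection."""
    return f"/usr/local/bin/scan-attachment {name}"   # hypothetical scanner path


def scanner_argv(name):
    """Hardened form: validate first, then build an argv list for a no-shell
    exec (e.g. subprocess.run(argv, shell=False)); '--' ends option parsing.
    Raises instead of ever building a command string from a rejected name."""
    if not is_safe_member_name(name):
        raise ValueError(f"rejected archive member name: {name!r}")
    return ["/usr/local/bin/scan-attachment", "--", name]   # hypothetical scanner path


if __name__ == "__main__":
    archive = build_tar(SAMPLE_MEMBER_NAMES)
    for n in member_names(archive):
        print(f"{n!r:28} shell string: {vulnerable_command_line(n)!r}")
    print("rejected:", unsafe_members(archive))
```

The point of the contrast is that sanitising the command string after the fact is the wrong layer: the member name should be validated as data when the archive is parsed, and the scanner invoked with an argv list so that no shell ever tokenises it.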
The shortcoming, Barracuda noted, was identified on May 19, 2023, prompting the company to deploy a patch across all ESG devices worldwide a day later. A second fix was released on May 21 as part of its “containment strategy.”
Additionally, the company’s investigation uncovered evidence of active exploitation of CVE-2023-2868, resulting in unauthorized access to a “subset of email gateway appliances.”
The company, which has over 200,000 global customers, did not disclose the scale of the attack. It said affected users have been directly contacted with a list of remedial actions to take.
Barracuda has also urged its customers to review their environments, adding it’s still actively monitoring the situation.