Vulnerability Watch

Forum Discussion

scaveza
Product Team
3 years ago

CVE-2023-2868: Barracuda and FBI Recommend Replacing Email Security Gateway (ESG) Devices Immediately

On May 19, Barracuda published an incident report that detailed an investigation into a zero-day vulnerability in its Email Security Gateway (ESG) appliances known as CVE-2023-2868, a remote command injection vulnerability. Barracuda hired Mandiant to aid in its investigation into the vulnerability and identify indicators of compromise related to attacks linked to its exploitation. As part of the investigation, Mandiant discovered that attackers had been exploiting the vulnerability as a zero-day as early as October 2022. Both Mandiant and the Federal Bureau of Investigation (FBI) attribute the zero-day attacks exploiting CVE-2023-2868 to a People’s Republic of China (PRC) aligned threat actor. Mandiant refers to this group as UNC4841.

In an FBI flash alert (AC-000172-TT) published on August 23, the agency says that the “patches released by Barracuda in response to this CVE were ineffective,” adding that it continues to “observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit.” Following its investigation into the incident, Barracuda recommended the “immediate replacement of compromised ESG appliances, regardless of patch level.” This guidance was underscored by the FBI in its recent flash alert, as the agency “strongly advises all affected ESG appliances be isolated and replaced immediately.”

For more information about the vulnerability, including the availability of Tenable product coverage, please visit our blog.
