Barracuda has warned its customers that some of its Email Security Gateway appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.
The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening. The issue was discovered on May 19, and the company fixed it with the release of two security patches on May 20 and 21.
The security flaw could have a significant impact because the affected Email Security Gateway appliances are used by hundreds of thousands of organizations worldwide, including several high-profile businesses.
The bug doesn’t impact other Barracuda products, and the company states that its SaaS email security services are not affected by this issue.
Barracuda investigated the flaw and discovered that it was exploited to target a subset of email gateway appliances. The company used the ESG user interface to notify the customers whose appliances it believes were impacted.
Barracuda says that the investigation was limited to its ESG product and did not cover the customers’ specific environments. Impacted organizations are advised to review their networks to determine if other systems were compromised by the attackers.