Barracuda warns of email gateways breached via zero-day flaw

Barracuda, a company known for its email and network security solutions, warned customers today that some of their Email Security Gateway (ESG) appliances were breached last week by attackers exploiting a now-patched zero-day vulnerability.

On Friday, May 19, a vulnerability was discovered in the email attachment scanning module. The issue was addressed by applying two security patches on May 20 and 21.

While the flaw was patched over the weekend, Barracuda warned on Tuesday that some of its customers' ESG appliances were compromised through exploitation of the now-patched security bug.

“Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances,” the company said.

“Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers.”

The company’s other products, including SaaS email security services, were unaffected by this vulnerability.

Customers asked to check networks for intrusions

Barracuda said the investigation was limited to its ESG product and not the customers’ corporate networks. Therefore, the company advises impacted organizations to review their environments to confirm the threat actors did not spread to other devices on the network.

“If a customer has not received notice from us via the ESG user interface, we have no reason to believe their environment has been impacted at this time and there are no actions for the customer to take,” said Barracuda.

Today, Barracuda also addressed a login issue affecting Email Gateway Defense (EGD) appliances and a buggy spam scoring rule that led to customer emails being blocked incorrectly.

Barracuda says its enterprise-grade security solutions are now used by over 200,000 organizations worldwide, including Samsung, Mitsubishi, Kraft Heinz, Delta Airlines, and other high-profile companies.


The U.S. Cybersecurity and Infrastructure Security Agency on Friday added the remote code injection vulnerability impacting Barracuda ESG appliances to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023.

Source: BleepingComputer, Barracuda