Enterprise security firm Barracuda is now urging customers affected by the recently uncovered zero-day flaw in its email security gateway (ESG) appliance to replace it immediately.
“Affected ESG appliances should be replaced immediately, regardless of patch version level,” the company said in an update. It’s an exchange,” he added.
This latest development reveals that a critical device flaw (CVE-2023-2868, CVSS score: 9.8) will be exploited as a zero-day to deliver bespoke malware and steal data for at least seven months from October 2022. This was done in response to Barracuda revealing that it had been
This vulnerability pertains to a remote code injection case affecting versions 5.1.3.001 through 9.2.0.006 due to incomplete validation of attachments contained in incoming emails. This issue was addressed on May 20, 2023 and he on May 21.
Three different malware families discovered so far have the ability to upload or download arbitrary files, execute commands, set persistence, and establish reverse shells to attacker-controlled servers.
The exact extent of the incident is still unknown. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended that federal agencies apply the patch by June 16, 2023.
