Immediately rip out and replace our security hardware • Graham Cluley

Barracuda: Remove and replace security hardware immediately

If you look at the URL, you should know that things are serious.

https://www.barracuda.com/company/legal/esg-vulnerability

Barracuda Networks has submitted a security advisory in the ‘legal’ section

And there was a very enthusiastic attempt to highlight the company’s commitment to protecting your data… they definitely didn’t want you to miss it.


We are committed to protecting your data

The big friendly letters reminded me, quite aptly, of the famous saying “Don’t Panic!” on the cover of The Hitchhiker’s Guide to the Galaxy…

But if you’re feeling panic, I probably can’t blame you. That’s because security firm Barracuda Networks is warning people about security vulnerabilities in its Email Security Gateway (ESG) appliances.

But beyond that, Barracuda has taken a step that is unusual for a network security vendor: telling customers to physically remove and decommission their hardware.

Action Notice: Affected ESG appliances should be replaced immediately regardless of patch version level. If you haven’t replaced your appliance after receiving a notification in the UI, contact support now ([email protected]).

Barracuda’s current recommended remedy is to replace the affected ESG entirely.

That is correct. Barracuda isn’t telling you to patch the appliances that scan your incoming and outgoing email for malware. It wants you to remove them and replace them.


Hackers have clearly exploited a security vulnerability in the Barracuda Email Security Gateway appliance, and patches cannot drive them out.

There may be over 10,000 Barracuda ESG appliances in use worldwide. And malicious exploits against vulnerable Barracuda ESG appliances appear to have taken place since at least October 2022.

No wonder Barracuda has taken legal advice on how to communicate this to customers.

“Don’t you panic?”



Graham Cluley is a cybersecurity industry veteran and has worked for many security companies since the early 1990s when he created the first version of Dr. Solomon’s Antivirus Toolkit for Windows. He is now an independent analyst who makes regular media appearances and is an international speaker on the subject of cybersecurity, hackers and online privacy.


