Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Remote Command Injection in Barracuda Email Security Gateway Appliance

IdentifiersCVE-2023-2868CWE-78

CVE-2023-2868 is a remote command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances, affecting appliance form factor versions 5.1.3.001 through 9.2.0.006. The flaw is caused by incomplete input validation when the ESG attachment-scanning component processes user-supplied .tar archives. Specifically, filenames contained within a crafted .tar file are not comprehensively sanitized, allowing an attacker to format archive member names so they are passed into Perl's qx operator and interpreted as system commands. Successful exploitation results in remote execution of attacker-controlled commands in the context of the ESG product. Barracuda disclosed that the vulnerability had been actively exploited as a zero-day and that exploitation was associated with unauthorized access, deployment of backdoor malware, and data exfiltration.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote command execution on affected Barracuda ESG appliances. Reported real-world impact includes unauthorized access to the appliance, deployment of backdoors such as SALTWATER and other malware families, persistence on the device, and evidence of data exfiltration from compromised systems. Given the ESG's role as a mail security gateway, compromise can also create opportunities for further internal access and potential lateral movement. The content characterizes impact to confidentiality, integrity, and availability as high.

Mitigation

If you can’t patch tonight, do this now.

Limit exposure by closely monitoring ESG appliances for Barracuda-published indicators of compromise, including malicious .tar artifacts and known C2 or exfiltration infrastructure. Review appliance logs and telemetry for suspicious attachment-scanning activity and evidence of unauthorized access. If compromise is suspected or confirmed, isolate and replace the appliance rather than relying solely on patching. More generally, reduce trust in internet-facing edge appliances, maintain rapid patching, and apply compensating monitoring controls around mail gateway infrastructure.

Remediation

Patch, then assume compromise.

Barracuda fixed the issue in patch BNSF-36456 and stated that the patch was automatically applied to all customer appliances. Organizations should ensure affected ESG appliances are updated and verify they are running the latest Barracuda-provided software. However, the provided content also states Barracuda and the FBI advised replacement of compromised appliances because patching alone was considered ineffective once a device had been breached. Administrators should review Barracuda notifications, investigate for compromise, and replace any appliance with signs of exploitation.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app
poc-cve-2023-2868MaturityPoCVerified exploit

This repository contains a proof-of-concept exploit for CVE-2023-2868, a command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances. The repository consists of a Ruby script ('poc_cve_2023_2868.rb') and a README file. The exploit works by crafting a malicious tar archive containing a file with a payload that, when processed by the vulnerable ESG, executes a shell command to establish a reverse shell to the attacker's machine using OpenSSL. The script sends the malicious tar file as an email attachment to the target ESG via SMTP. The attacker must specify the target's IP address (RHOST) and have a listener running on their own machine (LHOST:LPORT) to receive the shell. The exploit demonstrates a full attack chain, including payload generation, archive creation, email delivery, and cleanup. The code is operational and can be used to gain remote shell access to vulnerable Barracuda ESG devices.

cfielding-r7Disclosed Jun 20, 2023rubynetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Barracuda NetworksEmail Security Gateway 300 Firmwareoperating_system
Barracuda NetworksEmail Security Gateway 400 Firmwareoperating_system
Barracuda NetworksEmail Security Gateway 600 Firmwareoperating_system
Barracuda NetworksEmail Security Gateway 800 Firmwareoperating_system
Barracuda NetworksEmail Security Gateway 900 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app
recorded future blogNews
Feb 19, 2026
2025 Cloud Threat Hunting and Defense Landscape

A remote command injection / RCE vulnerability in Barracuda Email Security Gateway’s attachment scanning, triggered via crafted .tar attachments, used by UNC4841 to gain and maintain espionage access and deploy custom implants.

Read more
recorded future blogNews
Feb 19, 2026
2025 Cloud Threat Hunting and Defense Landscape

A Barracuda Email Security Gateway (ESG) remote command injection vulnerability in the attachment-scanning component, triggered via crafted email attachments (notably .tar archives) to execute arbitrary system commands; used in espionage campaigns linked to UNC4841.

Read more
recorded future blogNews
Feb 19, 2026
2025 Cloud Threat Hunting and Defense Landscape

A Barracuda Email Security Gateway (ESG) remote command injection vulnerability in the attachment-scanning component, triggered via crafted email attachments (notably .tar archives), used for long-term espionage and to deploy custom implants.

Read more
register securityNews
Sep 8, 2025
Salt Typhoon used dozens of domains, going back five years. Did you visit one?

A critical vulnerability in Barracuda Email Security Gateways (ESG) that was exploited by Chinese espionage group UNC4841 (Salt Typhoon) in 2023 to deploy custom malware and maintain persistent access to high-value networks, including government organizations.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware4

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-2868
NVD
nvd.nist.gov/vuln/detail/CVE-2023-2868
MITRE CWE · CWE-78
cwe.mitre.org
Vendor Advisory
status.barracuda.com/incidents/34kx82j5n4q9
Vendor Advisory
barracuda.com/company/legal/esg-vulnerability
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2868