Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Remote Command Injection in Barracuda Email Security Gateway Appliance

IdentifiersCVE-2023-2868CWE-77· Improper Neutralization of Special…

CVE-2023-2868 is a remote command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances, affecting appliance form factor versions 5.1.3.001 through 9.2.0.006. The flaw is in the ESG attachment-scanning/processing path for user-supplied .tar archives. Barracuda stated the issue results from incomplete sanitization and input validation of filenames contained within a .tar file. A specially crafted archive can cause attacker-controlled filename data to be passed into Perl's qx operator, resulting in execution of system commands with the privileges of the ESG product. Barracuda fixed the issue in patch BNSF-36456, which was automatically applied to customer appliances.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote command execution on a vulnerable Barracuda ESG appliance. Barracuda reported the vulnerability was exploited in the wild to gain unauthorized access, deploy backdoor malware, and exfiltrate data. Multiple sources in the provided content also associate exploitation with follow-on malware deployment and persistent access on compromised ESG devices. Given the product’s role as an email security gateway, compromise can expose sensitive email traffic and create a foothold for further intrusion activity.

Mitigation

If you can’t patch tonight, do this now.

Until remediation and validation are complete, reduce exposure by tightly controlling inbound email attachment handling where operationally feasible, especially .tar archives, and monitor ESG appliances for Barracuda-published indicators of compromise. Review logs and telemetry for exploitation attempts, suspicious archive processing, unexpected outbound connections, and persistence artifacts. If an appliance shows signs of compromise, isolate and replace it, rotate credentials and secrets that may have been exposed, and assess downstream impact on connected mail infrastructure and internal systems.

Remediation

Patch, then assume compromise.

Apply Barracuda's fix for CVE-2023-2868, identified as patch BNSF-36456. The provided content states this patch was automatically applied to customer appliances. Verify the appliance is updated beyond the affected range and review Barracuda notifications for signs of exploitation. Where compromise is suspected or confirmed, follow Barracuda and government guidance to replace the appliance rather than relying solely on patching, because the content notes reports that patched-but-compromised appliances remained at risk. Conduct IOC-based investigation for malicious tar artifacts, backdoors, command-and-control activity, and evidence of data exfiltration.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app
poc-cve-2023-2868MaturityPoCVerified exploit

This repository contains a proof-of-concept exploit for CVE-2023-2868, a command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances. The repository consists of a Ruby script ('poc_cve_2023_2868.rb') and a README file. The exploit works by crafting a malicious tar archive containing a file with a payload that, when processed by the vulnerable ESG, executes a shell command to establish a reverse shell to the attacker's machine using OpenSSL. The script sends the malicious tar file as an email attachment to the target ESG via SMTP. The attacker must specify the target's IP address (RHOST) and have a listener running on their own machine (LHOST:LPORT) to receive the shell. The exploit demonstrates a full attack chain, including payload generation, archive creation, email delivery, and cleanup. The code is operational and can be used to gain remote shell access to vulnerable Barracuda ESG devices.

cfielding-r7Disclosed Jun 20, 2023rubynetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Barracuda NetworksEmail Security Gateway 300 Firmwareoperating_system
Barracuda NetworksEmail Security Gateway 400 Firmwareoperating_system
Barracuda NetworksEmail Security Gateway 600 Firmwareoperating_system
Barracuda NetworksEmail Security Gateway 800 Firmwareoperating_system
Barracuda NetworksEmail Security Gateway 900 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
recorded future blogNews
Feb 19, 2026
2025 Cloud Threat Hunting and Defense Landscape

A remote command injection / RCE vulnerability in Barracuda Email Security Gateway’s attachment scanning, triggered via crafted .tar attachments, used by UNC4841 to gain and maintain espionage access and deploy custom implants.

Read more
recorded future blogNews
Feb 19, 2026
2025 Cloud Threat Hunting and Defense Landscape

A Barracuda Email Security Gateway (ESG) remote command injection vulnerability in the attachment-scanning component, triggered via crafted email attachments (notably .tar archives) to execute arbitrary system commands; used in espionage campaigns linked to UNC4841.

Read more
recorded future blogNews
Feb 19, 2026
2025 Cloud Threat Hunting and Defense Landscape

A Barracuda Email Security Gateway (ESG) remote command injection vulnerability in the attachment-scanning component, triggered via crafted email attachments (notably .tar archives), used for long-term espionage and to deploy custom implants.

Read more
register securityNews
Sep 8, 2025
Salt Typhoon used dozens of domains, going back five years. Did you visit one?

A critical vulnerability in Barracuda Email Security Gateways (ESG) that was exploited by Chinese espionage group UNC4841 (Salt Typhoon) in 2023 to deploy custom malware and maintain persistent access to high-value networks, including government organizations.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware4

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-2868
NVD
nvd.nist.gov/vuln/detail/CVE-2023-2868
MITRE CWE · CWE-77
Improper Neutralization of Special Elements…
Vendor Advisory
status.barracuda.com/incidents/34kx82j5n4q9
Vendor Advisory
barracuda.com/company/legal/esg-vulnerability
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2868