The earliest identified evidence of exploitation dates back to October 2022.

Edward Gately, Senior News Editor

June 1, 2023


Barracuda Networks has disclosed a zero-day vulnerability in its Email Security Gateway (ESG) appliances that has been exploited for the past eight months.

On May 19, Barracuda was alerted to anomalous traffic originating from ESG appliances. ESG manages and filters all inbound and outbound email traffic to protect organizations from email-borne threats and data leaks.

Barracuda sent us the following statement:

“Barracuda recently became aware of a security incident impacting our ESG. The incident resulted from a previously unknown vulnerability in our ESG. A security patch to address the vulnerability was applied to all ESG appliances worldwide on May 20. Based on our investigation to date, we’ve identified unauthorized access affecting a small subset of appliances. As a mitigating measure, all appliances have received a second patch on May 21, addressing the indicators of potential compromise identified to date.”

Software Vulnerability Didn’t Impact Other Barracuda Products

The zero-day vulnerability existed in a module that performs the initial screening of incoming email attachments, Barracuda said in an incident report. No other Barracuda products, including its SaaS email security services, were subject to this vulnerability.

The earliest identified evidence of exploitation dates back to October 2022.

“Malware was identified on a subset of appliances allowing for persistent backdoor access,” Barracuda said. “Evidence of data exfiltration was identified on a subset of impacted appliances.”

Mandiant is assisting Barracuda in its investigation of the vulnerability and resulting exploitation.

“We have reached out to the specific customers whose appliances are believed to be impacted at this time,” Barracuda said. “If a customer has not received notice from us via the ESG user interface, we have no reason to believe their environment has been impacted at this time and there are no actions for the customer to take. We thank you for your understanding and support as we work through this issue and sincerely apologize for any inconvenience it may cause.”

Lengthy Exploitation ‘Not Entirely Surprising’

Vulcan Cyber’s Mike Parkin

Mike Parkin, senior technical engineer at Vulcan Cyber, said while it’s concerning that the zero-day vulnerability in Barracuda’s ESG appliances went undetected as long as it did, it’s not entirely surprising given the nature of many security appliances.

“There are a lot of times when an appliance like the ESG is deployed and left in a ‘set it and forget it’ configuration after the initial tuning,” he said. “With automatic updates enabled, there’s often not a lot of interaction unless something goes wrong. Fortunately, Barracuda is responding appropriately now that the vulnerability has come to light. Also, compared to the number of organizations that rely entirely on cloud-based email solutions, such as Microsoft 365 and Google’s G Suite, relatively few organizations still run their own email services and rely on on-premises appliances.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
