Email protection and network security services provider Barracuda is warning users about a zero-day flaw that it said has been exploited to breach the company’s Email Security Gateway (ESG) appliances.
The zero-day is being tracked as CVE-2023-2868 and has been described as a remote code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006.
The California-headquartered firm said the issue is rooted in a component that screens the attachments of incoming emails.
“The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives),” according to an advisory from the NIST’s national vulnerability database.
“The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product.”
The shortcoming, Barracuda noted, was identified on May 19, 2023, prompting the company to deploy a patch across all ESG devices worldwide a day later. A second fix was released on May 21 as part of its “containment strategy.”
Additionally, the company’s investigation uncovered evidence of active exploitation of CVE-2023-2868, resulting in unauthorized access to a “subset of email gateway appliances.”
The company, which has over 200,000 global customers, did not disclose the scale of the attack. It said affected users have been directly contacted with a list of remedial actions to take.
Barracuda has also urged its customers to review their environments, adding it’s still actively monitoring the situation.
The identity of the threat actors behind the attack is currently not known, but Chinese and Russian hacking groups have been observed deploying bespoke malware on vulnerable Cisco, Fortinet, and SonicWall devices in recent months.
The development comes as Defiant alerted of large-scale exploitation of a now-fixed cross-site scripting (XSS) flaw in a plugin called Beautiful Cookie Consent Banner (CVSS score: 7.2) that’s installed on over 40,000 sites.
The WordPress security company said it “blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.”
The U.S. Cybersecurity and Infrastructure Security Agency on Friday added the remote code injection vulnerability impacting Barracuda ESG appliances to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023.