CVE-2023-2868

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 24 May 2023
Modified: 24 October 2025
KEV Added: 26 May 2023
Patch
CVSS v3.1 Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.8921 (99.6th percentile)
Risk Priority: 92 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-2868 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Barracuda Email Security Gateway 300 Firmware. Its CVSS base score is 9.4 (Critical).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A remote command injection vulnerability affects the Barracuda Email Security Gateway appliance in versions 5.1.3.001 through 9.2.0.006. The flaw stems from incomplete input validation when processing .tar archives, specifically the names of files contained within them. An attacker can craft archive entries that cause Perl's qx operator to execute arbitrary system commands with the privileges of the Email Security Gateway product. The issue is tracked under CWE-20 and CWE-77 and carries a CVSS 3.1 score of 9.4.

An unauthenticated remote attacker can exploit the vulnerability by sending a specially formatted .tar file to the appliance. Successful exploitation grants the ability to run commands on the underlying system, potentially leading to full compromise of the email security gateway with impacts on confidentiality, integrity, and limited availability.
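As an added defensive illustration (not code from Barracuda, CISA or this advisory), the following Perl shows the general pattern the analysis describes, an untrusted archive entry name reaching Perl's qx operator, next to a hardened counterpart: entry names are checked against a strict allowlist before any use, and the external tool is invoked with the list form of system(), which never hands the name to a shell. The allowlist, the use of the `file` command, and the in-memory sample archive are assumptions made for this example, not details from the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Tar;   # core module; used here to build a sample archive in memory

# Allowlist for archive entry names (assumed policy for this example):
# letters, digits, dot, underscore, dash and '/' for subdirectories;
# no '..' path components and no component that starts with '-'.
sub entry_name_is_safe {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return 0 if $name =~ m{(^|/)\.\.(/|$)};          # path traversal component
    return 0 if $name =~ m{(^|/)-};                  # option-like component
    return $name =~ m{\A[A-Za-z0-9._/-]+\z} ? 1 : 0; # strict allowlist
}

# Unsafe pattern (shown for contrast, never executed here): interpolating an
# attacker-controlled name into qx passes the whole string to /bin/sh, so any
# shell metacharacters in the name are interpreted as commands (CWE-77).
#   my $out = qx{file $name};

# Hardened: reject anything outside the allowlist, then call the external tool
# with the list form of system(). With a list, Perl executes the program
# directly and the name is delivered as a single argument; no shell is involved.
sub scan_entry {
    my ($name) = @_;
    die "rejected entry name\n" unless entry_name_is_safe($name);
    my $rc = system('file', '--', $name);   # '--' also stops option parsing
    return $rc == 0;
}

# Filter an archive's entry names down to those that pass the allowlist.
sub safe_entry_names {
    my ($tar) = @_;
    return grep { entry_name_is_safe($_) } $tar->list_files;
}

# Constructed in-memory archive (not a real sample): one benign entry name and
# one carrying a shell metacharacter that the allowlist must reject.
my $tar = Archive::Tar->new;
$tar->add_data('report.txt',    "hello\n");
$tar->add_data('report;id.txt', "hello\n");

for my $name ($tar->list_files) {
    printf "%-20s %s\n", $name,
        entry_name_is_safe($name) ? 'accepted' : 'rejected';
}

# Only names that passed validation are ever handed to an external tool.
scan_entry($_) for safe_entry_names($tar);
```

The two controls are independent: the allowlist is what stops a hostile name from being processed at all, and the list form of system() is what guarantees that even a name which slips past validation is never parsed by a shell. Either alone would have been enough to break the injection path described above; using both is the usual defence-in-depth choice.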

Barracuda addressed the issue via patch BNSF-36456, which was automatically deployed to all customer appliances. Public advisories from Barracuda and CISA confirm the fix and note that the vulnerability has been observed in active exploitation campaigns.

The CVE appears in CISA's Known Exploited Vulnerabilities catalog. Its EPSS score reached a peak of 0.9145 and currently stands at 0.8921, indicating sustained exploitation interest after disclosure.

Vulnerability details

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product affecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar files (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of the BNSF-36456 patch. This patch was automatically applied to all customer appliances.

CWE(s): CWE-20, CWE-77

Related Threats

Threat-Actor Attribution (AI)

UNC4841
Mandiant publicly attributed mass exploitation of this Barracuda ESG zero-day to UNC4841 espionage operations (2023 reporting).

Affected Assets

Barracuda Email Security Gateway 300 Firmware: 5.1.3.001 through 9.2.0.006
Barracuda Email Security Gateway 400 Firmware: 5.1.3.001 through 9.2.0.006
Barracuda Email Security Gateway 600 Firmware: 5.1.3.001 through 9.2.0.006
Barracuda Email Security Gateway 800 Firmware: 5.1.3.001 through 9.2.0.006
Barracuda Email Security Gateway 900 Firmware: 5.1.3.001 through 9.2.0.006

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent, SI-10 (Information Input Validation): Directly requires validation and sanitization of untrusted input (tar archive file names) before it reaches Perl's qx operator, blocking the command-injection path.

Prevent, SI-2 (Flaw Remediation): Mandates timely application of vendor patches (BNSF-36456) that eliminate the unsanitized tar-processing flaw in the Email Security Gateway.

Detect: Enables monitoring of system processes and command execution on the appliance to identify anomalous behavior resulting from successful exploitation.