CVE-2023-7102

Severity: Critical
Published: 24 December 2023
Modified: 21 November 2024
KEV Added: none (not in the CISA KEV catalog)
Patch: (none recorded)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8249 (99.3rd percentile)
Risk Priority: 69 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-7102 is a critical-severity Use of Unmaintained Third Party Components (CWE-1104) vulnerability in Barracuda Email Security Gateway 300 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-7102 is a parameter-injection vulnerability in Barracuda Email Security Gateway (ESG) appliances that stems from the use of the third-party Spreadsheet::ParseExcel Perl library. The flaw affects firmware versions 5.1.3.001 through 9.2.1.001; Barracuda subsequently removed the vulnerable code path. The issue carries a CVSS 3.1 base score of 9.8, reflecting that it is exploitable over the network without authentication or user interaction and that successful exploitation fully compromises confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply a crafted Excel document that triggers the injection when parsed by the affected library, allowing arbitrary command execution on the appliance. Successful exploitation therefore grants an adversary the ability to run code with the privileges of the Barracuda ESG process, typically resulting in full device takeover.

Barracuda’s advisory states that the vulnerable logic has been removed from supported releases and recommends that customers still running the listed firmware versions apply the remediation or migrate to a fixed build. Public proof-of-concept code targeting the underlying Spreadsheet::ParseExcel utility and a detailed Mandiant disclosure are available, while the CVE’s EPSS score remains elevated near 0.82, indicating sustained exploitation interest after publication.

EU & UK References

Vulnerability details

Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection. This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.

CWE(s)

Related Threats

Threat-Actor Attribution (AI)

UNC4841
Mandiant (MNDT-2023-0019) attributes exploitation of the Barracuda ESG Spreadsheet::ParseExcel RCE flaws (CVE-2023-7101/7102) to UNC4841.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2023-7102 enables remote code execution via parameter injection in the public-facing Barracuda ESG Appliance due to a vulnerable third-party Excel parsing library (Spreadsheet::ParseExcel), facilitating exploitation of public-facing applications.

Affected Assets

Barracuda Email Security Gateway 300 firmware: 5.1.3.001 through 9.2.1.001
Barracuda Email Security Gateway 400 firmware: 5.1.3.001 through 9.2.1.001
Barracuda Email Security Gateway 600 firmware: 5.1.3.001 through 9.2.1.001
Barracuda Email Security Gateway 800 firmware: 5.1.3.001 through 9.2.1.001
Barracuda Email Security Gateway 900 firmware: 5.1.3.001 through 9.2.1.001
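The affected range above is the kind of data a vulnerability-management team matches against an asset inventory. The following Python script is an added example, not Barracuda tooling or code from this record: it encodes the listed ESG models and the 5.1.3.001 through 9.2.1.001 range, compares firmware builds numerically rather than as strings (a string comparison would place a hypothetical "10.0.0.001" before "5.1.3.001"), and sorts a constructed inventory into affected, not affected, and needs-review buckets. All hostnames and firmware values in the sample inventory are made up.

```python
from __future__ import annotations
import re

# Affected models and firmware range as listed in the CVE-2023-7102 record.
AFFECTED_MIN = "5.1.3.001"
AFFECTED_MAX = "9.2.1.001"
AFFECTED_MODELS = {"300", "400", "600", "800", "900"}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted firmware string into a tuple of ints.

    Numeric comparison matters: as strings, "10.0.0.001" sorts before
    "5.1.3.001", so a naive string range check would misclassify builds.
    int() drops the leading zeros in components such as "001".
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def _pad(parts: tuple[int, ...], width: int) -> tuple[int, ...]:
    # Right-pad with zeros so "9.2.1" and "9.2.1.001" compare component-wise.
    return parts + (0,) * (width - len(parts))


def in_affected_range(firmware: str) -> bool:
    """True when firmware lies inside [AFFECTED_MIN, AFFECTED_MAX], inclusive."""
    lo, hi, fw = (parse_version(v) for v in (AFFECTED_MIN, AFFECTED_MAX, firmware))
    width = max(len(lo), len(hi), len(fw))
    return _pad(lo, width) <= _pad(fw, width) <= _pad(hi, width)


def is_affected(model: str, firmware: str) -> bool:
    """True when the asset is a listed ESG model running an in-range build."""
    return model.strip() in AFFECTED_MODELS and in_affected_range(firmware)


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Split an inventory into affected / not_affected / review (unparseable version)."""
    result: dict[str, list[str]] = {"affected": [], "not_affected": [], "review": []}
    for asset in inventory:
        try:
            bucket = "affected" if is_affected(asset["model"], asset["firmware"]) else "not_affected"
        except ValueError:
            bucket = "review"  # version string could not be parsed; check by hand
        result[bucket].append(asset["host"])
    return result


# Constructed sample inventory: hostnames, models and builds are invented.
SAMPLE_INVENTORY = [
    {"host": "esg-dc1-01", "model": "400", "firmware": "9.2.0.062"},   # inside range
    {"host": "esg-dc1-02", "model": "400", "firmware": "5.1.3.001"},   # lower bound, affected
    {"host": "esg-dc2-01", "model": "900", "firmware": "9.2.1.001"},   # upper bound, affected
    {"host": "esg-dc2-02", "model": "900", "firmware": "9.2.1.002"},   # just above the range
    {"host": "esg-lab-01", "model": "300", "firmware": "10.0.0.001"},  # hypothetical later major
    {"host": "mail-relay", "model": "postfix", "firmware": "3.8.1"},   # not an ESG model
    {"host": "esg-old-01", "model": "600", "firmware": "unknown"},     # needs manual review
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts landing in the review bucket (no parseable version reported by the inventory source) should be treated as affected until confirmed otherwise, since the record's CVSS vector requires no authentication or user interaction.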

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-1104 (Use of Unmaintained Third Party Components):

- Security groups frequently discuss the maintenance status of third-party components, aiding identification and avoidance of unmaintained ones.
- Maintaining an accurate, reviewed inventory of all system components enables tracking of third-party software versions and maintenance status, reducing the risk of using unmaintained components.
- The maintenance policy requires regular updates and upkeep of systems and third-party components, directly reducing the presence of unmaintained software that attackers can exploit.
- Requiring quick access to maintenance support and spare parts after failure necessitates using actively supported components rather than unmaintained third-party ones.
- Contact with security communities directly informs personnel of unmaintained components and their vulnerabilities, reducing the likelihood of their continued use.
- Threat intelligence sharing directly informs organizations of newly discovered vulnerabilities and exploitation in third-party components, enabling timely updates or replacement before attackers can leverage them.
- Resource allocation in investment requests funds regular maintenance, patching, and updates of third-party components.
- Organization-wide SCRM policy includes ongoing evaluation of third-party component support lifecycles to avoid unmaintained dependencies.

References