Published: June 9, 2023


A critical remote code injection vulnerability (CVE-2023-2868, CVSS score 9.8) exists in the Barracuda Email Security Gateway (ESG). The vulnerability arises from incomplete input validation of .tar files, specifically of the names of the files contained within the archive.


A remote attacker can format these file names in a particular manner that results in a system command being executed remotely through Perl's qx operator with the privileges of the Email Security Gateway product. A third party can use the technique described above to gain unauthorized access to a subset of ESG appliances. Malware that has been observed exploiting this vulnerability includes SALTWATER, SEASPY and SEASIDE.
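To make the input-validation point concrete, the following is an added Python example (not Barracuda's code and not the vendor's patch) that checks every member name in a .tar attachment against a strict allow-list before any name could be interpolated into a command string such as one passed to Perl's qx. The archive and its member names are constructed sample input; the allow-list pattern is an assumption chosen to exclude every character the shell treats specially.

```python
import io
import re
import tarfile

# Allow-list for archive member names: letters, digits, dot, underscore,
# slash and hyphen.  Anything else (backticks, $, ;, |, &, quotes, spaces,
# newlines, ...) is rejected rather than enumerated, because qx hands the
# interpolated string to /bin/sh and a deny-list is easy to get wrong.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]+$")


def unsafe_member_names(tar_bytes: bytes) -> list:
    """Return the member names in a .tar archive that fail validation.

    An empty list means every name is safe to use in a command string;
    a non-empty list means the archive should be rejected or quarantined.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            name = member.name
            # Absolute paths are rejected as well; they are never legitimate
            # in an attachment even though they pass the character check.
            if not SAFE_NAME.fullmatch(name) or name.startswith("/"):
                flagged.append(name)
    return flagged


def build_sample_tar(names) -> bytes:
    """Build an in-memory .tar with the given member names (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"sample content"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_tar(["report.pdf", "docs/notes.txt", "file;name.txt", "`name`.txt"])
    print(unsafe_member_names(sample))
```

The allow-list deliberately rejects spaces; if a gateway must accept names with spaces, the only safe alternative is to never build a shell string from the name at all and to pass it as a separate argument vector instead.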

Applicable Versions 

Barracuda Email Security Gateway (ESG) versions 

Mitigations and Workarounds 

Customers who use the physical Barracuda ESG appliance should take the device offline immediately and replace it. Barracuda’s advisory has instructions for contacting support. Users are also advised to rotate any credentials connected to the ESG appliance, including: 

  • Any connected LDAP/AD 
  • Barracuda Cloud Control 
  • FTP Server 
  • SMB 
  • Any private TLS certificates 

ESG appliance users should check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators Barracuda has released publicly (where possible). 

Best Practices 

Apply the latest updates from Barracuda on the ESG (Email Security Gateway) devices. It is advisable to run vulnerability scanning for detection and perform automated OS, application, and firmware patch management. 

Netsurion Detection and Response 

Our security analysts have added the IoCs (Indicators of Compromise – the hashes of malicious files and the IP addresses) to Netsurion’s Threat Center, our Threat Intelligence Platform. This will help detect malicious files and suspicious Command and Control communications to malicious IP addresses. Netsurion’s vulnerability management system will also detect the vulnerability (CVE-2023-2868) for customers who have subscribed to Netsurion Vulnerability Management.