- June 29, 2023: Research update.
- June 16, 2023: Published.
The Barracuda Email Security Gateway has a remote command injection vulnerability [CVE-2023-2868]. It could allow a remote attacker to format file names, allowing them to remotely execute a system command through the Perl qx operator with Email Security Gateway product privileges.
Affected Versions
Appliance form factor, versions 5.1.3.001-9.2.0.006.
Remediation & Mitigation
- Our security research team has completed investigations into possible scanning for this vulnerability. We have determined that a check at the version- and vulnerability-specific level is not possible to do without resorting to intrusive methods which we will not pursue.
- See potential exposure: The results of the product fingerprinting scan identifying companies using Barracuda ESG is available to customers. The scan is specific to Barracuda and does not include version information. Use this as evidence of potential exposure (not confirmed) based on the possible use of the affected product. Contact your Bitsight Customer Success Manager or Bitsight Support to learn more.