CVE-2023-2868
Published May 24, 2023
Last updated 8 months ago
AI description
CVE-2023-2868 is a remote command injection vulnerability found in Barracuda Email Security Gateway (ESG) appliances, specifically affecting versions 5.1.3.001 through 9.2.0.006. The flaw stems from inadequate sanitization during the processing of `.tar` file attachments in incoming emails. Attackers exploited this by crafting malicious `.tar` files, where manipulated filenames within the archive allowed for the execution of system commands with the privileges of the ESG product. This vulnerability was actively exploited in the wild by threat actors since at least October 2022, prior to its public disclosure by Barracuda in May 2023. Exploitation enabled unauthorized execution of commands, leading to capabilities such as persistent access, email scanning, credential harvesting, and data exfiltration. While Barracuda initially issued patches, the company later advised customers to decommission and replace affected physical ESG appliances due to the deep and persistent nature of the compromise.
- Description
- A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product affecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar files (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of the BNSF-36456 patch. This patch was automatically applied to all customer appliances.
- Source
- cve-coordination@google.com
- NVD status
- Analyzed
- Products
- email_security_gateway_300_firmware, email_security_gateway_400_firmware, email_security_gateway_600_firmware, email_security_gateway_800_firmware, email_security_gateway_900_firmware
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Data from CISA
- Vulnerability name
- Barracuda Networks ESG Appliance Improper Input Validation Vulnerability
- Exploit added on
- May 26, 2023
- Exploit action due
- Jun 16, 2023
- Required action
- Apply updates per vendor instructions.
Metasploit adds 3 new exploit modules including CVE-2026-23767 (ESC/POS printers), CVE-2025-12548 (Eclipse Che RCE), and CVE-2023-2868 (Barracuda ESG). Enhanced NTLM relay capabilities now support broader client compatibility. #DFIR_Radar https://t.co/qx2DMa2Rh4
@DFIR_Radar
28 Mar 2026
Metasploit adds 3 new exploit modules including CVE-2026-23767 (ESC/POS printer RCE), CVE-2025-12548 (Eclipse Che unauthenticated RCE), and CVE-2023-2868 (Barracuda ESG command injection). Enhanced NTLM relay compatibility with Linux smbclient. #DFIR_Radar https://t.co/kTThThSAH
@DFIR_Radar
28 Mar 2026
The latest #Metasploit Wrapup is here! 🎉 This week brings enhanced SMB NTLM relaying for better client compatibility (including smbclient), plus new modules for RCE in Eclipse Che (CVE-2025-12548), Barracuda ESG command injection (CVE-2023-2868), and an ESC/POS printer injecto
@metasploit
27 Mar 2026
Early 2026 reports show rising cloud compromises via misconfigured services and CVE-2023-3519, CVE-2023-2868, CVE-2021-43798 exploitation, expanding victim impact across sectors. #CloudSecurity https://t.co/JtGxVn3keB
@threatcluster
19 Feb 2026
Actively exploited CVE : CVE-2023-2868
@transilienceai
11 Mar 2025
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:barracuda:email_security_gateway_300_firmware:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "F270DBDA-EE31-4AF0-8743-D742467485CF",
            "versionEndIncluding": "9.2.0.006",
            "versionStartIncluding": "5.1.3.001",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:barracuda:email_security_gateway_300:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "824DAE15-3628-4346-947E-C33FA46AADE6",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:barracuda:email_security_gateway_400_firmware:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "4A9B9E0B-F8D4-4626-AD39-BD525D638693",
            "versionEndIncluding": "9.2.0.006",
            "versionStartIncluding": "5.1.3.001",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:barracuda:email_security_gateway_400:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "ACD3DD62-D690-47F9-8416-61AD78B33699",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:barracuda:email_security_gateway_600_firmware:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "83D228EA-35C8-4B6E-9D22-CF0F7C20362B",
            "versionEndIncluding": "9.2.0.006",
            "versionStartIncluding": "5.1.3.001",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:barracuda:email_security_gateway_600:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "6C507D86-2E68-44A4-A31C-EEF9A6BBEE54",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:barracuda:email_security_gateway_800_firmware:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "8ADAC6B0-DE92-41F6-B8B1-1C830BB70C24",
            "versionEndIncluding": "9.2.0.006",
            "versionStartIncluding": "5.1.3.001",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:barracuda:email_security_gateway_800:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "74D999D5-6CE5-49F7-A0C5-0B44704FEE45",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:barracuda:email_security_gateway_900_firmware:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "C5A27A43-E632-4C8A-A9F8-49C6E091E7ED",
            "versionEndIncluding": "9.2.0.006",
            "versionStartIncluding": "5.1.3.001",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:barracuda:email_security_gateway_900:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "FFA6EA4B-B0FF-437B-A48E-F11D0CD5EB2B",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]