Despite pushing out patches addressing vulnerabilities in its Email Security Gateway (ESG) appliances in May, today Barracuda issued an urgent warning that all affected devices must be taken offline and replaced immediately.
The ESG remote command injection vulnerability, tracked as CVE-2023-2868, had already been under active exploitation since October 2022, Barracuda said in its initial May 30 disclosure. A patch was released on May 20, but by June 6 it was determined that the patch and the subsequent script pushed out to counter unauthorized access were not enough to secure impacted ESG devices, according to the advisory.
“Impacted ESG appliances must be immediately replaced regardless of patch version level,” Barracuda warned its customers in an update. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”
Barracuda determined that some infected devices maintained persistent backdoor access, with some presenting evidence of data exfiltration, even after patching.
Mike Parkin, senior technical engineer with Vulcan Cyber, explained in a statement provided to Dark Reading that he suspects the threat actors found a way to make changes deep in the system firmware.
“By replacing the appliance, Barracuda can be absolutely certain they’ve eliminated a potential compromise in customer environments,” Parkin explained. “That is only an educated guess based on the timeline and their response.”
Parkin added that customers should take Barracuda’s warning seriously.
“If Barracuda is telling them to ‘take it out of service now, a replacement is on the way,’ then they should probably do exactly that,” Parkin added. “If a vendor tells you to pull a system out of service based on their own security advisory, why argue?”