Barracuda Security Update – 26 December 2023

Barracuda has released a security update to address two zero-day vulnerabilities across multiple versions of Email Security Gateway (ESG) appliances.

The addressed vulnerabilities could allow a remote attacker to execute arbitrary code within the third-party library “Spreadsheet::ParseExcel” on an affected Barracuda ESG appliance by means of a specially crafted Excel email attachment.

Sample of the addressed vulnerabilities:

Barracuda ESG Appliance Code Execution Vulnerability (CVE-2023-7102):

  • CVSS: 9.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Gain Access

The addressed vulnerabilities are being actively exploited in the wild by many threat actors to deploy their malware.

Vulnerabilities

  • CVE-2023-7101
  • CVE-2023-7102

Mitigations

Enterprises should deploy this patch as soon as their testing phase is completed.

Barracuda Security Update
