Barracuda fixes new ESG zero-day exploited by Chinese hackers


Cybersecurity experts from Barracuda recently discovered and patched a high-severity vulnerability in some of its email security gateway (ESG) devices.

The flaw, tracked as CVE-2023-7102, is an Arbitrary Code Execution (ACE) vulnerability found inside a third-party library called Spreadsheet::ParseExcel. This library is used by the Amavis virus scanner within the ESG appliance, the experts said. By crafting a custom Excel attachment, the attackers would be able to exploit the flaw and run pretty much any code on the vulnerable device, unabated.

Together with Mandiant, Barracuda’s researchers concluded that the flaw was being leveraged by a Chinese threat actor tracked as UNC4841. This group has been using the ACE flaw to drop new variants of SEASPY and SALTWATER malware.

Open source in danger

“On December 22, 2023, Barracuda deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants,” the company said in an announcement. No action from the user’s side is required, Barracuda concluded, adding that its investigation into the matter is ongoing. 

While Barracuda did address the issue within its own ecosystem, the open-source library remains vulnerable, the company stressed. “For organizations utilizing Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and promptly taking necessary remediation measures,” it concluded.

This is not the first time Barracuda’s ESG appliances have been targeted by UNC4841, as BleepingComputer notes. In May, the group used another zero-day vulnerability, CVE-2023-2868, as part of its cyber-espionage campaign. At the time, the company said the hackers had been abusing the flaw for more than half a year and were deploying previously unknown malware. Roughly a third of all targeted endpoints belonged to government agencies, Mandiant confirmed.

Barracuda claims to be servicing more than 200,000 organizations all over the world, including major brands such as Samsung, Mitsubishi, and Delta Airlines.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.