IRONSMITHINTEL
Severity: CRITICAL (CVSS 9.4) | Actively Exploited | CISA KEV | CVE-2023-2868 | Auth: none (unauthenticated) | Reboot: required | Manual only

Barracuda Networks ESG Appliance Improper Input Validation Vulnerability (CVE-2023-2868)

Barracuda Email Security Gateway (ESG) appliance contains an improper input validation vulnerability of a user-supplied .tar file, leading to remote command injection.

Published May 24, 2023 · Updated May 29, 2026
Why patch: Risk explained in plain English
Worst-case scenario: If unpatched

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, and partial service disruption. Federal agencies are required to remediate by 2023-06-16 under CISA BOD 22-01.

How the attack works: No clicks needed

This is an Improper Input Validation (CWE-20) vulnerability in Barracuda Networks Email Security Gateway (ESG) Appliance. A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product, affecting versions 5.1.3.001-9.2.0.006. The vulnerability arises from a failure to comprehensively sanitize .tar files (tape archives) during processing: input validation of a user-supplied .tar file is incomplete as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can format these file names in a particular manner that results in remote execution of a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of the BNSF-36456 patch. This patch was automatically applied to all customer appliances. Exploitation requires remote network access and has low attack complexity; no authentication and no user interaction are required.
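An added example (not Barracuda's code and not from this page): a pre-processing check that reads only the member names of a tar archive and flags any character outside a conservative allowlist, the class of input the paragraph above says reached Perl's qx operator. The function names, the allowlist and the sample names are assumptions constructed for illustration.

```python
import io
import re
import tarfile

# Allowlist (assumption): letters, digits, dot, underscore, slash, plus, hyphen.
# Anything else is reported, because it is unsafe to interpolate into a shell
# command string such as the one Perl's qx operator hands to the shell.
UNSAFE = re.compile(r"[^A-Za-z0-9._/+\-]")


def suspicious_members(tar_bytes):
    """Return [(member_name, sorted unsafe characters)] for flagged names."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as archive:
        for member in archive:  # iterates headers only; nothing is extracted
            hits = sorted(set(UNSAFE.findall(member.name)))
            if hits:
                findings.append((member.name, hits))
    return findings


def build_sample_tar(names):
    """Build an in-memory tar of empty files (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name in names:
            archive.addfile(tarfile.TarInfo(name=name))
    return buf.getvalue()


# Constructed sample names, not taken from any real archive or exploit.
SAMPLE_NAMES = ["docs/report.txt", "a`b`.txt", "invoice$(x).pdf", "notes;final.md"]

if __name__ == "__main__":
    for name, hits in suspicious_members(build_sample_tar(SAMPLE_NAMES)):
        print(f"unsafe member name {name!r}: characters {hits}")
```

A name filter like this is a screening step only; code that must run a command on archive members should pass each name as a separate argument rather than building a shell string.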

📧 Phishing link → 🖼 Malicious file → 🔓 Server compromised

Am I affected? Quick check

Probably yes if any of these apply:

IT Security
Running any of:
    Email Security Gateway 300 firmware: 5.1.3.001 ≤ v ≤ 9.2.0.006
    Email Security Gateway 400 firmware: 5.1.3.001 ≤ v ≤ 9.2.0.006
    Email Security Gateway 600 firmware: 5.1.3.001 ≤ v ≤ 9.2.0.006
    Email Security Gateway 800 firmware: 5.1.3.001 ≤ v ≤ 9.2.0.006
    Email Security Gateway 900 firmware: 5.1.3.001 ≤ v ≤ 9.2.0.006

Real-world incidents: What we've seen

CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2023-05-26 based on evidence of active exploitation in the wild. Federal agencies are required to remediate by 2023-06-16.

How to patch

Get the fix

Apply the fixed package from your vendor. The advisory lists affected versions and the exact fixed build.

Vendor advisory

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

    1. Vendor advisory: https://status.barracuda.com/incidents/34kx82j5n4q9
    2. NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-2868
    3. CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2868