Despite pushing out patches addressing vulnerabilities in its Email Security Gateway (ESG) appliances in May, today Barracuda issued an urgent warning that all affected devices need to be taken offline and replaced immediately.
The ESG remote command injection vulnerability, tracked under CVE-2023-2868, was already under active exploit since October 2022, Barracuda said in its initial May 30 disclosure. A patch was released on May 20, but by June 6 it was determined the patch and subsequent script pushed out to counter unauthorized access weren't enough to secure impacted ESG devices, according to the advisory.
"Impacted ESG appliances must be immediately replaced regardless of patch version level," Barracuda warned its customers in an update. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG."
Barracuda determined some infected devices maintained persistent backdoor access, with some presenting evidence of data exfiltration, even after patching.
Mike Parkin, senior technical engineer with Vulcan Cyber, explained in a statement provided to Dark Reading that he suspects the threat actors found a way to make changes deep in the device firmware.
"By replacing the kit, Barracuda can be absolutely sure they've eradicated a potential compromise in customer environments," Parkin explained. "This is only an educated guess based on the timeline and their reaction."
Parkins added that customers should take Barracuda's warning seriously.
"If Barracuda is telling them to 'take it out of service now, a replacement is on the way,' then they should probably do exactly that," Parkin added. "If a vendor tells you to pull a system out of service based on their own security advisory, why argue?"