Barracuda's ESG patch worked, and you still had to throw the box in the dumpster
The May 2023 patch fixed the bug and changed nothing for compromised customers. The right move was to physically replace the appliance, and that gap is the lesson.
Barracuda shipped a patch for CVE-2023-2868 on May 20, 2023, and for a lot of customers it accomplished nothing. The fix closed the hole. It did not close the breach. Seventeen days later Barracuda told affected customers to physically replace the appliance regardless of patch status, and that sentence is the whole story.
This is one of the rare cases where “apply the patch and move on” was the wrong answer, and the vendor said so out loud.
What the patch actually did
The vulnerability was a CVSS 9.8 in the Barracuda Email Security Gateway (ESG), the physical appliance, versions 5.1.3.001 through 9.2.0.006 (per Mandiant). The ESG parsed incoming email attachments, including .tar archives. Filenames inside those archives were passed to Perl’s qx operator without sanitization. A filename that started with a single quote and a backtick triggered command injection. No login required. Remote code execution on an internet-facing email gateway from a crafted attachment.
The May 20 patch fixed that. It changed how the appliance handled the tar parsing so the injection no longer fired. If you were unexploited, you were now fine. Barracuda auto-deployed it to every ESG worldwide, which was the right call.
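As an added illustration, not Barracuda’s code or the ESG’s parser, here is a defender-side check in Python that inspects .tar member names before anything is handed to a shell: names outside a strict allowlist are quarantined, so an interpolation bug of the kind behind CVE-2023-2868 is never reachable. The sample archive and member names are constructed for the example.

```python
import io
import re
import tarfile

# Allowlist for member names: path segments of [A-Za-z0-9._-] only. A name
# that fails this never reaches any shell-out, so a quoting mistake downstream
# (qx-style string interpolation, the defect the advisory describes) cannot fire.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_member_name(name):
    """True only for relative paths built from allowlisted segments, no '..'."""
    if not name or name.startswith("/"):
        return False
    segments = name.split("/")
    return all(SAFE_SEGMENT.match(s) and s != ".." for s in segments)


def build_tar(names):
    """Constructed sample archive: one empty file per name (test fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def flag_archive(tar_bytes):
    """List member names without extracting; return the ones to quarantine."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if not is_safe_member_name(m.name)]


# Constructed sample: two ordinary members, one injection-shaped name (leading
# quote and backtick, the pattern the advisory describes) and one traversal.
SAMPLE = build_tar(["report.pdf", "q3/summary.csv", "'`placeholder`'", "../etc/x"])

if __name__ == "__main__":
    for name in flag_archive(SAMPLE):
        print("quarantine:", repr(name))
```

The check runs on the archive listing alone, so nothing is extracted and no external tool ever sees an unvalidated name.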
The problem is the timeline. The earliest known exploitation traces back to October 10, 2022. Barracuda did not identify the vulnerability until May 18, 2023, after being alerted to anomalous traffic from the appliances themselves. That is roughly eight months of an attacker having root on email gateways before anyone knew the bug existed. A patch on day one of disclosure does nothing for a box that was owned in the fall of the previous year.
Why the patch couldn’t save the compromised boxes
A patch fixes the door. It does not evict whoever already walked through it. On the Barracuda appliances, the attacker had walked very far in.
The group, tracked as UNC4841 and assessed by Mandiant as a Chinese nation-state actor, dropped a stack of malware on compromised devices. The first wave included SEASPY, a passive backdoor that installed itself as a PCAP filter on the SMTP ports and woke up on a magic packet, and SALTWATER, a module injected straight into the Barracuda SMTP daemon with upload, download, command execution, and tunneling capabilities.
Then disclosure happened, and the attacker did not pack up. In early June 2023, after the patch, UNC4841 deployed a second wave. The one that matters here is DEPTHCHARGE, also tracked as SUBMARINE. It lived inside the SQL database on the appliance itself, built from a SQL trigger, shell scripts, and a loaded library for a Linux daemon. It ran as root. It persisted through patches and reboots. It cleaned up after itself.
That is where “patch and move on” stops working. The persistence mechanism lived in a layer the patch never touched. You could fully patch the box, reboot it, and still have an actor with root sitting in the database. Worse, Barracuda’s own remediation tooling ran on the compromised appliance, which means the thing you would use to check whether you were clean was itself running on hardware the attacker controlled (Rapid7). You cannot trust a clean bill of health signed by a machine that might be lying to you.
So on June 6, Barracuda’s advisory said the quiet part plainly: “Barracuda’s recommendation at this time is full replacement of the impacted ESG.” Not re-image. Not patch and monitor. Replace the physical unit. They offered free replacement hardware, which was the correct thing to do and also an admission of how bad it was.
If there was any doubt the patch was insufficient, the FBI removed it in August 2023 with a Flash advisory stating the May patches were ineffective for previously compromised devices. When the vendor and the Bureau both tell you the patch you deployed didn’t fix your problem, the appliance is no longer an asset. It’s evidence.
Why this keeps happening
Security appliances are a black box on your network with root-level reach into your most sensitive traffic, and almost no visibility into what’s running inside them. That is the trade. You buy the box so you don’t have to build the email security stack yourself, and the cost of that convenience is that when the box is compromised, you have no native way to see it, clean it, or prove it’s clean.
DEPTHCHARGE exploited exactly this. The attacker put persistence in a layer the customer can’t inspect and the vendor’s own tooling can’t be trusted to scan, because the tooling runs on the suspect hardware. This is not a Barracuda-specific failure of engineering. It is the structural shape of every closed network appliance. The detection alert that finally surfaced this came from anomalous outbound traffic, not from anything the appliance reported about itself.
The eight-month dwell time may have been a detection gap on Barracuda’s side, or it may just be the reality of a well-resourced state actor staying quiet. The result for the customer is the same either way: a critical piece of perimeter infrastructure was owned for the better part of a year, and the first reliable signal came from the network around it.
What you should actually expect
Treat “the vendor shipped a patch” as the start of your assessment, not the end of it. When a network appliance has a confirmed unauthenticated RCE that’s been exploited in the wild, the questions are: how long was the exploit live before disclosure, and could it have established persistence below the patch layer? If the first answer is “months” and the second is “yes,” patching is necessary and not sufficient.
A few things that follow from that:
- Assume dwell time, not patch time. CVE-2023-2868 was in CISA’s KEV catalog, exploited since at least October 2022. The clock that matters started eight months before the fix, not on patch day.
- Don’t trust the suspect box to grade its own homework. If the appliance might be compromised, in-band remediation tooling that runs on that same box is not a clean signal. Pull the verdict from the network, not the device.
- Have a replacement path, not just a patch path. Barracuda gave away hardware here. Most vendors won’t. Know in advance what “replace this unit” costs in dollars, downtime, and change windows, because for a compromised black box that’s sometimes the only honest fix.
A patch that fixes the vulnerability and a patch that fixes your problem are not always the same patch. Barracuda’s update did exactly what it claimed. It closed CVE-2023-2868. It just couldn’t reach the part of the appliance the attacker had already moved into, and no patch shipped after the fact ever could.
PatchDayAlert flags KEV-listed, actively-exploited gateway bugs in the daily digest with the piece most advisories bury: whether patching is actually enough, or whether you’re looking at a replacement.
Sources
- Barracuda ESG Zero-Day Exploited Globally — Mandiant / Google Cloud — 2023-06-15
- ESG Vulnerability advisory — Barracuda Networks — 2023-06-06
- CVE-2023-2868: Total Compromise of Physical Barracuda ESG Appliances — Rapid7 — 2023-06-08
- FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective — SecurityWeek — 2023-08
- CISA Releases Malware Analysis Reports on Barracuda Backdoors — CISA — 2023-07-28