Enterprise security firm Barracuda is now urging customers affected by a recently uncovered zero-day flaw in its Email Security Gateway (ESG) appliances to replace them immediately.
“Affected ESG equipment should be replaced immediately regardless of patch version level,” the company said in an update, adding “the current remediation recommendation is full replacement of the affected ESG.”
The latest development comes as Barracuda discloses that the critical flaw in the devices (CVE-2023-2868, CVSS score: 9.8) has been exploited as a zero-day for at least seven months, since October 2022, to deliver bespoke malware and steal data.
The vulnerability is a remote code injection flaw affecting versions 5.1.3.001 to 9.2.0.006, stemming from incomplete validation of attachments contained in incoming emails. It was addressed on May 20 and May 21, 2023.
The three malware families discovered to date can upload or download arbitrary files, execute commands, establish persistence, and open a reverse shell to an actor-controlled server.
The exact scope of the incident is still unknown. The US Cybersecurity and Infrastructure Security Agency (CISA) has recommended that federal agencies implement the fix by June 16, 2023.