Earlier this week, Barracuda, a renowned provider of network security solutions, alerted customers to a breach in some of its Email Security Gateway (ESG) appliances. Threat actors had exploited a zero-day vulnerability, which has since been patched, causing considerable unease among businesses relying on these appliances.

Patched vulnerability still poses threats

The vulnerability, identified as CVE-2023-2868, was located in the email attachment screening module. The flaw was detected on May 19, and Barracuda promptly rectified the issue by releasing two security patches on May 20 and 21. However, the potential for damage was significant, given that hundreds of thousands of organizations worldwide, including several high-profile companies, use the impacted ESG appliances.

Barracuda reassured customers that this vulnerability doesn’t extend to other company products, specifying that its SaaS email security services remain unaffected.

Following an internal investigation, Barracuda discovered the flaw had been used to target a subset of email gateway appliances. Customers with potentially affected appliances received notifications via the ESG user interface.

CISA intervention and guidelines for federal agencies

In line with Binding Operational Directive (BOD) 22-01 aimed at reducing the significant risk of known exploited vulnerabilities, FCEB agencies are required to address these vulnerabilities promptly to guard their networks against attacks exploiting cataloged flaws.

The Cybersecurity & Infrastructure Security Agency (CISA) has mandated that federal agencies rectify this vulnerability by June 16, 2023. Furthermore, experts recommend private organizations also review the Catalog and take necessary actions to mitigate any vulnerabilities present in their infrastructure.

We would love to hear from you, our valued readers. What are your thoughts on this recent vulnerability disclosure and CISA’s response? Please share your insights in the comments section below!