Barracuda Networks faced a critical challenge with the discovery of two zero-day vulnerabilities, CVE-2023-7102 and CVE-2023-7101, associated with the Spreadsheet::ParseExcel library. These vulnerabilities, exploited by the China Nexus actor UNC4841, targeted Barracuda Email Security Gateway (ESG) devices through malicious Excel email attachments, posing an Arbitrary Code Execution (ACE) threat. The investigation led by Barracuda’s security team, alongside Mandiant, focused on CVE-2023-7102.
This flaw allowed threat actors to execute arbitrary code within the ESG appliance’s library, impacting devices within version ranges 5.1.3.001 to 9.2.1.001. The severity, marked by a CVSSv2 score of 7.5 and CVSS3 score of 8.8, emphasized the vulnerability’s impact on a limited number of ESG devices. Barracuda swiftly responded to the threat by releasing a security update on December 21, 2023, to all active ESGs. This update effectively addressed the ACE vulnerability, demonstrating Barracuda’s commitment to fortifying its technology and protecting users without requiring customer intervention.
Moreover, active attacks targeting CVE-2023-7102 led to the identification of new malware variants, SEASPY and SALTWATER, on compromised ESG devices. Responding promptly, Barracuda deployed a patch on December 22, 2023, to remediate compromised devices displaying signs of these malware variants, showcasing their dedication to countering state-sponsored threats. The swift identification, mitigation, and remediation of the Barracuda ESG vulnerability underscore the significance of proactive cybersecurity measures and accountability in confronting online threats.
