Barracuda discloses breach of some email security customers due to zero-day vulnerability
The cybersecurity vendor says that an unspecified number of customers of its Email Security Gateway appliance have been impacted
Barracuda said that some Email Security Gateway customers were impacted by a breach last week that exploited a zero-day vulnerability in the appliance.
The cybersecurity vendor didn't specify how many customers were affected in its disclosure, and said in an email to CRN that it's not sharing further details.
In a post Tuesday, Barracuda said that the vulnerability was discovered on May 19, and the company deployed a patch "to all ESG appliances worldwide" the following day. A second patch was deployed on May 21 to all Email Security Gateway appliances.
The investigation so far has found that the vulnerability "resulted in unauthorised access to a subset of email gateway appliances." Affected customers have been notified, Barracuda said.
"If a customer has not received notice from us via the ESG user interface, we have no reason to believe their environment has been impacted at this time and there are no actions for the customer to take," the company said in an email to CRN Wednesday.
Other Barracuda products were not affected by the vulnerability, including the company's SaaS email security services, the company said in its post.
Barracuda noted that its investigation has been "limited to the ESG product, and not the customer's specific environment."
"Impacted customers should review their environments and determine any additional actions they want to take," Barracuda said in its post.
The zero-day vulnerability, which is tracked as CVE-2023-2868, affected a module used by Barracuda for initial screening of attachments for incoming emails, the company said.