CVE-2023-2868

ENISA EUVD: EUVD-2023-34316
Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero
Triaged: March 3, 2026 · 14 articles · Published: 2023-05-24

EPSS Score

Source: FIRST.org · 2026-05-23
89.98% probability
This CVE has an 89.98% probability of being exploited in the next 30 days.
Top 99.6th percentile of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
9.4 CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Description

VulnerabilityLookup (CNA)
A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product affecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar files (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of the BNSF-36456 patch. This patch was automatically applied to all customer appliances.

Affected Products

Barracuda
Barracuda Email Security Gateway
5.1.3.001

Attack Intelligence

Google Project Zero

Discovered: May 18, 2023
Patched: May 30, 2023
Reported by: ???
Root Cause Analysis: ???

Exploits & PoC

Signal Intelligence

Confidence: 92%
EPSS: 89.98%
CVSS v3.1: 9.4
Mentions: 14
Last Seen: Dec 27, 2023

CNA Information

CNA Assigner: Google
CNA Title: Remote Code injection in Barracuda Email Security Gateway

Analyst Note

This CVE is confirmed as a zero-day exploited in active attacks by Chinese threat actors against Barracuda Email Security Gateway appliances. The critical CVSS 9.4 score, inclusion in Google Project Zero, and reporting by reputable security outlets (BleepingComputer) corroborate the vulnerability's existence and severity.

Threat Actors 13

Lazarus Group
apt_group Information theft and espionage 🇰🇵 KP
APT 28
apt_group Information theft and espionage 🇷🇺 RU
Cron
apt_group 🇷🇺 RU
Vicious Panda
apt_group Information theft and espionage 🇨🇳 CN
Hacking Team
apt_group 🇮🇹 IT
GhostEmperor
apt_group Information theft and espionage 🇨🇳 CN
Infy
apt_group Information theft and espionage 🇮🇷 IR
FamousSparrow
apt_group Information theft and espionage 🇨🇳 CN
Earth Estries
apt_group Information theft and espionage 🇨🇳 CN
HAFNIUM
apt_group Information theft and espionage 🇨🇳 CN
APT 22
apt_group Information theft and espionage 🇨🇳 CN
UNC4841
apt_group Information theft and espionage 🇨🇳 CN
Red October
apt_group 🇷🇺 RU

Triage Info

Decided at: Mar 03, 2026
Published Date: May 24, 2023