VERY IMPORTANT

The earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022. Barracuda also noted that malware was placed on a subset of vulnerable appliances to allow for persistence even if the vulnerability were patched. Additionally, evidence of data exfiltration was identified on a subset of impacted appliances. Because of this, on June 6, Barracuda updated its advisory, notifying customers to immediately replace ESG appliances regardless of patch version level. This issue is critical for every organization currently using the Barracuda Email Security Gateway Appliance.