CVE-2010-20109

UNKNOWN 0.0

Barracuda Spam & Virus Firewall "locale" Path Traversal

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Barracuda products, confirmed in Spam & Virus Firewall, SSL VPN, and Web Application Firewall versions prior to October 2010, contain a path traversal vulnerability in the view_help.cgi endpoint. The locale parameter fails to properly sanitize user input, allowing attackers to inject traversal sequences and null-byte terminators to access arbitrary files on the underlying system. By exploiting this flaw, unauthenticated remote attackers can retrieve sensitive configuration files such as /mail/snapshot/config.snapshot, potentially exposing credentials, internal settings, and other critical data.

CWE	CWE-22
Vendor	barracuda networks
Product	spam & virus firewall
Published	Aug 21, 2025
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for barracuda networks spam & virus firewall

Be the first to know when new unknown vulnerabilities affecting barracuda networks spam & virus firewall are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Barracuda Networks / Spam & Virus Firewall

* ≤ 4.1.1.021

Barracuda Networks / SSL VPN

* ≤ prior to October 2010

Barracuda Networks / Web Application Firewall

* ≤ prior to October 2010

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/15130 web.archive.org: https://web.archive.org/web/20101004131244/http://secunia.com/advisories/41609/ raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb vulncheck.com: https://www.vulncheck.com/advisories/barracuda-multiple-products-locale-path-traversal

Credits

ShadowHatesYou