🔐 CVE Alert

CVE-2023-2868

CRITICAL 9.4 ⚠️ CISA KEV

Remote command injection in Barracuda Email Security Gateway

CVSS Score
9.4
EPSS Score
0.0%
EPSS Percentile
0th

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only), affecting versions 5.1.3.001 through 9.2.0.006. The vulnerability arises from incomplete input validation of user-supplied .tar files (tape archives): the names of the files contained within the archive are not fully sanitized before the archive is processed. A remote attacker can therefore craft those file names so that, when the appliance processes the archive, an attacker-chosen system command is executed through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of the BNSF-36456 patch, which was automatically applied to all customer appliances. Note that the patch closes the injection path but does not remediate an appliance that was already compromised before it was applied; Barracuda subsequently advised that impacted appliances be replaced regardless of patch level (see the barracuda.com reference below).
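Perl's qx operator (the backtick operator) hands its string to /bin/sh, so any archive member name interpolated into that string is parsed by the shell: backticks, $( ), ;, |, & and newlines in the name become commands. The following is an added example, not Barracuda's code and not the file names used in the real attacks: it builds a constructed tar archive in memory, shows that tar stores member names verbatim, and applies the kind of strict allowlist check an inbound-attachment pipeline should run on member names before anything downstream could reach a shell. The function names and the sample names are assumptions chosen for illustration. The real fix is to keep archive names out of shell strings altogether (list-form execution, no interpolation); the allowlist here is the defence-in-depth check a practitioner would still want in front of such code.

```python
import io
import re
import tarfile

# Strict allowlist for a single path segment: letters, digits, dot, underscore,
# hyphen. Whitespace, quotes, backticks, $, ;, |, &, newlines and anything else
# a shell would interpret are rejected outright.
_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_member_name(name: str) -> bool:
    """True only if every '/'-separated segment of `name` is on the allowlist.

    Also rejects empty names, absolute paths, backslashes and '..' segments so
    the name can neither escape the extraction directory nor carry shell syntax.
    """
    if not name or name.startswith("/") or "\\" in name:
        return False
    segments = name.split("/")
    return all(seg and seg != ".." and _SEGMENT.match(seg) for seg in segments)


def unsafe_member_names(tar_bytes: bytes) -> list:
    """Read only the headers of a tar archive (bytes) and return every member
    name that fails the allowlist. Nothing is extracted."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not is_safe_member_name(member.name):
                bad.append(member.name)
    return bad


def build_tar(names) -> bytes:
    """Constructed sample: build an in-memory tar with one tiny file per name.

    tar writes the member name field verbatim, so a name containing shell
    metacharacters arrives at the consumer unchanged.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed example names (assumption, not real attack payloads): one benign
# name and two that carry shell metacharacters which would be evaluated if the
# name were interpolated into a Perl qx// string or any other shell command.
SAMPLE_NAMES = [
    "report/2023-05/summary.txt",
    "notes.txt`id`",
    "a.txt; echo injected",
]


def demo() -> list:
    """Build the constructed archive and return the member names it rejects."""
    return unsafe_member_names(build_tar(SAMPLE_NAMES))


if __name__ == "__main__":
    for rejected in demo():
        print("rejected member name:", repr(rejected))
```

Run it as a script and the two crafted names are reported while the benign path passes; the archive is never extracted, so the check is safe to run on untrusted attachments at the gateway boundary.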

CWE CWE-20
Vendor barracuda
Product barracuda email security gateway
Published May 24, 2023
Last Updated Oct 21, 2025
⚠️ Actively Exploited — Act Now


CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Affected Versions

Barracuda / Barracuda Email Security Gateway
5.1.3.001 through 9.2.0.006 (inclusive)

References

NVD · CVE.org · EPSS Data
barracuda.com: https://www.barracuda.com/company/legal/esg-vulnerability
status.barracuda.com: https://status.barracuda.com/incidents/34kx82j5n4q9
cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2868