Barracuda warns of email gateways breached via zero-day flaw

Barracuda, a company known for its email and network security solutions, warned customers today that some of their Email Security Gateway (ESG) appliances were breached last week by targeting a now-patched zero-day vulnerability.

On Friday, May 19, a vulnerability was discovered in the email attachment scanning module. The issue was addressed by applying two security patches on May 20 and 21.

While the flaw was patched over the weekend, Barracuda warned on Tuesday that some of its customers' ESG appliances were compromised by exploiting the now-patched security bug.

"Based on our investigation to date, we've identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances," the company said.

"Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers.

The company's other products, including SaaS email security services, were unaffected by this vulnerability.

Customers asked to check networks for intrusions

Barracuda said the investigation was limited to its ESG product and not the customers' corporate networks. Therefore, the company advises impacted organizations to review their environments to confirm the threat actors did not spread to other devices on the network.

"If a customer has not received notice from us via the ESG user interface, we have no reason to believe their environment has been impacted at this time and there are no actions for the customer to take," Barracuda told BleepingComputer.

A spokesperson for Barracuda didn't reply to a subsequent email asking for more details regarding the number of affected customers or if their data was impacted after their ESG appliances were breached.

Today, Barracuda also addressed a login issue affecting Email Gateway Defense (EGD) appliances and a buggy spam scoring rule that led to customer emails being blocked incorrectly.

Barracuda says its enterprise-grade security solutions are now used by over 200,000 organizations worldwide, including Samsung, Mitsubishi, Kraft Heinz, Delta Airlines, and other high-profile companies.