CRITICAL🇵🇱 Wersja polska

CVE-2023-7102

CVSS 9.8v3.1pub. 2023-12-24upd. 2024-11-21

Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.

🤖 AI Analysis
How it works

The vulnerability originates from a Perl library called Spreadsheet-ParseExcel, used by Barracuda ESG software to process Excel files. Improper handling of input data in this library enables parameter injection through a specially crafted Excel file. An attacker can deliver a malicious file (e.g., as an email attachment), which is automatically processed by the gateway, triggering the exploit without any user interaction.

Impact

An unauthenticated remote attacker can gain full control over the device — confidentiality, integrity, and availability of the system are compromised at a critical level.

Mitigation & patch

Barracuda removed the vulnerable logic from the device. Ensure that ESG devices have received an update that eliminates this component — details are available in the Barracuda Networks security notice at: https://www.barracuda.com/company/legal/esg-vulnerability. Patches provided by the vendor should be applied according to the references.

Who is affected

Barracuda ESG Appliance in versions from 5.1.3.001 to 9.2.1.001 (models 300, 400, 600 and others covered by this firmware line), until the vulnerable logic is removed by Barracuda Networks.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Barracuda Email Security Gateway 300

    HW
    Barracuda
    wszystkie wersje
  • Barracuda Email Security Gateway 300 Firmware

    OS
    Barracuda
    5.1.3.001 – 9.2.1.001
  • Barracuda Email Security Gateway 400

    HW
    Barracuda
    wszystkie wersje
  • Barracuda Email Security Gateway 400 Firmware

    OS
    Barracuda
    5.1.3.001 – 9.2.1.001
  • Barracuda Email Security Gateway 600

    HW
    Barracuda
    wszystkie wersje
  • Barracuda Email Security Gateway 600 Firmware

    OS
    Barracuda
    5.1.3.001 – 9.2.1.001
  • Barracuda Email Security Gateway 800

    HW
    Barracuda
    wszystkie wersje
  • Barracuda Email Security Gateway 800 Firmware

    OS
    Barracuda
    5.1.3.001 – 9.2.1.001
  • Barracuda Email Security Gateway 900

    HW
    Barracuda
    wszystkie wersje
  • Barracuda Email Security Gateway 900 Firmware

    OS
    Barracuda
    5.1.3.001 – 9.2.1.001
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-2868CRITICAL9.4⚠ KEVten sam produkt

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor...

CVE-2025-34394CRITICAL10.0PL ✓ten sam vendor

Barracuda RMM — RCE przez deserializację .NET Remoting w Service Center

CVE-2025-34393CRITICAL10.0PL ✓ten sam vendor

Barracuda RMM – RCE przez insecure reflection w Service Center

CVE-2025-34392CRITICAL10.0PL ✓ten sam vendor

Barracuda RMM: path traversal i RCE przez niezweryfikowany URL w WSDL

CVE-2014-2595CRITICAL9.8ten sam vendor

Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leverag...