Email and network security firm Barracuda is warning customers to replace Email Security Gateway (ESG) appliances hacked in attacks targeting a now-patched zero-day vulnerability.
“Affected ESG appliances should be replaced immediately regardless of patch release level,” the company warned in an update to the initial notice published on Tuesday.
“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”
According to Barracuda, affected customers have already been notified via the user interface of the breached ESGs. Customers who have not yet replaced their devices are requested to contact support urgently by email.
The warning comes after the critical Barracuda ESG remote command injection flaw tracked as CVE-2023-2868 was patched remotely on May 20, and attackers’ access to compromised appliances was cut off a day later by deploying a dedicated script.
On May 24, Barracuda notified customers that their ESG appliances may have been breached via the CVE-2023-2868 bug and advised them to investigate their environments for signs of intrusion.
A Barracuda spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more details on why a full ESG replacement is needed.
Exploited since at least October 2022
Before being patched, the Barracuda ESG bug was exploited as a zero-day for at least seven months to hijack customers’ ESG appliances with custom malware and steal data, as the company revealed a week ago.
It was first used in October 2022 to breach “a subset of ESG appliances” and install malware that provided attackers with persistent access to compromised devices.
The attackers deployed the Saltwater malware to backdoor infected devices and a malicious tool called SeaSide to establish reverse shells for easy remote access via SMTP HELO/EHLO commands.
Subsequently, the threat actors took advantage of their access to steal information from the compromised appliances.
CISA also added the CVE-2023-2868 vulnerability to its catalog of bugs exploited in attacks, warning federal agencies with ESG appliances to audit their networks for evidence of breaches.
Barracuda says its products are used by more than 200,000 organizations, including leading companies like Samsung, Delta Airlines, Mitsubishi and Kraft Heinz.