CVE-2023-2868: Barracuda Networks ESG Appliance Improper Input Validation Vulnerability (Pentest Lab Guide)
CVE-2023-2868: Technical Deep-Dive (Auto Refreshed)
Generated on 2026-03-23T20:51:38.104Z. This file is automatically regenerated every 30 minutes by the CVE AI enrichment job using web sources (NVD, MITRE, CISA KEV, GitHub).
Executive Technical Summary
A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.
- Context preserved from previous revision: A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances. Notes: Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.
Technical Details
- CVE: CVE-2023-2868
- KEV date added: Unknown
- KEV due date: Not specified
- NVD published: 2023-05-24
- NVD modified: 2025-10-24
- MITRE modified: 2025-10-21
- CVSS base score: 9.4
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
- CVSS exploitability score: 3.9
- CVSS impact score: 5.5
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality impact: High
- Integrity impact: High
- Availability impact: Low
Versions and Products Impacted
- barracuda / email security gateway 300 firmware (versions: >= 5.1.3.001, <= 9.2.0.006)
- barracuda / email security gateway 400 firmware (versions: >= 5.1.3.001, <= 9.2.0.006)
- barracuda / email security gateway 600 firmware (versions: >= 5.1.3.001, <= 9.2.0.006)
- barracuda / email security gateway 800 firmware (versions: >= 5.1.3.001, <= 9.2.0.006)
- barracuda / email security gateway 900 firmware (versions: >= 5.1.3.001, <= 9.2.0.006)
- Barracuda / Barracuda Email Security Gateway (versions: 5.1.3.001)
Weakness Classification
- CWE-20
- CWE-77
Repositories for Lab Validation (Public Examples)
- Ostorlab/KEV | stars: 608 | updated: 2026-03-23 | https://github.com/Ostorlab/KEV
Notes: Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.
People and Organizations Mentioned
- Ostorlab
Practical Defensive Validation (Authorized Only)
- Use only isolated environments and systems you own or are explicitly authorized to test.
- Snapshot infrastructure before validation and preserve baseline logs (EDR, SIEM, OS, app).
- Deploy barracuda / email security gateway 300 firmware (versions: >= 5.1.3.001, <= 9.2.0.006) with synthetic data and validate strict server-side input validation and parameterization.
- Replay safe payload patterns through WAF/IDS tuning pipelines to reduce false negatives.
- Correlate request IDs with app/database logs to improve root-cause analysis speed.
References
- NVD record: https://nvd.nist.gov/vuln/detail/CVE-2023-2868
- MITRE CVE record: https://www.cve.org/CVERecord?id=CVE-2023-2868
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA KEV JSON feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://status.barracuda.com/incidents/34kx82j5n4q9
- https://www.barracuda.com/company/legal/esg-vulnerability
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2868
- Repository example: https://github.com/Ostorlab/KEV
This content is for defensive security training and authorized validation only.