The URL should have given away that things were serious:

https://www.barracuda.com/company/legal/esg-vulnerability
And then there was the very keen attempt to underline the firm’s commitment to securing your data… they definitely didn’t want you to miss that.
“We are committed to securing your data”
The big friendly letters reminded me – rather aptly – of the famous words “Don’t panic!” on the front of the “Hitchhiker’s Guide to the Galaxy”…
But if you were feeling a sense of panic, I probably couldn’t blame you, because security firm Barracuda Networks is warning people of a security vulnerability in its Email Security Gateway (ESG) appliance.
But more than that, Barracuda is taking the unusual step, for a network security vendor, of telling its customers to physically remove and decommission the affected hardware.
“ACTION NOTICE: Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now ([email protected]). Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”
That’s right. Barracuda is not telling you to apply a patch to the appliance that scans your incoming and outgoing email for malware. They want you to rip it out and replace it instead.
The clear implication is that attackers have exploited the vulnerability in the Barracuda Email Security Gateway appliance so thoroughly that Barracuda no longer trusts a software patch to evict them: if the vendor believed a firmware update could reliably remove the intruders’ foothold, it would not be telling customers to replace appliances “regardless of patch version level”.
There are likely to be 10,000+ Barracuda ESG appliances in use around the world.
And it appears malicious exploitation of vulnerable Barracuda ESG appliances has been taking place since at least October 2022.
No wonder Barracuda is getting some legal advice on how to communicate this to its customers.

“Don’t panic?”
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.