CISA warned of a recently patched zero-day vulnerability exploited last week to hack into Barracuda Email Security Gateway (ESG) appliances.
Barracuda says its security solutions are used by more than 200,000 organizations worldwide, including high-profile companies like Samsung, Mitsubishi, Kraft Heinz, and Delta Airlines.
The U.S. cybersecurity agency also added the bug (CVE-2023-2868) to its catalog of security flaws exploited in the wild based on this evidence of active exploitation.
Federal Civilian Executive Branch Agencies (FCEB) agencies must patch or mitigate the vulnerability as ordered by the BOD 22-01 binding operational directive.
However, this is no longer needed since Barracuda has already patched all vulnerable devices by applying two security patches over the weekend.
“Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances,” Barracuda said.
“As part of our containment strategy, all ESG appliances have received a second patch on May 21, 2023.”
Affected customers asked to check for network breaches
The company said the investigation into the compromised appliances was limited to its ESG product and advised affected customers to review their environments to ensure the attackers didn’t gain access to other devices on their network.
Therefore, federal agencies will also have to take CISA’s alert as a warning to check their networks for signs of intrusions.
Even though only U.S. federal agencies are required to fix the bugs added to CISA’s Known Exploited Vulnerabilities (KEV) list, private companies are also strongly recommended to prioritize patching them.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
On Monday, federal agencies were warned to secure iPhones and Macs in their environment against three iOS and macOS zero-days, one reported by Google TAG and Amnesty International security researchers and likely exploited in state-backed spyware attacks.
One week ago, CISA also added a Samsung ASLR bypass flaw to its KEV catalog, abused as part of an exploit chain to deploy a spyware suite on Samsung mobile devices running Android 11, 12, and 13.