CVE-2023-2868

CVE-2023-2868 is a significant software vulnerability that was identified in the Barracuda Email Security Gateway (ESG) appliances. This flaw, specifically a remote command injection vulnerability, was disclosed by Barracuda on May 30th, 2023. The vulnerability had been exploited as early as October 2022 and was due to the way initial screening of incoming email attachments was handled. Notably, UNC4841, a Chinese threat actor group, exploited this zero-day vulnerability in the email attachment screening module, leading to global security concerns. Intrusion sets with links to China have been observed heavily targeting Remote Code Execution (RCE) vulnerabilities and exploiting zero-day vulnerabilities, as highlighted by Mandiant's publications. Among these, CVE-2023-2868 stands out for its exploitation by UNC4841 to gain unauthorized access to ESG appliances and deploy additional malware. This aggressive and skilled activity has raised suspicions of links to China. In addition to CVE-2023-2868, other notable vulnerabilities such as CVE-2021-44207, CVE-2021-44228, and CVE-2022-41328 were also exploited by different Chinese groups. In response to the ongoing campaign utilizing CVE-2023-2868 against Barracuda appliances, the vendor recommended customers return their appliances for new ones. Further investigations into the exploitation of this vulnerability were carried out by security firms like Vectra AI, TeamT5, and Mandiant. These investigations provided further details on the tactics, techniques, and procedures (TTPs) used by the threat actor UNC4841. This continued exploitation of vulnerabilities underscores the need for robust cybersecurity measures and prompt responses to identified threats.