Barracuda logo

Compromised Barracuda appliances equipped with persistent backdoors by attackers

The Cybersecurity and Infrastructure Security Agency (CISA) has published three malware analysis reports based on malware variants associated with the exploitation of a known vulnerability in Barracuda ESG appliances.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The vulnerability at hand is listed as CVE-2023-2868, which has a CVSS score 9.4 out of 10.

It’s described as a remote command injection vulnerability in the Barracuda Email Security Gateway (appliance form factor only), caused by a failure to comprehensively sanitize the processing of .tar files (tape archives).

The vulnerability stems from incomplete input validation of the names of the files contained within the archive. As a consequence, a remote attacker could format the file names to trigger the remote execution of a system command through Perl’s qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of a patch that was applied automatically to all customer appliances.

At a later point Barracuda sent out an action notice to inform customers that impacted ESG appliances should be replaced immediately, regardless of patch version level.

From what we have gathered in the meantime, we know that the vulnerability has been used in targeted attacks as a zero-day vulnerability for months before the patch was issued, by a group that allegedly has ties to China.

The three CISA reports address:

The first report provides information about 14 malware samples comprised of Barracuda exploit payloads and reverse shell backdoors.

The SEASPY backdoor is a persistent and passive backdoor that masquerades as a legitimate Barracuda service (BarracudaMailService). SEASPY monitors traffic from the actor’s C2 server. When the right packet sequence is captured, it establishes a reverse shell to the C2 server over TCP. The shell allows the threat actors to execute arbitrary commands on the ESG appliance. CISA obtained two SEASPY malware samples which are discussed in the report.

The SUBMARINE backdoor is a persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that together enable execution with root privileges, persistence, command and control, and cleanup. This malware poses a severe threat for lateral movement. The report discusses seven malware samples obtained by CISA and the contents of the compromised SQL database, which included sensitive information.

According to Barracuda, the SUBMARINE malware was utilized by the threat actor in response to Barracuda’s remediation actions in an attempt to create persistent access on customer ESG appliances. This malware appeared on a very small number of already compromised ESG appliances. Barracuda’s recommendation is unchanged: Customers should discontinue use of the compromised ESG appliance and contact Barracuda support ( to obtain a new ESG virtual or hardware appliance.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.