UPDATE

Despite pushing out patches addressing vulnerabilities in its Email Security Gateway (ESG) appliances in May, today Barracuda issued an urgent warning that all affected devices need to be taken offline and replaced immediately.

The ESG remote command injection vulnerability, tracked under CVE-2023-2868, was already under active exploit since October 2022, Barracuda said in its initial May 30 disclosure. A patch was released on May 20, but by June 6 it was determined the patch and subsequent script pushed out to counter unauthorized access weren't enough to secure impacted ESG devices, according to the advisory.

Barracuda determined some infected devices maintained persistent backdoor access, with some presenting evidence of data exfiltration, even after patching.

A statement provided to Dark Reading from Barracuda said only 5% of active ESG appliances show indicators of compromise.

"Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances," Barracuda's statement provided to Dark Reading said. "Therefore, we would like customers to replace any compromised appliance with a new unaffected device."

Barracuda added that it is providing replacement devices at no cost to its customers.

Mike Parkin, senior technical engineer with Vulcan Cyber, explained in a statement provided to Dark Reading that he suspects the threat actors found a way to make changes deep in the device firmware.

"By replacing the kit, Barracuda can be absolutely sure they've eradicated a potential compromise in customer environments," Parkin explained. "This is only an educated guess based on the timeline and their reaction."

Parkin added that customers should take Barracuda's warning seriously.

"If Barracuda is telling them to 'take it out of service now, a replacement is on the way,' then they should probably do exactly that," Parkin added. "If a vendor tells you to pull a system out of service based on their own security advisory, why argue?"

This post was updated Friday at 2 p.m. ET with statements from Barracuda.