cbcvebase.
CVE-2010-20109
published 2025-08-21

CVE-2010-20109: Barracuda products, confirmed in Spam & Virus Firewall, SSL VPN, and Web Application Firewall versions prior to October 2010, contain a path traversal…

PriorityP265high8.7CVSS 4.0
AVNACLATNPRNUINVCHVINVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
1.09%
61.1th percentile
Barracuda products, confirmed in Spam & Virus Firewall, SSL VPN, and Web Application Firewall versions prior to October 2010, contain a path traversal vulnerability in the view_help.cgi endpoint. The locale parameter fails to properly sanitize user input, allowing attackers to inject traversal sequences and null-byte terminators to access arbitrary files on the underlying system. By exploiting this flaw, unauthenticated remote attackers can retrieve sensitive configuration files such as /mail/snapshot/config.snapshot, potentially exposing credentials, internal settings, and other critical data.

Affected

3 ranges
VendorProductVersion rangeFixed in
barracuda_networksspam_virus_firewall<= 4.1.1.021
barracuda_networksssl_vpn<= 2010-10
barracuda_networksweb_application_firewall<= 2010-10

Detection & IOCsextracted from sources · hover to see the quote

path/cgi-bin/view_help.cgi
path/mail/snapshot/config.snapshot
  • Monitor HTTP requests to view_help.cgi where the 'locale' parameter contains path traversal sequences (e.g., '../') or null-byte terminators ('%00'), which are the exploitation mechanism for this vulnerability.
  • Alert on unauthenticated HTTP requests to view_help.cgi targeting /mail/snapshot/config.snapshot, as this is the default target file used by known exploit modules to extract credentials and configuration data.
  • Scope detection to Barracuda Spam & Virus Firewall, SSL VPN, and Web Application Firewall products running versions prior to October 2010, as these are the confirmed affected products.
  • ·Exploitation does not require authentication, meaning no session token or credential is needed to trigger the traversal and retrieve sensitive files.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.