# CVE-2023-7102
Published 2023-12-24
Priority: P185 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 43.32% (98.6th percentile)
Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection. This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.
## Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| barracuda | email_security_gateway_300_firmware | 5.1.3.001 – 9.2.1.001 | — |
| barracuda | email_security_gateway_400_firmware | 5.1.3.001 – 9.2.1.001 | — |
| barracuda | email_security_gateway_600_firmware | 5.1.3.001 – 9.2.1.001 | — |
| barracuda | email_security_gateway_800_firmware | 5.1.3.001 – 9.2.1.001 | — |
| barracuda | email_security_gateway_900_firmware | 5.1.3.001 – 9.2.1.001 | — |
| barracuda_networks_inc | barracuda_esg_appliance | 5.1.3.001 – 9.2.1.001 | — |
## Detection & IOCs (extracted from sources)
Sigma
Barracuda Email Security Gateway Remote Code Execution (CVE-2023-7102)
- Detect malicious XLS email attachments with Perl code injected into Excel Number format strings (FORMAT records in BIFF8 XLS files) delivered via email to ESG appliances running Amavis/Spreadsheet::ParseExcel.
- The exploit payload must not contain ']' (terminates format string) or single quotes; use these character constraints as a signature heuristic when inspecting XLS FORMAT record strings for injected Perl eval payloads.
- Hunt for post-exploitation malware families SeaSpy, Saltwater, SeaSide, Submarine/DepthCharge, and Whirlpool on Barracuda ESG appliances as indicators of successful CVE-2023-7102 exploitation by UNC4841.
- Monitor for reverse shell activity originating from Barracuda ESG appliances, as UNC4841 used SeaSide to establish reverse shells on compromised devices.
- The exploitation campaign began as early as November 2023; threat hunt on ESG appliances for compromise indicators starting from that date.
- The attack vector is a specially crafted Excel file delivered as an email attachment; inspect inbound email attachments for XLS files with anomalous FORMAT record strings containing eval-injectable Perl syntax.
- Affected Barracuda ESG versions span 5.1.3.001 through 9.2.1.001; the vulnerability was present until Barracuda removed the vulnerable logic via automatic update.
- CISA remediation due date for CVE-2023-7101 (the upstream library) was 2024-01-23; organizations should verify their own Spreadsheet::ParseExcel deployments are patched per vendor instructions.
## CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | 9.8 | Critical | — |
| CISA | 7.8 | High | — |
## CISA
Spreadsheet::ParseExcel Remote Code Execution Vulnerability
cisa · 2024-01-02 · CVSS 7.8
CVE-2023-7101 [HIGH] CWE-95
Affected: Spreadsheet::ParseExcel
Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://metacpan.org/dist/Spreadsheet-ParseExcel and Ba
## GHSA
GHSA-ccqc-vx6w-76x6: Use of a Third Party library produced a vulnerability in Barracuda Networks Inc
ghsa_unreviewed · 2023-12-25
CVE-2023-7102 [CRITICAL] CWE-1104
Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection. This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.
## VulnCheck
Barracuda ESG Appliance ParseExcel Code Execution Vulnerability
vulncheck · 2023 · CVSS 9.8
CVE-2023-7102 [CRITICAL]
Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection. This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.
Affected: Barracuda Networks Email Security Gateway (ESG) Appliance
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.barracuda.com/company/legal/esg-vulnerability; https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/barracuda-email-security-gateway-esg-malicious-activity-additional-indicators-compromis
No detection rules found.
## Rapid7
Metasploit Wrap Up 05/22/2026
blogs_rapid7 · 2026-05-22 · CVSS 9.8
CVE-2026-20182 [CRITICAL]
## Another week, another authentication bypass
Our humble Metasploit weekly(ish) blog has been blessed with a new network component vulnerability. The dynamic duo of @sfewer-r7 and @jburgess-r7 have discovered and authored the admin/networking/cisco_sdwan_vhub_auth_bypass module for CVE-2026-20182, a vulnerability gracing the Cisco Catalyst SD-WAN Controller. The devices, whose purpose is to control a software-defined (SD) wide-area network (WAN), were unfortunately missing an extra A for authentication, an oversight that Cisco has duly patched.
Elsewhere this week, the HUSTOJ online judge platform has been caught failing to judge its own zip files (CVE-2026-24479), courtesy of a zip-slip RCE module from LoTuS and friends. Next, @Alpenlol has weaponized the small matter of Barracuda's Emai
## Wiz
Crying Out Cloud - January Newsletter | Wiz
blogs_wiz · 2024-01-01 · CVSS 8.8
CVE-2023-26360 [HIGH]
This month we’ve seen several vulnerabilities and security incidents that have left users affected. We know you're busy too, so we've sifted through the noise to bring you the real game-changers.
Here are our top picks!
## 🐞 High Profile Vulnerabilities
Adobe ColdFusion RCE vulnerability exploited in-the-wild
CVE-2023-26360 is a critical vulnerability in Adobe ColdFusion that was published in March 2023. This vulnerability could allow an attacker to execute arbitrary code on the remote server in the context of the current user. On December 5, 2023, CISA announced that threat actors were actively exploiting this vulnerability in order to gain initial access to government-owned servers. Customers should update Adobe ColdFusion to the latest version.
According to Wiz data, less than 1% o
## Checkpoint
1st January – Threat Intelligence Report
blogs_checkpoint · 2024-01-01
CVE-2023-7102
## 1st January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 1st January, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The German hospital network Katholische Hospitalvereinigung Ostwestfalen (KHO) has been the victim of a cyber-attack that disrupted the systems of hospitals in Bielefeld, Rheda-Wiedenbrück, and Herford. The Lockbit ransomware group claimed responsibility for the attack.
Check Point Harmony Endpoint and Threat Emulation provide pro
## Bleepingcomputer
Barracuda fixes new ESG zero-day exploited by Chinese hackers
blogs_bleepingcomputer · 2023-12-27 · CVSS 9.4
CVE-2023-7102 [CRITICAL]
By Sergiu Gatlan
Network and email security firm Barracuda says it remotely patched all active Email Security Gateway (ESG) appliances on December 21 against a zero-day bug exploited by UNC4841 Chinese hackers.
The company deployed a second wave of security updates a day later on already compromised ESG appliances where the attackers deployed SeaSpy and Saltwater malware.
Disclosed on Christmas Eve and tracked as CVE-2023-7102, the zero-day is due to a weakness in the Spreadsheet::ParseExcel third-party library used by the Amavis virus scanner running on Barracuda ESG appliances.
Attackers can exploit the flaw to execute arbitrary code on unpatched ESG appliances through parameter injection.
The company also filed the
## Recorded Future
2025 Cloud Threat Hunting and Defense Landscape
blogs_recorded_future
## Executive Summary
Insikt Group has observed continued trends of growth and increased activity of threat actors leveraging and exploiting cloud infrastructure to broaden the number of victims they target and infect. Recent reporting across the observed incidents shows that cloud-focused threats are converging on a few consistent patterns, which serve as the main sections of this report:
- Exploitation and Misconfiguration
- Cloud Abuse
- Cloud Ransomware
- Credential Abuse, Account Takeover, and Unauthorized Access
- Third-Party Compromise
Across cases, initial access frequently comes from vulnerable or misconfigured services exposed to the internet — including application delivery controllers, monitoring dashboards, email security ga
## References
- https://github.com/haile01/perl_spreadsheet_excel_rce_poc
- https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171
- https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md
- https://metacpan.org/dist/Spreadsheet-ParseExcel
- https://www.barracuda.com/company/legal/esg-vulnerability
- https://www.cve.org/CVERecord?id=CVE-2023-7101