CVE-2023-7102
published 2023-12-24


Priority: P1 · 85 · critical · CVSS 3.1: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 43.32% (98.6th percentile)
Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection. This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.

Affected

6 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| barracuda | email_security_gateway_300_firmware | 5.1.3.001 – 9.2.1.001 | |
| barracuda | email_security_gateway_400_firmware | 5.1.3.001 – 9.2.1.001 | |
| barracuda | email_security_gateway_600_firmware | 5.1.3.001 – 9.2.1.001 | |
| barracuda | email_security_gateway_800_firmware | 5.1.3.001 – 9.2.1.001 | |
| barracuda | email_security_gateway_900_firmware | 5.1.3.001 – 9.2.1.001 | |
| barracuda_networks_inc | barracuda_esg_appliance | 5.1.3.001 – 9.2.1.001 | |

Detection & IOCs (extracted from sources)

other: SeaSpy
other: Saltwater
other: SeaSide
other: Submarine (aka DepthCharge)
other: Whirlpool
command: eval() on Excel Number format strings in Spreadsheet::ParseExcel Utility.pm
filename: Utility.pm
other: BIFF8 XLS file with payload embedded in a FORMAT record

sigma: Barracuda Email Security Gateway Remote Code Execution (CVE-2023-7102)
  • Detect malicious XLS email attachments with Perl code injected into Excel Number format strings (FORMAT records in BIFF8 XLS files) delivered via email to ESG appliances running Amavis/Spreadsheet::ParseExcel.
  • The exploit payload must not contain ']' (terminates format string) or single quotes — use these character constraints as a signature heuristic when inspecting XLS FORMAT record strings for injected Perl eval payloads.
  • Hunt for post-exploitation malware families SeaSpy, Saltwater, SeaSide, Submarine/DepthCharge, and Whirlpool on Barracuda ESG appliances as indicators of successful CVE-2023-7102 exploitation by UNC4841.
  • Monitor for reverse shell activity originating from Barracuda ESG appliances, as UNC4841 used SeaSide to establish reverse shells on compromised devices.
  • The exploitation campaign began as early as November 2023; threat hunt on ESG appliances for compromise indicators starting from that date.
  • The attack vector is a specially crafted Excel file delivered as an email attachment; inspect inbound email attachments for XLS files with anomalous FORMAT record strings containing eval-injectable Perl syntax.
  • Affected Barracuda ESG versions span 5.1.3.001 through 9.2.1.001; the vulnerability was present until Barracuda removed the vulnerable logic via automatic update.
  • CISA remediation due date for CVE-2023-7101 (the upstream library) was 2024-01-23; organizations should verify their own Spreadsheet::ParseExcel deployments are patched per vendor instructions.
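
The FORMAT-record inspection described in the bullets above, as an added example (not part of the original page and not any vendor's detection logic): a Python scanner that walks the records of an already-extracted BIFF8 workbook stream and flags number-format strings whose bracketed condition holds anything other than a number. The non-numeric-operand heuristic, the function names and the `SAMPLE` stream are assumptions constructed here; pulling the workbook stream out of the OLE2 container is left to an existing tool.

```python
import re
import struct

FORMAT_RECORD = 0x041E  # BIFF8 FORMAT record type
# Excel's grammar allows a conditional section only as [operator number], e.g. [>=100].
CONDITION = re.compile(r"\[(<=|>=|<>|<|>|=)([^\]]*)\]")
NUMBER = re.compile(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

def iter_records(stream):
    """Yield (type, payload) for each BIFF record: 2-byte type, 2-byte length, data."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + rlen]
        if len(payload) < rlen:
            return  # truncated record: stop instead of reading past the end
        yield rtype, payload
        pos += 4 + rlen

def format_string(payload):
    """Decode a FORMAT payload: ifmt, character count, flags byte, characters."""
    if len(payload) < 5:
        return None
    ifmt, cch, flags = struct.unpack_from("<HHB", payload, 0)
    if flags & 0x01:  # fHighByte set: UTF-16LE characters
        return ifmt, payload[5:5 + 2 * cch].decode("utf-16-le", "replace")
    return ifmt, payload[5:5 + cch].decode("latin-1")

def suspicious_formats(stream):
    """Return (ifmt, text) for FORMAT strings whose condition operand is not a number."""
    findings = []
    for rtype, payload in iter_records(stream):
        decoded = format_string(payload) if rtype == FORMAT_RECORD else None
        if decoded and any(not NUMBER.match(m.group(2))
                           for m in CONDITION.finditer(decoded[1])):
            findings.append(decoded)
    return findings

def record(rtype, payload):  # helper for building the constructed sample below
    return struct.pack("<HH", rtype, len(payload)) + payload

def format_record(ifmt, text):  # 8-bit (compressed) FORMAT record, sample use only
    body = struct.pack("<HHB", ifmt, len(text), 0) + text.encode("latin-1")
    return record(FORMAT_RECORD, body)

# Constructed sample stream (not from a real file): BOF, two FORMAT records, EOF.
SAMPLE = (record(0x0809, bytes(16))
          + format_record(164, "[>=100]0.0;[<0]-0.0;0")
          + format_record(165, "[>NOT_A_NUMBER]0")  # inert placeholder operand
          + record(0x000A, b""))
```

`suspicious_formats(SAMPLE)` returns only the record with ifmt 165. A bracketed sequence inside a quoted literal in a format string would also match, so treat a hit as a triage signal for the attachment rather than a verdict.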

CVSS provenance

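| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 7.8 | HIGH | |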