Barracuda: Immediately rip out and replace our security hardware

Barracuda: Immediately rip out and replace our security hardware

The URL should have given away that things were serious.

Filed under "Legal"
Barracuda Networks filed the security advisory under “Legal”

And then there was the very keen attempt to underline the firm’s commitment to securing your data… they definitely didn’t want you to miss that.

Barracuda friendly

We are committed to securing your data

The big friendly letters reminded me – rather aptly – of the famous words “Don’t panic!” on the front of the “HitchHiker’s Guide to the Galaxy”…

But if you were feeling a sense of panic, I probably couldn’t blame you, because security firm Barracuda Networks is warning people of a security vulnerability in its Email Security Gateway (ESG) appliance.

But more than that, Barracuda is taking the unusual step for a network security vendor of telling its customers to physically remove and decommission its hardware.

ACTION NOTICE: Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now ([email protected]).

Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.

That’s right. Barracuda is not telling you to apply a patch to the appliance that scans your incoming and outgoing email for malware. They want you to rip it out and replace it instead.

Sign up to our free newsletter.
Security news, advice, and tips.

Clearly hackers have managed to exploit security vulnerabilities on the Barracuda Email Security Gateway appliance to such an extent that any patch simply isn’t up to the job of kicking them out.

There are likely to be 10,000+ Barracuda ESG appliances in use around the world. And it appears malicious exploitation of vulnerable Barracuda ESG appliances has been taking place since at least October 2022.

No wonder Barracuda is getting some legal advice on how to communicate this to its customers.

“Don’t panic?”

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.

2 comments on “Barracuda: Immediately rip out and replace our security hardware”

  1. Jim

    Those boxes aren't cheap! If Barracuda doesn't somehow help out with the replacement, I can see some enterprises switching to another vendor.

    1. Jim · in reply to Jim

      OK, excuse the cynicism above. I'm now reading elsewhere that Barracuda are replacing the hardware free of charge.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.