Barracuda: Immediately rip out and replace our security hardware

The URL should have given away that things were serious.

https://www.barracuda.com/company/legal/esg-vulnerability

Barracuda Networks filed the security advisory under “Legal”

And then there was the very keen attempt to underline the firm’s commitment to securing your data… they definitely didn’t want you to miss that.

We are committed to securing your data

The big friendly letters reminded me – rather aptly – of the famous words “Don’t panic!” on the front of the “HitchHiker’s Guide to the Galaxy”…

But if you were feeling a sense of panic, I probably couldn’t blame you, because security firm Barracuda Networks is warning people of a security vulnerability in its Email Security Gateway (ESG) appliance.

But more than that, Barracuda is taking the unusual step for a network security vendor of telling its customers to physically remove and decommission its hardware.

ACTION NOTICE: Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now ([email protected]).

Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.

That’s right. Barracuda is not telling you to apply a patch to the appliance that scans your incoming and outgoing email for malware. They want you to rip it out and replace it instead.

Clearly hackers have managed to exploit security vulnerabilities on the Barracuda Email Security Gateway appliance to such an extent that any patch simply isn’t up to the job of kicking them out.

There are likely to be 10,000+ Barracuda ESG appliances in use around the world. And it appears malicious exploitation of vulnerable Barracuda ESG appliances has been taking place since at least October 2022.

No wonder Barracuda is getting some legal advice on how to communicate this to its customers.

“Don’t panic?”


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

2 comments on “Barracuda: Immediately rip out and replace our security hardware”

  1. Jim

    Those boxes aren't cheap! If Barracuda doesn't somehow help out with the replacement, I can see some enterprises switching to another vendor.

    1. Jim · in reply to Jim

      OK, excuse the cynicism above. I'm now reading elsewhere that Barracuda are replacing the hardware free of charge.
