Barracuda, a provider of email and network security solutions, has warned its customers that some of its Email Security Gateway (ESG) appliances have been compromised using a zero-day vulnerability in one of the modules.

Tracked as CVE-2023-2868, the flaw is an OS command injection issue that can be exploited by a remote hacker to execute arbitrary Perl commands on the target system.

The vulnerability was identified on May 19 and a security patch to address the bug was applied to all ESG appliances worldwide on May 20, 2023, the vendor said.

The vulnerability resided in a module which initially screens the attachments of incoming emails. Other Barracuda’s products, including SaaS email security services, are not affected, the company assured.

”We took immediate steps to investigate this vulnerability. Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances,” the vendor said, without disclosing any additional details regarding attacks on its equipment.

“Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers.”