8 June 2023

Orgs urged to immediately replace hacked Barracuda ESG appliances



Email and network security solutions provider Barracuda Networks has urged its customers to immediately replace compromised Email Security Gateway (ESG) appliances.

“Impacted ESG appliances must be immediately replaced regardless of patch version level. Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company said in an update to its initial security alert.

The advisory pertains to a series of attacks using a zero-day vulnerability in ESG devices disclosed at the beginning of June 2023.

Tracked as CVE-2023-2868, the flaw is an OS command injection issue that can be exploited by a remote hacker to execute arbitrary Perl commands on the target system. The vulnerability was identified on May 19, and a security patch to address the bug was applied to all ESG appliances worldwide on May 20, 2023. The vulnerability resided in a module that initially screens the attachments of incoming emails. Other Barracuda products, including SaaS email security services, are not affected.

An investigation into the incident revealed that threat actors had been exploiting said zero-day since October 2022 to backdoor devices using at least three malware families, namely, Saltwater, Seaspy, and Seaside.

