27 December 2023

Chinese hackers exploiting new Barracuda ESG zero-day to deploy malware

China-linked state-sponsored hackers are exploiting a zero-day vulnerability in Barracuda’s Email Security Gateway (ESG) appliances to deploy new variants of the Seaspy and Saltwater malware, the email and network security solutions provider has warned.

Tracked as CVE-2023-7102, the issue stems from improper input validation (CVE-2023-7101) in the third-party Perl library ‘Spreadsheet::ParseExcel’, which the appliance uses to parse Excel files. A remote attacker can send a specially crafted email with a malicious file attached and execute arbitrary code on the device. The flaw impacts ESG versions 5.1.3 - 9.2.1.001.

Spreadsheet::ParseExcel is an open source library used by the Amavis virus scanner within the ESG appliance.
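Because the attack path runs through an Excel attachment that the gateway hands to an unpatched parser, one compensating control while a library fix is pending is to hold back spreadsheet attachments for manual review before any parsing happens. The script below is an added example written for this article; it is not Barracuda's or Amavis's code. It screens an email for Excel attachments by declared MIME type, file extension, and the OLE2 container signature that legacy .xls files carry (so that a renamed file is still caught). The sample message, the addresses in it and the attachment payloads are constructed placeholders, not real files.

```python
import email
from email import policy
from email.message import EmailMessage

# Well-known file signatures: OLE2 Compound File (legacy .xls, BIFF format)
# and ZIP (OOXML .xlsx/.xlsm/.xlsb).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

EXCEL_EXTENSIONS = (".xls", ".xlt", ".xla", ".xlsx", ".xlsm", ".xlsb")
OOXML_EXTENSIONS = (".xlsx", ".xlsm", ".xlsb")
EXCEL_MIME_TYPES = {
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/excel",
    "application/x-excel",
    "application/x-msexcel",
}


def classify_attachment(filename, content_type, payload):
    """Return the reasons an attachment should be held, or [] if none apply."""
    reasons = []
    lower = (filename or "").lower()
    if lower.endswith(EXCEL_EXTENSIONS):
        reasons.append("excel-extension")
    if (content_type or "").lower() in EXCEL_MIME_TYPES:
        reasons.append("excel-mime-type")
    if payload.startswith(OLE_MAGIC):
        # Legacy .xls lives in an OLE2 container. Flag the container itself,
        # whatever the declared name, so renaming the file does not help.
        reasons.append("ole2-container")
    if payload.startswith(ZIP_MAGIC) and lower.endswith(OOXML_EXTENSIONS):
        reasons.append("ooxml-spreadsheet")
    return reasons


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and decide whether to hold it.

    Returns ("quarantine", findings) if any attachment matched, otherwise
    ("deliver", []). Each finding records the attachment and why it matched.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        content_type = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, content_type, payload)
        if reasons:
            findings.append({
                "filename": filename,
                "content_type": content_type,
                "reasons": reasons,
            })
    verdict = "quarantine" if findings else "deliver"
    return verdict, findings


def build_sample_message():
    """Constructed sample: a benign text attachment, a declared .xls, and an
    OLE2 container renamed to .pdf. Payloads are dummy bytes, not real files."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"          # placeholder address
    msg["To"] = "esg-inbox@example.test"         # placeholder address
    msg["Subject"] = "Q4 figures"
    msg.set_content("Please see the attached spreadsheet.")
    msg.add_attachment("just some notes\n", filename="notes.txt")
    msg.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application",
                       subtype="vnd.ms-excel", filename="figures.xls")
    msg.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict, findings = triage_message(build_sample_message())
    print(verdict)
    for f in findings:
        print(f"  {f['filename']} ({f['content_type']}): {', '.join(f['reasons'])}")
```

Run against the constructed message, the verdict is "quarantine" with two findings: figures.xls (extension, MIME type and OLE2 signature) and report.pdf (OLE2 signature only). On a real gateway the same policy is better expressed in the scanner's own rules; Amavis, for instance, has a banned-name mechanism (`$banned_filename_re`) that can match on extension and declared type without custom code, though it will not see through a renamed OLE2 file the way the signature check above does.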

On December 21, 2023, Barracuda deployed a security update to all active ESGs to fix the bug; however, the maintainers of Spreadsheet::ParseExcel have yet to release a patch to address CVE-2023-7101.

According to Barracuda, a Chinese threat actor tracked as UNC4841 has been exploiting the flaw “to deploy a specially crafted Excel email attachment to target a limited number of ESG devices,” on which the new variants of the Seaspy and Saltwater backdoors were then deployed. In May, it came to light that the same hacker group had exploited another zero-day (CVE-2023-2868) in ESG devices to install the Saltwater, Seaside and Seaspy malware.

“On December 22, 2023, Barracuda deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants,” the vendor said in a security advisory.

The company further noted that only a limited number of ESG appliances worldwide were compromised and that no other Barracuda product, including its SaaS email solutions, was impacted by this vulnerability.
