Voyager18 (research)

CVE-2023-7102: Another zero-day exploited in Barracuda ESG

For the second time in six months, a zero-day vulnerability has been found in Barrucada ESG. Here's what you need to know about CVE-2023-7102.

Yair Divinsky | January 10, 2024

Following recent disclosures by Barracuda Networks, Chinese threat actor UNC4841 exploited a new zero-day vulnerability (CVE-2023-7102) in Barracuda’s Email Security Gateway (ESG) appliances, targeting a limited number of devices with backdoors. This is the second zero-day vulnerability found in Barracuda ESG appliances within the past 6 months, with CVE-2023-2868 having been disclosed in August.

Here’s what you need to know:

CVE-2023-7102 at a glance

Affected products: 

Barracuda Networks’ Email Security Gateway (ESG) appliances 

Product category: 

Email/Network Security 


High (Given the ability to perform remote code execution) 


Remote Code Execution (RCE) / Zero-day Exploit 


Confidentiality (Low) 



Exploit in the wild 


CISA Catalog 


Remediation action 

Update to Security update automatically deployed on December 21, 2023 

Users of the unpatched Spreadsheet::ParseExcel Perl module (version 0.65) also need to take remedial actions. 

MITRE advisory 

 Read more


What is CVE-2023-7102?

The vulnerability, tracked as CVE-2023-7102, involves arbitrary code execution in Barracuda’s ESG appliances through a zero-day flaw in the Spreadsheet::ParseExcel Perl module used by the Amavis scanner. When triggered via a specially crafted Microsoft Excel email attachment, the flaw allows attackers, identified as UNC4841, to deploy new variants of SEASPY and SALTWATER implants, enabling persistence and command execution capabilities on compromised devices. 

Does CVE-2023-7102 affect me?

Yes, the CVE-2023-7102 vulnerability impacts Barracuda ESG appliances, targeting Microsoft Excel email attachments. Barracuda swiftly responded by automatically deploying a security update on December 21, 2023, and patching compromised devices to mitigate the risk posed by the newly identified malware variants. 



Has CVE-20237102 been actively exploited in the wild?

UNC4841 initiated the exploitation of CVE-2023-7102, targeting various high-tech companies, information technology providers, and government entities, predominantly in the U.S. and Asia-Pacific regions, from around November 30, 2023. Mandiant’s investigation suggests UNC4841’s persistence and adaptability in targeting high-priority victims through new tactics, emphasizing the need for continuous monitoring. 

How to fix CVE-2023-7102

Barracuda has released an automatic security update to remediate the CVE-2023-7102 vulnerability on December 21, 2023. Although the patch has been applied, downstream users relying on the unpatched Spreadsheet::ParseExcel Perl module (version 0.65) need to take necessary remedial actions to address the unpatched CVE-2023-7101 flaw. 

Next steps 

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. 2023 Vulnerability watch reports 
  2. MITRE ATTACK framework – Mapping techniques to CVEs  
  3. The true impact of exploitable vulnerabilities for 2024
  4. MITRE’s CWE Top 10 KEV Weaknesses: What we learned
  5. How to properly tackle zero-day threats

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy