The company is struggling to combat a sprawling malware threat that appears to have undermined its email security appliances, so they can no longer be safely updated with software fixes.
Barracuda said it hired incident response firm Mandiant on 18 May after receiving reports about unusual traffic originating from its Email Security Gateway (ESG) devices, designed to sit at the edge of an organisation's network and scan all incoming and outgoing email for malware.
On 19 May, Barracuda identified that the malicious traffic was exploiting a previously unknown vulnerability in its ESG appliances, now tracked as CVE-2023-2868, and on 20 May the company pushed a patch for the flaw to all affected appliances.
In its security advisory, Barracuda said the vulnerability existed in the ESG software component responsible for screening email attachments for malware. More alarmingly, the company said attackers had been exploiting the flaw since October 2022, months before it was discovered.
On 6 June Barracuda began urging its ESG customers to wholesale rip out and replace -- not patch -- affected appliances.
"Impacted ESG appliances must be immediately replaced regardless of patch version level," the company's advisory warned. "Barracuda's recommendation at this time is a replacement of the impacted ESG."
Barracuda says ESG customers should rotate any credentials connected to the appliances and check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators the company has released publicly.
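An indicator sweep of the kind the advisory asks for, as an added example that is not Barracuda's or Mandiant's code: it tokenises each log line, matches tokens against a published indicator list, and tags each hit by whether it falls on or after the October 2022 floor the advisory gives. Every indicator value and log line below is a constructed placeholder (documentation IP ranges, a `.invalid` hostname, a repeated-byte hash), not a real Barracuda IOC; replace them with the vendor's published list.

```python
import re
from datetime import datetime, timezone

# Constructed placeholder indicators (hypothetical values, NOT Barracuda's
# published IOCs). Substitute the vendor's network and endpoint indicators.
NETWORK_IOCS = {"203.0.113.45", "198.51.100.7", "c2.example.invalid"}
FILE_HASH_IOCS = {"deadbeef" * 8}  # a 64-hex-char SHA-256 placeholder

# The advisory says exploitation began in at least October 2022. Hits on or
# after this date are inside the known window; earlier hits are still reported,
# because "at least" makes this a floor, not a start date.
EXPLOITATION_START = datetime(2022, 10, 1, tzinfo=timezone.utc)

# Split on whitespace and the punctuation that surrounds values in logs, so an
# IP in "host:443", a hash in "sha256=<hex>" or a name in "(name)" is a token.
_TOKEN_SPLIT = re.compile(r"[\s,;:()\[\]\"'=/]+")


def parse_timestamp(line):
    """Return the UTC timestamp from a line's leading ISO-8601 field, or None
    when the line does not start with one (the caller keeps such hits but
    cannot place them in the window)."""
    first = line.split(" ", 1)[0]
    try:
        return datetime.strptime(first, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def find_indicators(line):
    """Return [(kind, value), ...] for each distinct IOC present in the line.
    Matching whole tokens, rather than substrings, stops 203.0.113.4 from
    matching inside 203.0.113.45."""
    found = []
    for tok in _TOKEN_SPLIT.split(line):
        t = tok.lower()
        if t in NETWORK_IOCS:
            hit = ("network", t)
        elif t in FILE_HASH_IOCS:
            hit = ("file_hash", t)
        else:
            continue
        if hit not in found:
            found.append(hit)
    return found


def sweep(lines, start=EXPLOITATION_START):
    """Scan an iterable of log lines and return one dict per indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        ts = parse_timestamp(line)
        for kind, value in find_indicators(line):
            hits.append({
                "line": n,
                "timestamp": ts,
                "kind": kind,
                "indicator": value,
                # True/False when dated; None when the line had no timestamp
                "in_window": None if ts is None else ts >= start,
            })
    return hits


def summarize(hits):
    """Counts a responder would report: everything found, how many fall in the
    known exploitation window, and how many could not be dated."""
    return {
        "total": len(hits),
        "in_window": sum(1 for h in hits if h["in_window"]),
        "undated": sum(1 for h in hits if h["in_window"] is None),
    }


# Constructed sample log lines in a hypothetical ESG-style format.
SAMPLE_LOGS = [
    "2022-09-15T10:00:00Z esg smtp: inbound connection from 203.0.113.45",
    "2022-11-02T03:12:44Z esg smtp: outbound connection to 203.0.113.45:443",
    "2023-01-20T08:00:01Z esg scan: attachment sha256=" + "deadbeef" * 8 + " quarantined",
    "2023-02-11T12:30:00Z esg dns: query c2.example.invalid type A",
    "2023-03-01T00:00:00Z esg smtp: inbound connection from 192.0.2.10",
    "malformed line mentioning 198.51.100.7 with no timestamp",
]

if __name__ == "__main__":
    results = sweep(SAMPLE_LOGS)
    for h in results:
        print(h)
    print(summarize(results))
```

The pre-October hit on line 1 is deliberately kept and reported with `in_window` set to False: the advisory's date is the earliest exploitation Barracuda could confirm, so an earlier match is a lead to investigate, not noise to discard.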