Barracuda Networks recently faced a dilemma when it discovered two zero-day vulnerabilities, CVE-2023-7102 and CVE-2023-7101. The two are closely connected to an Arbitrary Code Execution (ACE) vulnerability discovered in the third-party library Spreadsheet::ParseExcel. These security holes presented a significant risk because the China-nexus actor UNC4841 used them to target Barracuda Email Security Gateway (ESG) appliances with malicious Excel email attachments.
The first Barracuda ESG vulnerability, CVE-2023-7102, was investigated by the Barracuda security team and Mandiant. It allowed threat actors to execute arbitrary code within the Spreadsheet::ParseExcel third-party library that is part of the ESG appliance.