Chinese threat actors [1] [2] [3] [4] [5] [6] [7], known as UNC4841 [2] [4] [5] [6] [7], have targeted Barracuda Networks’ Email Security Gateway (ESG) appliances multiple times [4]. In this article, we will provide a detailed description of their latest attack and the vulnerabilities they exploited.


In October 2022 [1] [2] [3] [5] [6] [7], UNC4841 launched an attack on Barracuda Networks’ Email Security Gateway (ESG) appliances [4]. This attack was discovered by Mandiant and involved the exploitation of an arbitrary code execution (ACE) zero-day vulnerability, tracked as CVE-2023-7102 [1] [4] [5] [6] [7]. The vulnerability was found in a third-party open source software library called SpreadsheetParseExcel, which is used by the Amavis scanner [1] [2]. By exploiting this vulnerability, UNC4841 was able to deploy a backdoor on a limited number of devices and send malicious Excel email attachments.

Barracuda Networks promptly released a security update to address the vulnerability, ensuring that customers did not need to take any action. However, UNC4841 also deployed new variants of Seaspy and Saltwater malware in previous ESG attacks [4], creating additional backdoors. To address this, Barracuda Networks released a patch to fix the compromised ESG appliances and disclosed a second flaw [4], CVE-2023-7101 [1] [2] [3] [4] [5] [6] [7], in the SpreadsheetParseExcel Perl module [3] [4] [5] [6] [7]. While the specific details of the activity surrounding CVE-2023-7101 are unknown, organizations using SpreadsheetParseExcel are advised to review and implement necessary remediation measures [4].

The impact of these attacks has been significant, affecting organizations in at least 16 countries [2] [3] [5] [6] [7]. UNC4841 has demonstrated adaptability in targeting high priority targets using new tactics and techniques [5].


The recent attack by UNC4841 on Barracuda Networks’ Email Security Gateway appliances highlights the ongoing threat posed by Chinese threat actors. While Barracuda Networks has taken steps to address the vulnerabilities and provide security updates, organizations using SpreadsheetParseExcel should remain vigilant and review their security measures. The adaptability shown by UNC4841 suggests that they will continue to target high priority targets with new tactics and techniques, emphasizing the need for constant vigilance and proactive security measures.