The FBI has issued an urgent warning regarding Barracuda Network’s Email Security Gateway (ESG) devices, saying they are still vulnerable to a zero-day exploit.

Barracuda identified a vulnerability in its ESG devices in late May. While the company issued fixes in an effort to address the flaw, the FBI says the fixes are “ineffective” and the devices are still vulnerable to attack.

The FBI announced its findings in an FBI Flash:

As a part of the FBI investigation into the exploitation of CVE-2023-2868, a zero day vulnerability in Barracuda Network’s Email Security Gateway (ESG) appliances, the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability.

Barracuda is now advising customers to completely replace the devices as soon as possible:

Barracuda’s recommendation is unchanged. Customers should discontinue use of the compromised ESG appliance and contact Barracuda support ([email protected]) to obtain a new ESG virtual or hardware appliance.

Given the severity of the issue, users of the impacted Barracuda ESG devices should contact the company immediately to get a replacement.

In the meantime, customers can learn more here.