{"uuid": "78c7cc22-0d87-4e5e-ad1e-553f34850a47", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-7102", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/smtp/barracuda_esg_spreadsheet_rce.rb", "content": "{\"aliases\": [], \"arch\": \"cmd\", \"author\": [\"Mandiant\", \"haile01\", \"Curt Hyvarinen\"], \"autofilter_ports\": [25, 465, 587, 2525, 25025, 25000], \"autofilter_services\": [\"smtp\", \"smtps\"], \"check\": true, \"default_credential\": false, \"description\": \"This module exploits CVE-2023-7102, an arbitrary code execution vulnerability\\n          in Barracuda Email Security Gateway (ESG) appliances. The vulnerability exists\\n          in how the Amavis scanner processes Excel attachments using the Perl\\n          Spreadsheet::ParseExcel library.\\n\\n          The library's Utility.pm contains an unsafe eval() that processes Excel\\n          Number format strings without validation (the library flaw itself is tracked\\n          as CVE-2023-7101). By crafting a malicious XLS file\\n          with a specially formatted Number format string containing Perl code, an\\n          attacker can achieve remote code execution when the ESG scans the email\\n          attachment.\\n\\n          This module dynamically generates a minimal BIFF8 XLS file with the payload\\n          embedded in a FORMAT record using Rex::OLE. Payload constraints: no ']' (terminates\\n          format string) or single quotes (breaks Perl eval injection).\\n\\n          This vulnerability was exploited in the wild by UNC4841 (China-nexus threat\\n          actor) starting November 2023. Barracuda deployed automatic patches on\\n          December 21, 2023.\\n\\n          Affected versions: Barracuda ESG 5.1.3.001 through 9.2.1.001\", \"disclosure_date\": \"2023-12-24\", \"fullname\": \"exploit/linux/smtp/barracuda_esg_spreadsheet_rce\", \"is_install_path\": true, \"mod_time\": \"2026-05-19 10:12:39 +0000\", \"name\": \"Barracuda ESG Spreadsheet::ParseExcel Arbitrary Code Execution\", \"needs_cleanup\": null, \"notes\": {\"Reliability\": [\"repeatable-session\"], \"SideEffects\": [\"ioc-in-logs\", \"artifacts-on-disk\"], \"Stability\": [\"crash-safe\"]}, \"path\": \"/modules/exploits/linux/smtp/barracuda_esg_spreadsheet_rce.rb\", \"platform\": \"Unix\", \"post_auth\": false, \"rank\": 600, \"ref_name\": \"linux/smtp/barracuda_esg_spreadsheet_rce\", \"references\": [\"CVE-2023-7102\", \"CVE-2023-7101\", \"URL-https://github.com/haile01/perl_spreadsheet_excel_rce_poc\", \"URL-https://trust.barracuda.com/security/information/esg-vulnerability\", \"URL-https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation\", \"URL-https://nvd.nist.gov/vuln/detail/CVE-2023-7101\"], \"rport\": 25, \"session_types\": false, \"targets\": [\"Unix Command\"], \"type\": \"exploit\"}", "creation_timestamp": "2026-05-19T17:10:22.000000Z"}