Barracuda, an enterprise security company, is advising customers impacted by a recently discovered zero-day vulnerability in its Email Security Gateway (ESG) appliances to replace them immediately. The recommendation for full replacement suggests that the threat actors behind the campaign may have tampered with the firmware at a deeper level that cannot be fully addressed by a patch. The critical flaw (CVE-2023-2868) has been exploited as a zero-day since October 2022, allowing attackers to deliver customized malware and steal data. The vulnerability involves remote code injection in ESG versions 5.1.3.001 through 9.2.0.006 and was partially addressed with patches released in May 2023. The extent of the incident is still unknown, but the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised federal agencies to apply the fixes by June 16, 2023.