Barracuda ESG Spreadsheet::ParseExcel Arbitrary Code Execution
| Disclosed | Created |
|---|---|
| Dec 24, 2023 | May 19, 2026 |
Description
This module exploits CVE-2023-7102, an arbitrary code execution vulnerability
in Barracuda Email Security Gateway (ESG) appliances. The vulnerability exists
in how the Amavis scanner processes Excel attachments using the Perl
Spreadsheet::ParseExcel library.
The library's Utility.pm contains an unsafe eval() that processes Excel
Number format strings without validation. By crafting a malicious XLS file
with a specially formatted Number format string containing Perl code, an
attacker can achieve remote code execution when the ESG scans the email
attachment.
This module dynamically generates a minimal BIFF8 XLS file with the payload
embedded in a FORMAT record using Rex::OLE. Payload constraints: no ']' (terminates
format string) or single quotes (breaks Perl eval injection).
This vulnerability was exploited in the wild by UNC4841 (China-nexus threat
actor) starting November 2023. Barracuda deployed automatic patches on
December 21, 2023.
Affected versions: Barracuda ESG 5.1.3.001 through 9.2.1.001
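The description above explains that the code path is reached through the format string of a FORMAT record inside the workbook's BIFF8 stream. The following scanner, an added example that is not part of the Metasploit module or of Spreadsheet::ParseExcel, walks a raw BIFF8 record stream, decodes every FORMAT record, and flags bracketed sections whose contents fall outside the character set that legitimate Excel number formats use (colours, conditions, locale codes, elapsed-time markers). It assumes the Workbook stream has already been pulled out of the OLE container (for example with the olefile library); the SAMPLE_STREAM is constructed inline purely to exercise the scanner and is not a real file. The whitelist is a detection heuristic, not a specification of what the vulnerable eval() accepts.

```python
import struct

# BIFF8 record type ids as defined in the [MS-XLS] specification
BOF = 0x0809
EOF = 0x000A
FORMAT = 0x041E

# Characters that legitimate bracketed sections of an Excel number format use:
# colours ([Red]), conditions ([>=100]), locale/currency ([$-409], [$€-2]),
# elapsed time ([h], [mm]). Any other character inside [...] is flagged (heuristic).
SAFE_BRACKET_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789$-<>=.,:€£¥ "
)


def iter_records(stream: bytes):
    """Yield (record_type, body) for each record in a raw BIFF stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, pos)
        body = stream[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated record at offset %d" % pos)
        yield rtype, body
        pos += 4 + length


def decode_xl_unicode_string(data: bytes) -> str:
    """Decode a BIFF8 XLUnicodeString: cch (2 bytes), flags (1 byte), characters."""
    cch, flags = struct.unpack_from("<HB", data, 0)
    if flags & 0x01:  # fHighByte set: characters are UTF-16LE
        return data[3:3 + 2 * cch].decode("utf-16-le")
    return data[3:3 + cch].decode("latin-1")


def format_strings(stream: bytes):
    """Return (ifmt, format_string) for every FORMAT record in the stream."""
    out = []
    for rtype, body in iter_records(stream):
        if rtype == FORMAT:
            ifmt = struct.unpack_from("<H", body, 0)[0]
            out.append((ifmt, decode_xl_unicode_string(body[2:])))
    return out


def suspicious_sections(fmt: str):
    """Return bracketed sections whose content contains characters outside the whitelist."""
    bad = []
    i = 0
    while True:
        start = fmt.find("[", i)
        if start < 0:
            break
        end = fmt.find("]", start)
        if end < 0:  # unterminated bracket: treat the remainder as one section
            end = len(fmt)
        section = fmt[start + 1:end]
        if any(c not in SAFE_BRACKET_CHARS for c in section):
            bad.append(section)
        i = end + 1
    return bad


def scan(stream: bytes):
    """Return (ifmt, format_string, bad_sections) for each flagged FORMAT record."""
    findings = []
    for ifmt, fmt in format_strings(stream):
        bad = suspicious_sections(fmt)
        if bad:
            findings.append((ifmt, fmt, bad))
    return findings


# --- constructed sample stream: built here only to exercise the scanner ---
def _record(rtype: int, body: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(body)) + body


def _format_record(ifmt: int, fmt: str) -> bytes:
    s = fmt.encode("latin-1")
    return _record(FORMAT, struct.pack("<H", ifmt) + struct.pack("<HB", len(s), 0) + s)


SAMPLE_STREAM = (
    _record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0x0006))
    + _format_record(164, "[Red]0.00;[Blue]-0.00")   # legitimate colour sections
    + _format_record(165, "[$-409]mmm d, yyyy")      # legitimate locale section
    + _format_record(166, "0.00[dummy(1);marker]")   # constructed code-like section
    + _record(EOF, b"")
)

if __name__ == "__main__":
    for ifmt, fmt, bad in scan(SAMPLE_STREAM):
        print("FORMAT ifmt=%d %r -> suspicious sections %r" % (ifmt, fmt, bad))
```

On the constructed stream only the third FORMAT record is reported, because parentheses and a semicolon never appear inside a legitimate bracketed section. In a mail gateway this check belongs in front of the spreadsheet parser, so that an attachment whose format strings look like code is quarantined before any library evaluates them.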
Authors
Mandiant
haile01
Curt Hyvarinen
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':