CVE-2023-7101 — Spreadsheet::ParseExcel Remote Code Execution Vulnerability

CVE-2023-7101

Spreadsheet::ParseExcel Perl Library — Eval Injection via Malicious Number Format Strings in XLS Files; UNC4841 (China-Nexus) Exploited via Barracuda ESG; KEV January 2024

What is Spreadsheet::ParseExcel?

Spreadsheet::ParseExcel is a widely used open-source Perl library (CPAN module) for parsing Microsoft Excel files in the legacy .xls (BIFF8) format. It is used by applications, security appliances, and services that need to process or scan Excel attachments — including email security gateways, malware scanners, and data processing pipelines. The Barracuda Email Security Gateway (ESG) uses Spreadsheet::ParseExcel as part of its email attachment scanning capability, which is how CVE-2023-7101 became the vector for a targeted Barracuda ESG exploitation campaign by Chinese nation-state actors.

Overview

CVE-2023-7101 is a remote code execution vulnerability in the Spreadsheet::ParseExcel Perl library arising from the use of Perl's eval function to evaluate Number format strings extracted from Excel files without sanitization. An attacker can create a malicious .xls file containing a crafted Number format string that, when processed by Spreadsheet::ParseExcel, causes the library to eval attacker-controlled Perl code on the host system. The vulnerability was exploited by UNC4841 — the same China-nexus group responsible for the earlier Barracuda ESG zero-day campaign (CVE-2023-2868) — to compromise Barracuda ESG appliances a second time through a new attack path (tracked as CVE-2023-7102, the Barracuda-specific downstream issue).

Affected Versions

Product                                  | Vulnerable        | Fixed
Spreadsheet::ParseExcel (CPAN)           | 0.65 and earlier  | 0.66 (patch available on CPAN)
Barracuda ESG (downstream CVE-2023-7102) | Multiple versions | Barracuda ESG hotfix — apply per Barracuda advisory

Any application using Spreadsheet::ParseExcel to process untrusted Excel files is potentially vulnerable.

Technical Details

The weakness is CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, i.e. eval injection). Spreadsheet::ParseExcel's parsing logic extracts Number format strings from the .xls binary format and passes them to Perl's eval function to build the display formatting. Perl's eval executes its string argument as Perl code, so if an attacker embeds a Perl expression inside a Number format string in an Excel file (e.g., system("malicious_command")), the library runs it as Perl code while parsing the file.
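As an added defender-side example (not code from the original advisory or from the Spreadsheet::ParseExcel project), the Python below walks a BIFF8 Workbook stream, decodes its FORMAT records and flags number-format strings that contain tokens outside Excel's number-format grammar, the kind of pre-filter a scanning pipeline could apply before handing a .xls file to a parser. It assumes the Workbook stream has already been extracted from the OLE2 container (for instance with the olefile library); the allowlist is a heuristic and the sample records are constructed.

```python
import re
import struct

FORMAT_RECORD = 0x041E  # BIFF8 FORMAT record id (number format table entry)

def iter_biff_records(stream):
    """Yield (record_id, data) for each record in a BIFF Workbook stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        pos += 4
        yield rec_id, stream[pos:pos + length]
        pos += length

def decode_format_record(data):
    """FORMAT body: 2-byte ifmt, then XLUnicodeString (2-byte cch, 1 flag byte, chars)."""
    ifmt, cch, flags = struct.unpack_from("<HHB", data, 0)
    body = data[5:]
    if flags & 0x01:  # fHighByte set: characters are UTF-16LE
        return ifmt, body[:cch * 2].decode("utf-16-le")
    return ifmt, body[:cch].decode("latin-1")

# Bare letter runs a number format may contain: General, AM/PM, date/time codes, E exponent.
ALLOWED_WORDS = re.compile(r"^(general|am|pm|a|p|e|[ymdhsbg]+)$", re.I)
ALLOWED_PUNCT = set("0123456789 .,#?%+-$()[];\"_*\\@/:!")  # grammar punctuation

def is_suspicious_format(fmt):
    """Heuristic: True when a format string carries tokens the grammar does not allow."""
    stripped = re.sub(r'"[^"]*"|\[[^\]]*\]|\\.|_.', "", fmt)  # drop literals, [..], escapes
    if any(not ch.isalpha() and ch not in ALLOWED_PUNCT for ch in stripped):
        return True
    return any(not ALLOWED_WORDS.match(w) for w in re.findall(r"[A-Za-z]+", stripped))

def scan_workbook_stream(stream):
    """Return (ifmt, text) for every FORMAT record whose string looks like injected code."""
    formats = (decode_format_record(d) for r, d in iter_biff_records(stream) if r == FORMAT_RECORD)
    return [(ifmt, text) for ifmt, text in formats if is_suspicious_format(text)]

def build_format_record(ifmt, text):
    """Constructed test helper: encode an 8-bit (compressed) FORMAT record."""
    raw = text.encode("latin-1")
    payload = struct.pack("<HHB", ifmt, len(raw), 0) + raw
    return struct.pack("<HH", FORMAT_RECORD, len(payload)) + payload

# Constructed sample Workbook stream: two benign formats and one Perl-like payload.
SAMPLE_STREAM = (build_format_record(164, '#,##0.00;[Red]-#,##0.00')
                 + build_format_record(165, 'yyyy-mm-dd hh:mm:ss AM/PM')
                 + build_format_record(166, 'system("malicious_command")'))
```

A hit only says the format string is not something Excel itself would have written; the file should then be quarantined rather than parsed.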

The attack vector is AV:L (Local) with UI:R because the exploit requires processing a malicious file — but in the context of an email security gateway that automatically processes all incoming email attachments, a remote attacker can trigger exploitation simply by sending a malicious email containing a crafted .xls attachment to any address handled by the vulnerable appliance.

For Barracuda ESG specifically (CVE-2023-7102), UNC4841 exploited this to install the SEASPY backdoor and SALTWATER web shell on ESG appliances — repeating the pattern from their earlier CVE-2023-2868 campaign against the same product.

Discovery

The eval injection vulnerability in Spreadsheet::ParseExcel was identified by Barracuda's security team while investigating the CVE-2023-7102 Barracuda ESG compromise campaign attributed to UNC4841. The upstream library vulnerability was disclosed simultaneously with the Barracuda-specific downstream CVE.

Exploitation Context

UNC4841 — a China-nexus espionage actor previously confirmed exploiting CVE-2023-2868 (Barracuda ESG TAR injection zero-day) — returned with a second exploitation campaign targeting Barracuda ESG appliances using the Spreadsheet::ParseExcel vulnerability. The actor sent targeted malicious emails with crafted .xls attachments to Barracuda ESG customers; when the gateway scanned the attachments, it triggered code execution and deployed the SEASPY and SALTWATER implants.

The CPAN library nature of CVE-2023-7101 means the vulnerability affects any application using Spreadsheet::ParseExcel to process untrusted Excel files — not only Barracuda products. Organizations using custom Perl applications, security tools, or data processing pipelines that call this library are independently at risk.

Remediation

  1. Update Spreadsheet::ParseExcel to version 0.66 or later via CPAN (cpan Spreadsheet::ParseExcel).
  2. Barracuda ESG customers: apply the Barracuda-specific hotfix for CVE-2023-7102 per Barracuda's advisory — Barracuda ESG appliances receive automatic updates for security fixes.
  3. If running a Barracuda ESG and previously compromised via CVE-2023-2868: assume CVE-2023-7102 re-compromise may have occurred — review for SEASPY/SALTWATER persistence.
  4. Audit all Perl applications and security tools in your environment for use of Spreadsheet::ParseExcel — update all instances.
  5. For any application processing untrusted Excel files, consider adding file type validation and sandboxing attachment scanning in isolated environments.

Key Details

Property             | Value
CVE ID               | CVE-2023-7101
Vendor / Product     | Spreadsheet::ParseExcel — Spreadsheet::ParseExcel
NVD Published        | 2023-12-24
NVD Last Modified    | 2025-10-24
CVSS 3.1 Score       | 7.8
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-95
CISA KEV Added       | 2024-01-02
CISA KEV Deadline    | 2024-01-23
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Local
Attack Complexity   | Low
Privileges Required | None
User Interaction    | Required
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2024-01-23. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2023-12-24 | CVE-2023-7101 published — eval injection in Spreadsheet::ParseExcel Perl library via malicious Number format strings
2023-12-24 | Barracuda discloses CVE-2023-7102 — Barracuda ESG-specific downstream exploitation of CVE-2023-7101 by UNC4841
2024-01-02 | CISA adds CVE-2023-7101 to Known Exploited Vulnerabilities catalog
2024-01-23 | CISA BOD 22-01 remediation deadline