Libraesva ESG Vulnerability Let Attackers Inject Malicious Commands


A security flaw in Libraesva ESG email security gateways that let threat actors execute arbitrary commands on the appliance through specially crafted email attachments has been identified and patched. 

The vulnerability, tracked as CVE-2025-59689, affects multiple versions of the popular email security platform and has already been exploited by what security researchers believe to be a foreign state-sponsored threat actor.

The vulnerability stems from improper input sanitization during the removal of active code from files contained within compressed archive formats. 

When Libraesva ESG processes emails containing specially crafted compressed attachments, the security gateway fails to properly sanitize input parameters, creating an opportunity for command injection attacks. 

Libraesva ESG Command Injection Vulnerability

This flaw affects all Libraesva ESG versions starting from version 4.5, making it a widespread security concern for organizations relying on the platform for email security.

The attack requires no action from the recipient: the payload arrives through ordinary email delivery and is processed by the gateway's attachment handling before any user sees the message. 


Attackers can craft compressed archives whose contents are designed to trip up the application's sanitization logic. 

Once the sanitization is bypassed, the attacker can execute arbitrary shell commands as a non-privileged user on the gateway. That is not root, but it is a foothold on a device that handles the organization's mail flow, and it is where an intruder would start.
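The advisory does not say which parameter was injectable, so the following added example reconstructs the bug class rather than Libraesva's code: a gateway that hands an archive member name to a shell while stripping active content, shown next to a hardened version in which attacker-controlled names never reach a command line. The tool name (`echo` stands in for the stripper), function names, and the in-memory archive are all constructed for the demonstration and are not from the original page.

```python
"""Added illustration of the bug class described above: a mail gateway that
passes data from an attachment to a shell while stripping active content.
NOT Libraesva's code. The advisory does not name the injectable parameter,
so the archive member name is ASSUMED as the vector; the tool name, function
names and archive contents are constructed for the demo."""
import io
import os
import re
import subprocess
import tempfile
import zipfile

# Stand-in for the external active-code stripper. A real gateway would run a
# document-cleaning tool; `echo` lets us observe the command line harmlessly.
STRIPPER = "echo"

# Constructed sample: a ZIP whose member name carries a shell payload. The
# member contents are inert; only the filename is hostile.
CRAFTED_MEMBER = "report.docx; echo INJECTED"


def build_crafted_archive() -> bytes:
    """Return an in-memory ZIP with one benign and one crafted member name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quarterly.docx", b"placeholder document bytes")
        zf.writestr(CRAFTED_MEMBER, b"placeholder document bytes")
    return buf.getvalue()


def strip_active_code_unsafe(archive: bytes) -> list[str]:
    """Vulnerable pattern: the member name is interpolated into a shell command.

    The ';' in the crafted name ends the intended command, and the remainder
    runs as a second command under the gateway's unprivileged service user."""
    outputs = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            proc = subprocess.run(f"{STRIPPER} stripping {name}", shell=True,
                                  capture_output=True, text=True)
            outputs.append(proc.stdout.strip())
    return outputs


# Only a short alphanumeric extension is preserved from the original name.
SAFE_EXT = re.compile(r"\.[A-Za-z0-9]{1,8}$")


def strip_active_code_safe(archive: bytes) -> list[str]:
    """Hardened pattern: attacker-controlled names never reach the command line.

    Each member is written to a gateway-generated path (keeping only a
    validated extension so a tool can pick the right handler), and the tool
    is invoked with an argv list, so no shell ever parses the input."""
    outputs = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf, \
            tempfile.TemporaryDirectory() as workdir:
        for idx, info in enumerate(zf.infolist()):
            match = SAFE_EXT.search(info.filename)
            ext = match.group(0).lower() if match else ".bin"
            path = os.path.join(workdir, f"member-{idx:04d}{ext}")
            with open(path, "wb") as fh:
                fh.write(zf.read(info))
            proc = subprocess.run([STRIPPER, "stripping", path],
                                  capture_output=True, text=True, check=True)
            outputs.append(proc.stdout.strip())
    return outputs


if __name__ == "__main__":
    archive = build_crafted_archive()
    print("unsafe:", strip_active_code_unsafe(archive))
    print("safe:  ", strip_active_code_safe(archive))
```

Running it shows the unsafe path emitting a separate `INJECTED` line for the crafted member, while the safe path reports only gateway-chosen paths such as `member-0001.bin`. The important design choice is the second one: quoting the filename would also defeat this particular payload, but not letting untrusted names near a command line at all removes the whole class, including the next metacharacter the quoting routine forgot.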

Risk factors at a glance

Affected products: Libraesva ESG 4.5 through 5.5
Impact: Execution of arbitrary shell commands as a non-privileged user on the appliance
Exploit prerequisites: The gateway receives and processes an email carrying a specially crafted compressed attachment in one of the affected archive formats
CVSS 3.1 score: 6.1 (Medium)

Mitigations

Libraesva released fixes within 17 hours of discovering the flaw. 

The company released emergency patches for multiple versions: ESG 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. 

These patches were pushed to every ESG 5.x installation, cloud and on-premise alike, through the platform's automated update channel, with telemetry confirming each deployment. Cloud customers and on-premise 5.x customers therefore needed no manual intervention.

The remediation package included not only the core fix for the sanitization flaw but also automated indicator-of-compromise (IoC) scanning and a self-assessment module. 

Together these let an affected appliance confirm that the fix was applied and check for any residue of exploitation attempts that preceded the patch.

Organizations still running version 4.x, which has reached end of support, receive no fix for that branch and must manually upgrade to a patched 5.x build to be protected. 
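For an administrator checking a fleet against the fixed builds listed above, the following added helper (not a Libraesva tool) classifies an ESG version string as patched, vulnerable, end-of-support (4.x), not listed (older than 4.5), or an unknown 5.x branch. Version strings are assumed to be plain dotted integers, and the sample inventory is constructed for illustration.

```python
"""Added helper, not a Libraesva tool: classify an ESG version against the
fixed builds named in the advisory. Version strings are ASSUMED to be plain
dotted integers such as "5.3.16"; anything else raises ValueError."""

# Fixed build per 5.x branch, as listed in the advisory.
FIXED_BUILDS = {
    (5, 0): (5, 0, 31),
    (5, 1): (5, 1, 20),
    (5, 2): (5, 2, 31),
    (5, 3): (5, 3, 16),
    (5, 4): (5, 4, 8),
    (5, 5): (5, 5, 7),
}
FIRST_AFFECTED = (4, 5)  # the advisory lists 4.5 as the oldest affected release

# Constructed sample inventory (hostname -> reported ESG version).
SAMPLE_INVENTORY = {
    "mx1.example.internal": "5.5.7",
    "mx2.example.internal": "5.2.30",
    "mx-legacy.example.internal": "4.9.1",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "5.3.16" into (5, 3, 16); reject anything that is not dotted ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', 'end-of-support', 'not-listed' or
    'unknown-branch' for one appliance version."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not-listed"          # older than 4.5: not in the advisory's range
    if v[0] == 4:
        return "end-of-support"      # affected, and no 4.x fix exists: upgrade to 5.x
    if v[0] == 5:
        fixed = FIXED_BUILDS.get(v[:2])
        if fixed is None:
            return "unknown-branch"  # a 5.x line the advisory does not list
        return "patched" if v >= fixed else "vulnerable"
    return "unknown-branch"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment so the vulnerable ones stand out."""
    groups: dict[str, list[str]] = {}
    for host, version in inventory.items():
        groups.setdefault(assess(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:15} {', '.join(hosts)}")
```

Note that the check is per branch: 5.2.30 is vulnerable even though it is numerically higher than the 5.1.20 fix, because each 5.x line received its own patched build. Appliances that report an unlisted branch or a 4.x version should be treated as unpatched until an upgrade is confirmed.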

The single confirmed exploitation incident, attributed to a foreign hostile state actor, shows that the flaw was worth a targeted operation despite its medium CVSS score, and underscores the importance of keeping email security infrastructure on current, supported software versions.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.