State-sponsored hackers exploited a vulnerability, tracked as CVE-2025-59689, in Libraesva Email Gateway via malicious attachments.
Nation-state actors exploited a command injection flaw, tracked as CVE-2025-59689, in Libraesva Email Security Gateway.
Libraesva Email Security Gateway is an advanced secure email gateway (SEG) solution developed by the Italian cybersecurity company Libraesva.
It’s designed to protect organizations against email-borne threats, including spam and phishing emails, business email compromise (BEC) attempts, malware and ransomware delivered via attachments or links, and advanced persistent threats (APTs) that use email as an entry point. An attacker could trigger the vulnerability by sending malicious emails containing specially crafted compressed attachments. The flaw lets attackers run arbitrary commands as a non-privileged user due to improper sanitization of code in certain compressed archives.
“Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious e-mail containing a specially crafted compressed attachment, allowing potential execution of arbitrary commands as a non-privileged user,” reads the company’s advisory. “This occurs due to an improper sanitization during the removal of active code from files contained in some compressed archive formats.”
The company identified at least one incident involving the vulnerability and attributes the attack to a nation-state actor.
“One confirmed incident of abuse has been identified. The threat actor is believed to be a foreign hostile state entity,” the company states. “The single‑appliance focus underscores the precision of the threat actor (believed to be a foreign hostile state) and highlights the importance of rapid, comprehensive patch deployment.”
The archive manipulates the app’s sanitization logic, allowing a bypass that lets the attacker execute arbitrary shell commands as a non-privileged user.
The vulnerability impacts versions of Libraesva ESG starting from version 4.5 up to 5.5. However, the company only addressed the issue for ESG 5.x versions because versions 4.x are no longer supported.
“An attacker can exploit this flaw by sending an e‑mail that contains a specially crafted compressed archive. The vulnerability is only triggered with specific archive formats. Within the archive, the payload files are constructed to manipulate the application’s sanitization logic, exploiting an improper sanitization of input parameters,” continues the advisory.
“Once the sanitization bypass is achieved, the attacker can execute arbitrary shell commands under a non‑privileged user account.”
Pierluigi Paganini
(SecurityAffairs – hacking, nation-state hackers)