CVE-2025-59689
published 2025-09-19

Priority: P1 (81)
CVSS 3.1: 6.1 (medium)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Flags: KEV, ITW
CISA Known Exploited Vulnerability, remediation due 2025-10-20
Exploited in the wild
EPSS: 1.93% (77.4th percentile)

Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5 a fix has been released in 5.5.7.

Affected

10 ranges

Vendor      Product                   Version range          Fixed in
libraesva   email_security_gateway    >= 4.5   < 5.0.31      5.0.31
libraesva   email_security_gateway    >= 5.1   < 5.1.20      5.1.20
libraesva   email_security_gateway    >= 5.1.0 < 5.1.20      5.1.20
libraesva   email_security_gateway    >= 5.2   < 5.2.31      5.2.31
libraesva   email_security_gateway    >= 5.2.0 < 5.2.31      5.2.31
libraesva   email_security_gateway    >= 5.3   < 5.4.8       5.4.8
libraesva   email_security_gateway    >= 5.3.0 < 5.3.16      5.3.16
libraesva   email_security_gateway    >= 5.4.0 < 5.4.8       5.4.8
libraesva   email_security_gateway    >= 5.5   < 5.5.7       5.5.7
libraesva   email_security_gateway    >= 5.5.0 < 5.5.7       5.5.7

Detection & IOCs (extracted from sources)

  • Trigger vector is a maliciously crafted compressed email attachment — monitor for inbound emails with compressed archive attachments (e.g., ZIP, TAR, etc.) being processed by Libraesva ESG, especially those resulting in unexpected process spawning from the ESG mail-processing service.
  • Root cause is improper sanitization during active-code removal from files inside compressed archives — look for anomalous child process execution (e.g., shell spawning) from Libraesva ESG mail-processing components.
  • Commands execute as a non-privileged user — on ESG appliances, alert on unexpected shell commands or process trees spawned under non-root/non-admin service accounts associated with email processing.
  • The vendor's patch includes an automated IOC scan — use the self-assessment module shipped with the emergency update to verify whether the environment has already been breached.
  • The emergency patch was deployed automatically to both cloud and on-premise deployments — verify patch application using the vendor's self-assessment module, as automatic deployment does not guarantee successful application.
  • CISA KEV remediation deadline is 2025-10-20; vendor advisory and full details available at the official Libraesva knowledge base URL.
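The first three bullets above describe one detection pattern: a shell or script interpreter spawned by the mail-processing service, under its non-root service account, shortly after a compressed attachment was handled. The following is an added example of that correlation logic written for this page; it is not code from the CVE record, from CISA or from Libraesva. The telemetry format, the parent process name `mailscanner`, the service account `mailuser` and the log lines themselves are constructed assumptions, to be mapped onto whatever process-creation and mail-pipeline events your appliance's auditd or EDR actually emits.

```python
"""Flag shell/interpreter spawns from the mail pipeline and correlate them
with recently processed archive attachments (added example, hypothetical
process and account names)."""
import json

# Child processes the active-code removal step should never need to spawn.
SHELLS = {"sh", "bash", "dash", "perl", "python", "python3"}
# Attachment types the CVE record names as the trigger vector.
ARCHIVE_EXTS = (".zip", ".tar", ".tgz", ".gz", ".7z", ".rar")
# Hypothetical names: the mail-processing parent and its service account.
MAIL_PIPELINE_PARENTS = {"mailscanner"}
MAIL_SERVICE_USERS = {"mailuser"}

# Constructed sample telemetry (JSON lines, not real appliance logs).
#   kind=attachment : the pipeline began handling an attachment
#   kind=process    : a process-creation event (parent, child, user)
SAMPLE_LOG = """\
{"ts": 100, "kind": "attachment", "filename": "invoice.zip"}
{"ts": 105, "kind": "process", "parent": "mailscanner", "child": "unzip", "user": "mailuser"}
{"ts": 106, "kind": "process", "parent": "mailscanner", "child": "sh", "user": "mailuser"}
{"ts": 200, "kind": "process", "parent": "sshd", "child": "bash", "user": "admin"}
{"ts": 300, "kind": "attachment", "filename": "report.pdf"}
{"ts": 302, "kind": "process", "parent": "mailscanner", "child": "perl", "user": "mailuser"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line must not take the detector down
    return sorted(events, key=lambda e: e["ts"])


def is_archive(filename):
    return filename.lower().endswith(ARCHIVE_EXTS)


def find_suspicious_spawns(events, window=60):
    """Return one alert per shell/interpreter spawned by the mail pipeline.

    Severity is 'high' when an archive attachment was processed within
    `window` seconds before the spawn (the CVE's trigger vector), else
    'medium'. Non-pipeline parents (e.g. sshd) are ignored.
    """
    alerts = []
    recent_archives = []  # (ts, filename) of archive attachments seen so far
    for ev in events:
        if ev["kind"] == "attachment":
            if is_archive(ev["filename"]):
                recent_archives.append((ev["ts"], ev["filename"]))
            continue
        if ev["kind"] != "process":
            continue
        if ev["parent"] not in MAIL_PIPELINE_PARENTS or ev["child"] not in SHELLS:
            continue
        context = [f for t, f in recent_archives if 0 <= ev["ts"] - t <= window]
        alerts.append({
            "ts": ev["ts"],
            "child": ev["child"],
            "user": ev["user"],
            # The record says commands run as a non-privileged user, so a
            # service-account match supports rather than excludes the alert.
            "service_account": ev["user"] in MAIL_SERVICE_USERS,
            "archive_context": context[-1] if context else None,
            "severity": "high" if context else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_spawns(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this yields two alerts: the `sh` spawn six seconds after `invoice.zip` was processed (high), and the `perl` spawn with no archive in the window (medium). The `unzip` child is expected pipeline behaviour and is not flagged; the `bash` under `sshd` is an admin session, not mail processing. Correlation here is by time only because process events rarely carry a message id; if your telemetry does, key the archive context on it instead of the window.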

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck             6.1     MEDIUM
cisa                  6.1     MEDIUM