State-Sponsored Hackers Exploit Vulnerability in Libraesva Email Security Gateway

Libraesva, an Italian email security firm, has recently addressed a significant security flaw in its Email Security Gateway (ESG) software. This vulnerability, identified as CVE-2025-59689 with a CVSS score of 6.1, has been actively exploited by state-sponsored cyber actors.

The flaw is a command injection vulnerability triggered when the ESG processes a malicious email carrying a specially crafted compressed attachment. It allows an attacker to execute arbitrary commands on the appliance with the privileges of a non-privileged user. The root cause is inadequate sanitization during the removal of active code from files within certain compressed archive formats.

In a potential attack scenario, an adversary could send an email with a malicious compressed archive. Upon processing this email, the ESG’s improper sanitization could be exploited, enabling the execution of arbitrary shell commands.

Affected versions are Libraesva ESG 4.5 through 5.5.x prior to 5.5.7. Fixes are available in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. Users running versions below 5.0 are advised to manually upgrade to a supported release, as those branches have reached end-of-support and receive no patch.
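To turn the version ranges above into something an administrator can run against an inventory, here is an added example (not Libraesva's code) that classifies an ESG version string against the affected range and per-branch fixed releases stated in this advisory; the status labels and the rule that end-of-support branches should move to 5.5.7 are assumptions of the example.

```python
# Added example (not Libraesva's code): classify a Libraesva ESG version
# against the CVE-2025-59689 ranges stated in the advisory summary.
from typing import Optional, Tuple

# Fixed release per supported branch, as listed in the advisory.
FIXED_BY_BRANCH = {
    (5, 0): (5, 0, 31),
    (5, 1): (5, 1, 20),
    (5, 2): (5, 2, 31),
    (5, 3): (5, 3, 16),
    (5, 4): (5, 4, 8),
    (5, 5): (5, 5, 7),
}
FIRST_AFFECTED = (4, 5)       # affected range starts at 4.5
LATEST_SUPPORTED = (5, 5, 7)  # assumption: EOL branches (< 5.0) move here

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.5.3' or '4.5' into a comparable tuple of ints."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_version); status is one of
    'outside_stated_range', 'eol_vulnerable', 'vulnerable', 'patched'."""
    v = parse_version(version)
    branch = v[:2]
    if branch < FIRST_AFFECTED:
        return "outside_stated_range", None   # advisory starts at 4.5
    if v[0] < 5:
        # 4.5 through 4.x: in the affected range but end-of-support,
        # so no patch exists; upgrade to a supported release.
        return "eol_vulnerable", ".".join(map(str, LATEST_SUPPORTED))
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "outside_stated_range", None   # newer than 5.5.x
    if v >= fixed:
        return "patched", None
    return "vulnerable", ".".join(map(str, fixed))

if __name__ == "__main__":
    for sample in ["4.2", "4.6.1", "5.3.15", "5.3.16", "5.5.3", "5.5.7"]:
        print(sample, assess(sample))
```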

Libraesva has confirmed at least one incident in which this vulnerability was exploited by a threat actor believed to be associated with a foreign hostile state. Specific details about the nature of the attack and the identity of the perpetrators have not been disclosed. The company emphasized the precision of the attack, noting that it targeted a single appliance, which underscores the importance of swift and comprehensive patch deployment. Remarkably, Libraesva developed and deployed a fix within 17 hours of detecting the abuse.

Given the active exploitation of this vulnerability, it is imperative for all ESG users to update their systems to the latest version promptly to mitigate potential threats.