Libraesva has released an urgent security advisory addressing a command injection vulnerability (CVE-2025-59689) in its Email Security Gateway (ESG). The flaw, which affects versions starting from 4.5, can be exploited by sending a specially crafted compressed email attachment.
According to the advisory, “Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious e-mail containing a specially crafted compressed attachment, allowing potential execution of arbitrary commands as a non-privileged user.”
The root cause lies in improper sanitization during the removal of active code from files within certain compressed archive formats. Attackers can exploit this sanitization bypass to inject malicious commands.
The advisory explains, “within the archive, the payload files are constructed to manipulate the application’s sanitization logic, exploiting an improper sanitization of input parameters.”
If successful, attackers gain the ability to run arbitrary shell commands under a non-privileged account, which can still be leveraged for persistence, lateral movement, or further privilege escalation.
While Libraesva’s telemetry shows most customers were rapidly updated, the company confirmed that this flaw has already been abused:
“One confirmed incident of abuse has been identified. The threat actor is believed to be a foreign hostile state entity.”
The attack was notably precise, with researchers noting it was aimed at a single appliance, suggesting targeted espionage rather than widespread financial crime campaigns.
The following versions were impacted:
- 5.0 → fixed in 5.0.31
- 5.1 → fixed in 5.1.20
- 5.2 → fixed in 5.2.31
- 5.4 → fixed in 5.4.8
- 5.5 → fixed in 5.5.7
“Versions below 5.0 are EOS and must be manually upgraded.”
Libraesva cloud customers are fully protected as “all appliances in Libraesva cloud have been upgraded to the latest version containing the fix.” On-premise customers running ESG 5.x appliances have also received automated updates. However, users of 4.x appliances must manually migrate to supported versions.
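For administrators auditing an inventory of on-premise appliances against this advisory, the following added example (not Libraesva's code) encodes the branch/fix table and affected range quoted above and classifies a version string as not-affected, patched, vulnerable, or not listed; the sample version strings at the bottom are constructed, not real appliance data.

```python
"""Classify a Libraesva ESG version against the CVE-2025-59689 advisory table."""
from typing import Tuple

# Fixed release per 5.x branch, as listed in the advisory.
FIXED_IN = {
    (5, 0): (5, 0, 31),
    (5, 1): (5, 1, 20),
    (5, 2): (5, 2, 31),
    (5, 4): (5, 4, 8),
    (5, 5): (5, 5, 7),
}
FIRST_AFFECTED = (4, 5)  # advisory: affected from 4.5 onwards


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.2.31' -> (5, 2, 31); a missing patch component is treated as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ESG version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums if len(nums) == 3 else nums + (0,)


def assess(text: str) -> Tuple[str, str]:
    """Return (status, advice) for one appliance version.

    status is one of: 'not-affected', 'patched', 'vulnerable', 'unknown'.
    """
    v = parse_version(text)
    branch = v[:2]
    if branch < FIRST_AFFECTED:
        return "not-affected", "below 4.5, outside the affected range, but EOS: plan a migration"
    if v[0] == 4:
        return "vulnerable", "4.x is EOS and receives no fix: migrate manually to a fixed 5.x release"
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return "unknown", f"branch {branch[0]}.{branch[1]} is not in the advisory table; confirm with the vendor"
    fixed_str = ".".join(map(str, fixed))
    if v >= fixed:
        return "patched", f"at or above {fixed_str}"
    return "vulnerable", f"upgrade to {fixed_str} or later"


if __name__ == "__main__":
    # Constructed inventory for illustration; not real appliance data.
    for ver in ["4.3.2", "4.6.1", "5.0.30", "5.0.31", "5.3.4", "5.5.7"]:
        print(ver, *assess(ver))
```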