
Libraesva ESG Vulnerability Allows Attackers to Execute Malicious Commands

A critical command injection vulnerability in Libraesva ESG email security gateways has been discovered, allowing attackers to execute arbitrary commands through specially crafted compressed email attachments.

The vulnerability, designated CVE-2025-59689, affects versions starting from 4.5 and has already been exploited by what appears to be a foreign state actor.


Technical Overview of the Security Flaw

The vulnerability stems from improper sanitization during the removal of active code from files contained in compressed archive formats.

When processing certain types of compressed attachments, the Libraesva ESG system fails to properly validate input parameters, creating an opportunity for command injection attacks.

| CVE Number | Affected Product | Impact | CVSS 3.1 Score |
|---|---|---|---|
| CVE-2025-59689 | Libraesva ESG 4.5+ | Command injection, arbitrary code execution | Not specified |


Attackers can exploit this flaw by sending emails containing specially crafted compressed archives. The payload files within these archives are constructed to manipulate the application’s sanitization logic, effectively bypassing security controls.

Once the sanitization bypass is achieved, threat actors can execute arbitrary shell commands under a non-privileged user account on the affected system.

The vulnerability specifically targets the email scanning engine’s archive processing functionality.

When the system attempts to scan compressed attachments for malicious content, the improper handling of certain archive formats allows embedded commands to escape the security sandbox and execute on the underlying system.

Libraesva has released emergency patches across multiple product versions.

ESG 5.0 users should upgrade to version 5.0.31, while ESG 5.1 requires version 5.1.20. ESG 5.2 customers need version 5.2.31, ESG 5.3 requires 5.3.16, ESG 5.4 needs 5.4.8, and ESG 5.5 requires version 5.5.7.

The company implemented an automated patch deployment system that pushed fixes to all ESG 5.x installations within 17 hours of discovery.

Cloud customers received automatic updates with no action required, while on-premise installations with version 5.x also received automatic patches through the update channel.

Libraesva’s rapid response included deploying a comprehensive patch containing the core sanitization fix, automated scanning for indicators of compromise, and a self-assessment module to verify patch integrity and detect residual threats.

The company confirmed one incident of active exploitation, attributed to a foreign hostile state entity.

Customers running legacy 4.x versions, which are now end-of-support, must manually upgrade to version 5.x to receive protection.
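As an added example (not Libraesva's own tooling), the following Python checker turns the fixed-release list above into a patch-status lookup for a fleet of ESG appliances; the inventory lines are constructed, and the version mapping is taken only from the figures in this article.

```python
"""Patch-status triage for CVE-2025-59689 (Libraesva ESG).

Added example, not vendor code. Fixed builds per the advisory summary:
5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, 5.5.7; 4.x (from 4.5) is affected
and end-of-support, so it must be upgraded to a patched 5.x release.
"""
from __future__ import annotations

# Release line (major, minor) -> first build containing the sanitization fix.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (5, 0): (5, 0, 31),
    (5, 1): (5, 1, 20),
    (5, 2): (5, 2, 31),
    (5, 3): (5, 3, 16),
    (5, 4): (5, 4, 8),
    (5, 5): (5, 5, 7),
}
VULNERABLE_FROM = (4, 5)  # the advisory says versions from 4.5 onward are affected


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.2.31' into (5, 2, 31); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one appliance version against the fix list."""
    v = parse_version(version)
    if v[:2] < VULNERABLE_FROM:
        return "not affected"
    if v[0] == 4:
        return "vulnerable: 4.x is end-of-support, upgrade to a patched 5.x release"
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return "unknown release line: consult the vendor advisory"
    if v >= fixed:  # tuple comparison handles '5.2.31' vs '5.2.4' correctly
        return "patched"
    return "vulnerable: upgrade to " + ".".join(map(str, fixed))


def triage(inventory: str) -> dict[str, str]:
    """Map 'hostname version' lines (constructed inventory) to a status each."""
    result: dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, version = line.split()
        result[host] = assess(version)
    return result


if __name__ == "__main__":
    SAMPLE = "# constructed sample inventory\nmx1 5.2.31\nmx2 5.4.7\nmx3 4.9.1\n"
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```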

The precision of the attack and its focus on a single appliance suggest that sophisticated threat actors specifically targeted this vulnerability for strategic purposes.
