Libraesva ESG issues emergency fix for bug exploited by state hackers

Libraesva rolled out an emergency update for its Email Security Gateway (ESG) solution to fix a vulnerability exploited by threat actors believed to be state sponsored. The email security product protects email systems from phishing, malware, spam, business email compromise, and spoofing, using a multi-layer protection architecture. According to the vendor, Libraesva ESG is used by thousands of small and medium businesses as well as large enterprises worldwide, serving over 200,000 users. The security issue, tracked under CVE-2025-59689, received a medium-severity score. It is triggered by sending a maliciously crafted email attachment and allows executing arbitrary shell commands from a non-privileged user account. “Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious e-mail containing a specially crafted compressed attachment, allowing potential execution of arbitrary commands as a non-privileged user,” reads the security bulletin. “This occurs due to an improper sanitization during the removal of active code from files contained in some compressed archive formats,” Libraesva explains. According to the vendor, there has been at least one confirmed incident of an attacker "believed to be a foreign hostile state entity" leveraging the flaw in attacks. CVE-2025-59689 impacts all versions of Libraesva ESG from 4.5 and later, but fixes are available in the following: 5.0.31 5.1.20 5.2.31 5.3.16 5.4.8 5.5.7 Customers using versions below 5.0 must upgrade manually to a supported release, as they have reached end-of-life and will not be receiving a patch for CVE-2025-59689. Libraesva says that the patch was released as an emergency update 17 hours after discovering the exploitation. The fix was deployed automatically to both cloud and on-premise deployments. The patch includes a sanitization fix to address the root cause of the flaw, an automated scan for indicators of compromise to determine if the environment has already been breached, and a self-assessment module that verifies the correct application of the security update. The vendor also commented on the attack, saying that the threat actor focusing on a single appliance indicates precision, highlighting the importance of quick remediation action.