🔴 CVE-2025-59689

Critical command injection vulnerability in Libraesva Email Security Gateway allowing remote code execution via malicious compressed email attachments. This vulnerability is actively exploited in the wild and affects internet-facing email security appliances.

Risk Level: HIGH_RISK

CVSS Score: 6.1

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-09-19

Added to CISA KEV: 2025-09-29 (10 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2025-09-29)

CVE-2025-59689 is a critical command injection vulnerability affecting Libraesva Email Security Gateway (ESG) versions 4.5 through 5.5.x before 5.5.7 [5][3]. Here's what is known about its exploitation:

  • Internet-facing applications or services: The vulnerability affects internet-facing applications as it is triggered via email, a common internet service [1].
  • Active exploitation: It has been actively exploited in the wild [1][2].
  • Attack vectors and exploitation methods: Attackers can execute arbitrary commands by sending a specially crafted malicious email with a compressed attachment [1]. The vulnerability is caused by improper sanitization when removing active code from files inside certain compressed archive formats [6][3].
  • Targeted attacks: There are indications that state-sponsored threat actors have exploited this vulnerability [4][3].
  • CISA Known Exploited Vulnerabilities status: CISA has added this CVE to its Known Exploited Vulnerabilities Catalog [2].
  • Technical details about internet exploitability: The vulnerability is triggered via email [1].

Sources

  1. Hackers Exploiting Libraesva Email Security Gateway Vulnerability to ...

    The flaw, identified as CVE-2025-59689, allowed attackers to execute arbitrary commands by sending a malicious email with a specially crafted compressed attachment. The company responded by deploying an automated fix to customers within 17 hours of discovering the active exploitation.

  2. CISA Adds Three Known Exploited Vulnerabilities to Catalog

    CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-38352…

  3. Libraesva ESG Vulnerability Let Attackers Inject Malicious Commands

    The vulnerability, tracked as CVE-2025-59689, affects multiple versions of the popular email security platform and has already been exploited by what security researchers believe to be a foreign state-sponsored threat actor. The vulnerability stems from improper input sanitization during the removal…

  4. Week in review: Cisco ASA zero-day vulnerabilities exploited, Fortra...

    Kali Linux 2025.3 brings improved virtual machine tooling, 10 new tools OffSec has released Kali Linux 2025.3, the most up-to-date version of its popular penetration testing and digital forensics platform. Libraesva ESG zero-day vulnerability exploited by attackers (CVE-2025-59689) Suspected state-s…

  5. command injection vulnerability (CVE-2025-59689)

    Description. Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious e-mail containing a specially ...