Flaw in Libraesva Email Security Gateway exploited by State-Sponsored attackers
Take action: If you're running Libraesva Email Security Gateway, check your version immediately. If you're on version 5.x you should already have been auto-patched, but if you're on version 4.x you must manually upgrade to version 5.x right away, since this vulnerability is already being actively exploited. Don't wait: a hostile foreign state actor has already used this flaw to compromise an appliance through a malicious compressed email attachment.
Libraesva has patched a command injection vulnerability in its Email Security Gateway (ESG) platform that allows attackers to execute arbitrary commands on affected systems through specially crafted compressed email attachments. The flaw is already being actively exploited: the one confirmed incident was attributed to a foreign hostile state entity and targeted a single appliance.
The flaw is tracked as CVE-2025-59689 (CVSS score 6.1) and is caused by improper sanitization during the removal of active code from files contained within certain compressed archive formats. When the ESG processes an email carrying such a crafted attachment, the input it passes to its active-code removal routine is not properly validated, and that sanitization gap is what permits command injection.
It affects all versions of Libraesva ESG from 4.5 onward, up to the patched releases. Libraesva ESG serves more than 200,000 users worldwide.
The company released emergency patches for multiple product branches: ESG 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. These patches were deployed automatically to all ESG 5.x installations through the platform's automated update channel.
Cloud customers received the update immediately after patch deployment. On-premise appliances running version 5.x were also upgraded automatically, with each deployment confirmed via telemetry. Organizations still running version 4.x will not receive patches, since those releases have reached end of support; they must manually upgrade to version 5.x.
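A quick way to turn the patch list above into a check, as an added example (this is not Libraesva's code or tooling): the function below takes the version string shown on an appliance, assumed here to be in the `major.minor.patch` form used in the advisory, and reports whether it is at or above the fixed release for its 5.x branch, still on the end-of-support 4.x line, or outside the range the advisory covers. The version strings fed to it at the bottom are constructed samples.

```python
"""Classify a Libraesva ESG version against the CVE-2025-59689 patch list.

Added example, not vendor code. Assumes versions are 'major.minor.patch'.
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (5, 0): (5, 0, 31),
    (5, 1): (5, 1, 20),
    (5, 2): (5, 2, 31),
    (5, 3): (5, 3, 16),
    (5, 4): (5, 4, 8),
    (5, 5): (5, 5, 7),
}

# The advisory says all releases from 4.5 onward are affected.
FIRST_AFFECTED: Version = (4, 5, 0)

# Outcome strings returned by assess().
PATCHED = "patched"
VULNERABLE = "vulnerable: apply the branch patch"
EOL = "vulnerable: 4.x is end of support, upgrade to 5.x"
UNAFFECTED = "outside the affected range named in the advisory"
UNKNOWN = "unknown branch: check the vendor advisory"


def parse_version(text: str) -> Version:
    """Turn '5.4.8' into (5, 4, 8); reject anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ESG version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version_text: str) -> str:
    """Classify an ESG version. Tuple comparison gives correct numeric ordering
    (so 5.4.10 > 5.4.8, which a string compare would get wrong)."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return UNAFFECTED
    if v[0] == 4:
        # No 4.x patch exists; the only fix is a manual upgrade to 5.x.
        return EOL
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # A branch the advisory does not list; do not guess either way.
        return UNKNOWN
    return PATCHED if v >= fixed else VULNERABLE


if __name__ == "__main__":
    # Constructed sample versions, not real inventory data.
    for sample in ("4.4.9", "4.6.2", "5.0.30", "5.0.31", "5.4.7", "5.4.10", "5.6.0"):
        print(f"{sample:>8}  {assess(sample)}")
```

Run it against the version string from each appliance's admin interface; anything reported as `vulnerable` on a 5.x branch that is not already auto-updated, or anything on 4.x, needs immediate action.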