
Libraesva ESG zero-day vulnerability exploited by attackers (CVE-2025-59689) - Help Net Security

Help Net Security (archived Jun 30, 2026)



Zeljka Zorz, Editor-in-Chief, Help Net Security
September 24, 2025

Suspected state-sponsored attackers have exploited a zero-day vulnerability (CVE-2025-59689) in the Libraesva Email Security Gateway (ESG), the Italian email security company has confirmed.

About CVE-2025-59689

CVE-2025-59689 is a command injection vulnerability caused by improper sanitization when removing active code from files inside certain compressed archive formats. It can be triggered by emails containing a specially crafted compressed attachment.

“Within the archive, the payload files are constructed to manipulate the application’s sanitization logic, exploiting an improper sanitization of input parameters,” Libraesva explained. “Once the sanitization bypass is achieved, the attacker can execute arbitrary shell commands under a non‑privileged user account.”

CVE-2025-59689 affects versions of Libraesva ESG from version 4.5 up to and including version 5.5.

Fixes have been rolled out

The company has released fixes for the 5.x branches through the automatic updates channel. Whether they are cloud or on-premise appliances, all deployments running one of those branches have been upgraded to a version containing the fix:

- 5.0.31
- 5.1.20
- 5.2.31
- 5.3.16
- 5.4.8, or
- 5.5.7

On-premise customers with 4.x versions must manually upgrade to a fixed 5.x version, as the former are no longer supported.

The patch includes a fix for the flaw, triggers an automated scan for indicators of compromise, and adds a module that runs on all affected appliances “to verify patch integrity and detect residual threats.”

“The single‑appliance focus underscores the precision of the threat actor (believed to be a foreign hostile state) and highlights the importance of rapid, comprehensive patch deployment,” the firm noted.
Whether Libraesva was notified of the compromise or was able to detect it itself is currently unclear. We’ve reached out to Libraesva to find out more about the targeted organization and the attack, and we’ll update this article if we hear back from them.

UPDATE (September 25, 2025, 05:10 a.m. ET):

“This attack is a national security matter, so as you would expect, we’re not in a position to share details about the particular organization that detected the intrusion. Libraesva immediately released a security update, and our forensic teams are now painstakingly analyzing every detail of the attack to understand the exact steps the threat actor took. We’re still learning from this, and if there’s more we can share down the line, we will,” a Libraesva spokesperson told Help Net Security.

“Based on what we’ve seen so far—the tactics, techniques, and procedures (TTPs)—we’re confident this was the work of a foreign hostile state actor. While we can’t share the specifics, the patterns match what we’ve come to expect from these kinds of state-sponsored operations,” they added.

“The good news is that thanks to the tools and processes we have in place, we were able to react incredibly fast. Our telemetry gave us real-time visibility, our emergency update infrastructure let us deploy fixes almost instantly, and our security update pipeline ensured those fixes were both effective and reliable. Because of that, we were able to quickly confirm that no other appliances showed signs of compromise.”
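As an added example that is not part of the article or of Libraesva's own tooling, the following helper applies the affected range (4.5 through 5.5) and the fixed versions quoted above to an inventory of ESG version strings, so an administrator can see which appliances are still exposed and which need a manual 4.x-to-5.x upgrade. The inventory names and values, the status labels, and the assumption that ESG versions are dotted numerals like "5.3.12" are constructed for illustration.

```python
"""Triage Libraesva ESG versions against the CVE-2025-59689 advisory data
quoted in the article: affected 4.5 .. 5.5 inclusive; fixed 5.0.31, 5.1.20,
5.2.31, 5.3.16, 5.4.8 and 5.5.7. Assumes dotted numeric version strings."""
from __future__ import annotations
import re

# Fixed patch level per 5.x branch, as listed in the article.
FIXED_PATCH = {(5, 0): 31, (5, 1): 20, (5, 2): 31, (5, 3): 16, (5, 4): 8, (5, 5): 7}
AFFECTED_MIN = (4, 5)   # first affected branch
AFFECTED_MAX = (5, 5)   # last affected branch (inclusive)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch); a missing patch component counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ESG version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(text: str) -> str:
    """Return 'not_affected', 'patched', 'vulnerable_update_pending'
    or 'vulnerable_manual_upgrade' (labels constructed for this example)."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if not (AFFECTED_MIN <= branch <= AFFECTED_MAX):
        return "not_affected"               # outside the advisory's 4.5 .. 5.5 range
    if major == 4:
        return "vulnerable_manual_upgrade"  # 4.x is unsupported; no automatic fix
    if patch >= FIXED_PATCH[branch]:
        return "patched"                    # at or above the branch's fixed release
    return "vulnerable_update_pending"      # 5.x below the fixed patch level


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each appliance name to its status for a (constructed) inventory."""
    return {name: classify(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"esg-hq": "5.5.7", "esg-branch": "5.2.30",
              "esg-legacy": "4.9.2", "esg-old": "4.4.1"}
    for name, status in triage(sample).items():
        print(f"{name}: {status}")
```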