Libraesva ESG Zero-Day Exploited in Active Attacks (CVE-2025-59689)
▼ Summary
– Suspected state-sponsored attackers exploited a zero-day vulnerability (CVE-2025-59689) in the Libraesva Email Security Gateway.
– The vulnerability is a command injection flaw triggered by emails containing a specially crafted compressed attachment.
– This flaw affects Libraesva ESG versions from 4.5 up to and including version 5.5.
– Libraesva has released automatic fixes for the 5.x branch, while 4.x on-premise customers must manually upgrade.
– The company attributes the attack to a foreign hostile state actor based on the tactics, techniques, and procedures used.
A critical security flaw in the Libraesva Email Security Gateway, identified as CVE-2025-59689, is currently being exploited in active attacks believed to originate from a state-sponsored threat actor. This zero-day vulnerability allows attackers to execute arbitrary commands on affected systems. The Italian cybersecurity firm has confirmed the exploitation and has already rolled out automatic patches to address the issue for supported versions of its software.
The vulnerability itself is a command injection flaw. It arises from inadequate sanitization of input when the system processes files contained within specific compressed archives. An attacker can exploit this weakness by sending a carefully crafted email that includes a malicious compressed attachment. The payload within the archive is designed to bypass the application’s security checks, ultimately granting the attacker the ability to run shell commands with the permissions of a non-privileged user account.
This security gap impacts a significant range of Libraesva ESG deployments. All versions starting from 4.5 up to and including version 5.5 are vulnerable to this exploit. The company has acted swiftly to mitigate the threat for customers on the 5.x branch, pushing fixes automatically. These updates have upgraded affected appliances to the following patched versions: 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, or 5.5.7. This applies to both cloud and on-premise installations.
For organizations still operating on the older 4.x versions, the situation requires immediate manual intervention. Since these versions are no longer under active support, customers must manually upgrade to a fixed 5.x release to secure their systems. The deployed patch not only closes the security hole but also initiates an automated scan across appliances to hunt for any indicators that a compromise may have already occurred. An additional module runs to verify the integrity of the patch itself and to detect any lingering threats.
Libraesva has characterized the attack as highly precise, suggesting the involvement of a sophisticated actor. The company stated, “The single-appliance focus underscores the precision of the threat actor (believed to be a foreign hostile state) and highlights the importance of rapid, comprehensive patch deployment.” The initial details about which organization was targeted and how the compromise was discovered remain unclear.
In a subsequent update, a Libraesva spokesperson provided further context, noting the incident is considered a matter of national security, which limits the disclosure of specific details about the targeted entity. The spokesperson confirmed that based on the tactics, techniques, and procedures observed, the evidence strongly points to a foreign hostile state actor. They emphasized that the company’s existing security infrastructure, including real-time telemetry and an efficient update mechanism, enabled an extremely rapid response. This swift action allowed them to confirm that no other appliances showed signs of being compromised beyond the initial target. Forensic analysis of the attack is ongoing to fully understand the adversary’s methods.
(Source: HelpNet Security)