Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors.
The vulnerability, tracked as CVE-2025-59689, carries a CVSS score of 6.1, indicating medium severity.
“Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious email containing a specially crafted compressed attachment, allowing potential execution of arbitrary commands as a non-privileged user,” Libraesva said in an advisory.
“This occurs due to an improper sanitization during the removal of active code from files contained in some compressed archive formats.”
In a hypothetical attack scenario, an attacker could exploit the flaw by sending an email containing a specially crafted compressed archive, allowing a threat actor to leverage the application’s improper sanitization logic to ultimately execute arbitrary shell commands.
The shortcoming affects Libraesva ESG versions 4.5 through 5.5.x before 5.5.7, with fixes released in 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. Libraesva noted in the alert that versions below 5.0 have reached end-of-support and must be manually upgraded to a supported release.
The Italian email security company also acknowledged that it has identified one confirmed incident of abuse, and that the threat actor is “believed to be a foreign hostile state entity.” It did not share any further details on the nature of the activity, or who may be behind it.
“The single‑appliance focus underscores the precision of the threat actor (believed to be a foreign hostile state) and highlights the importance of rapid, comprehensive patch deployment,” Libraesva said, adding it deployed a fix within 17 hours of flagging the abuse.
In light of active exploitation, it’s essential that users of the ESG software update their instances to the latest version as soon as possible to mitigate potential threats.
