Hackers Exploiting Libraesva Email Security Gateway Vulnerability to Inject Malicious Commands

Libraesva has issued an emergency patch for a significant command injection vulnerability in its Email Security Gateway (ESG) after confirming state-sponsored hackers exploited it.

The flaw, identified as CVE-2025-59689, allowed attackers to execute arbitrary commands by sending a malicious email with a specially crafted compressed attachment. The company responded by deploying an automated fix to customers within 17 hours of discovering the active exploitation.

The vulnerability originates from improper sanitization when the ESG product processes certain compressed archive formats. Attackers could construct a malicious email attachment that, when scanned by the gateway, would bypass security checks and allow the injection of shell commands.

A successful exploit would grant the attacker the ability to execute arbitrary commands on the affected system, albeit as a non-privileged user.

From there, the actor could potentially engage in lateral movement, establish persistence, or attempt to escalate privileges. The flaw impacts all Libraesva ESG versions from 4.5 onwards.

Confirmed State-Sponsored Attack

Libraesva confirmed at least one incident where the vulnerability was actively abused in the wild. The company attributes the attack to a “foreign hostile state entity,” highlighting the sophisticated nature of the threat actor.

According to Libraesva, the targeted nature of the attack, which focused on a single appliance, underscores the precision and strategic intent of the adversary.

This targeted approach suggests the attackers were not conducting a widespread campaign but rather a focused operation against a specific organization.

In response to the exploit, Libraesva took swift action, developing and deploying a patch in just 17 hours. The emergency update was automatically pushed to all cloud-based and on-premise ESG appliances running version 5.x.

The comprehensive patch not only addressed the root sanitization flaw but also included an automated scanner to detect Indicators of Compromise (IoCs) and a self-assessment module to verify the patch’s integrity.

Libraesva has provided the following guidance for its customers:

  • Cloud Customers: All cloud appliances have been automatically updated, and no further action is required.
  • On-Premise 5.x Customers: These appliances should have received the automatic update. Administrators are advised to verify that their system is running a patched version.
  • On-Premise 4.x Customers: Versions below 5.0 are End of Support (EOS) and did not receive the automatic patch. These customers must manually upgrade to a supported 5.x version to protect their systems from this exploited vulnerability.

The fixes are available in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. Given the active exploitation by a nation-state actor, organizations using Libraesva ESG are urged to ensure their appliances are running a patched version immediately.
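The version check called for in the guidance above, as an added example (not Libraesva's tooling and not code from the article): it classifies appliance versions against the fixed releases listed here. The `x.y.z` version-string format, the status labels and the sample hostnames are assumptions; branches the article does not name are reported as unknown rather than guessed.

```python
import re

# Fixed release per 5.x branch, taken from the article's list of patched versions.
FIXED_PATCH = {(5, 0): 31, (5, 1): 20, (5, 2): 31, (5, 3): 16, (5, 4): 8, (5, 5): 7}

def parse_version(text):
    """Parse 'x.y' or 'x.y.z' (assumed format) into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def classify(version_text):
    """Classify one appliance version against CVE-2025-59689 as the article describes it."""
    major, minor, patch = parse_version(version_text)
    if (major, minor) < (4, 5):
        return "eos-not-listed"      # below the affected range, but still End of Support
    if major < 5:
        return "eos-vulnerable"      # 4.5 to 4.x: affected, no automatic patch
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unknown-branch"      # branch not named in the article: check the vendor advisory
    return "patched" if patch >= fixed else "vulnerable"

def triage(inventory):
    """Group hosts by status; unparseable version strings are reported, not dropped."""
    report = {}
    for host, version_text in inventory.items():
        try:
            status = classify(version_text)
        except ValueError:
            status = "unparseable"
        report.setdefault(status, []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = {
    "esg-hq": "5.3.16",
    "esg-branch": "5.3.15",
    "esg-legacy": "4.9.2",
    "esg-lab": "5.5.7",
    "esg-dr": "n/a",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:15} {', '.join(hosts)}")
```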

The post Hackers Exploiting Libraesva Email Security Gateway Vulnerability to Inject Malicious Commands appeared first on Cyber Security News.

rssfeeds-admin
