CVE-2025-59689 — Libraesva Email Security Gateway Command Injection Vulnerability

Libraesva ESG — Nation-State Exploited Command Injection via Compressed Email Attachment

What is Libraesva Email Security Gateway?

Libraesva Email Security Gateway (ESG) is an enterprise email security appliance developed by the Italian company Libraesva. It sits inline on an organization's email path, scanning and filtering all inbound and outbound messages for spam, malware, phishing, and active content before they reach end users. Libraesva ESG is deployed primarily across European enterprise, government, education, and financial sector organizations, with over 200,000 users. Because the ESG processes every email an organization receives — including the most sensitive communications — compromise of the appliance provides a threat actor with a covert, persistent window into the organization's entire email stream.

Overview

CVE-2025-59689 is a command injection vulnerability in Libraesva ESG triggered when the appliance processes emails containing compressed attachments. An attacker sends a specially crafted archive to any address served by a vulnerable ESG; the appliance's automated attachment sanitization routine executes the injected command without any user interaction beyond normal mail delivery. Libraesva patched the vulnerability within 17 hours of confirming the incident — but not before a confirmed exploitation by what Libraesva attributed to a "foreign hostile state actor." The UI:R in the CVSS vector refers to the appliance's automated email processing, not a deliberate user action; the attack is functionally unauthenticated and requires no human click.

Affected Versions

Branch                  Vulnerable      Fixed
ESG 5.5.x               < 5.5.7         5.5.7
ESG 5.4.x               < 5.4.8         5.4.8
ESG 5.2.x               < 5.2.31        5.2.31
ESG 5.1.x               < 5.1.20        5.1.20
ESG 5.0.x               < 5.0.31        5.0.31
ESG 4.5.x and earlier   End of life     Upgrade required

Technical Details

The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command / Command Injection). When the ESG processes emails with compressed attachments, it runs a sanitization routine that strips active content (macros, scripts, executables) from files inside the archive. The routine passes filenames or file content to a shell command without adequately escaping shell metacharacters. An attacker embeds shell metacharacters in filenames or file content within the archive; when the sanitization command processes the archive, the metacharacters break out of the intended command and execute arbitrary OS commands under the account of the sanitization process.

CVSS characteristics:

  • AV:N / PR:N — the attacker simply sends an email; no credentials or prior access required.
  • UI:R — the "required interaction" is the appliance's automated email scanning, not a human action; in practice this is effectively zero-click from the attacker's perspective.
  • S:C (Scope Changed) — the injected command escapes the sanitization process context and affects the broader appliance OS.
  • Impact: C:L/I:L — reflects the non-root process context of the sanitization service; post-exploitation privilege escalation would be required for full appliance control.

Discovery

Discovered by Libraesva's own security team in response to a customer incident. Upon detecting anomalous behavior on a customer's ESG, Libraesva identified the root cause, developed patches across all supported branches, and deployed them within 17 hours — an unusually rapid response. The vulnerability was published on September 19, 2025.

Exploitation Context

Libraesva confirmed a single documented exploitation incident, attributing it to a foreign hostile state actor based on the observed tactics, techniques, and procedures. The targeting of a European organization's email security appliance — rather than endpoint devices — is consistent with intelligence collection objectives: persistent access to an organization's email gateway provides a long-term, passive interception capability that is difficult to detect and survives endpoint security controls. SecurityWeek characterized the attacker as "nation-state hackers exploiting Libraesva."

CISA added CVE-2025-59689 to the KEV catalog on September 29, 2025 with a 21-day deadline, confirming the exploitation assessment.

Remediation

  1. Apply the fixed ESG release for your version branch (see table above). Libraesva released patches across all supported branches simultaneously.
  2. Review ESG system logs from before and around the time of patching for indicators of compromise: unexpected process spawning from the mail sanitization service, outbound connections to unusual external hosts, new scheduled jobs or cron entries, unfamiliar user accounts.
  3. If exploitation cannot be ruled out, treat the appliance as compromised: collect forensic artifacts, isolate the appliance, and restore from a known-good backup or perform a fresh installation.
  4. Restrict ESG management interfaces to trusted internal IP ranges only.
  5. Monitor email attachment processing logs for anomalous archive filenames containing shell special characters ($, `, ;, |, &&, etc.).
  6. Consider supplemental email security controls (additional sandboxing layer) for compressed attachment processing during the window between incident detection and patching.
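Two defensive checks that follow from the Technical Details section and from remediation step 5, as an added illustration rather than Libraesva's own code: the hardened way to hand an archive member name to an external tool (argv list, no shell), and a scan over attachment-processing log lines for member names containing shell metacharacters. The log format, the `sanitizer` tool name and its `--strip-active` flag are assumptions.

```python
import re
import shlex
import subprocess

# Metacharacters listed in remediation step 5, plus a few common ones (assumption).
SHELL_META = re.compile(r"[$`;|&<>(){}\n]")

def unsafe_command(tool: str, member: str) -> str:
    """Pattern to avoid: the member name is spliced into one shell string,
    so any metacharacter in it changes the structure of the command."""
    return f"{tool} --strip-active {member}"

def safe_argv(tool: str, member: str) -> list[str]:
    """Hardened form: the name is a single argv element and no shell is
    involved, so metacharacters reach the tool as literal characters."""
    return [tool, "--strip-active", "--", member]

def run_sanitizer(tool: str, member: str) -> subprocess.CompletedProcess:
    # shell=False is the default; the list form never passes through /bin/sh.
    return subprocess.run(safe_argv(tool, member), capture_output=True, check=False)

def quote_if_shell_unavoidable(member: str) -> str:
    """Fallback only: if a shell string truly cannot be avoided, shlex.quote
    turns the name into one single-quoted literal."""
    return shlex.quote(member)

# Constructed sample log lines in an assumed format:
# "<timestamp> sanitize archive=<archive> member=<member name>"
SAMPLE_LOG = """\
2025-09-18T10:01:02Z sanitize archive=invoice.zip member=invoice.pdf
2025-09-18T10:02:15Z sanitize archive=q3.zip member=report;x.docx
2025-09-18T10:03:40Z sanitize archive=pics.zip member=photo`y`.jpg
2025-09-18T10:04:09Z sanitize archive=ok.zip member=summary-final_v2.xlsx
"""

LINE_RE = re.compile(r"member=(?P<member>.*)$")

def flag_suspicious_members(log_text: str) -> list[str]:
    """Return member names from the log that contain shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and SHELL_META.search(m.group("member")):
            hits.append(m.group("member"))
    return hits

if __name__ == "__main__":
    for name in flag_suspicious_members(SAMPLE_LOG):
        print("suspicious member name:", repr(name), "-> argv:", safe_argv("sanitizer", name))
```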

Key Details

Property               Value
CVE ID                 CVE-2025-59689
Vendor / Product       Libraesva — Email Security Gateway
NVD Published          2025-09-19
NVD Last Modified      2025-11-05
CVSS 3.1 Score         6.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity               MEDIUM
CWE                    CWE-77
CISA KEV Added         2025-09-29
CISA KEV Deadline      2025-10-20
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Changed
Confidentiality        Low
Integrity              Low
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2025-10-20. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-09-19    CVE published; Libraesva releases patches across all supported ESG branches (17-hour discovery-to-patch timeline)
2025-09-24    Confirmed nation-state exploitation reported; Libraesva states a 'foreign hostile state actor' is responsible for the single confirmed incident
2025-09-29    Added to CISA Known Exploited Vulnerabilities catalog
2025-10-20    CISA BOD 22-01 remediation deadline

References

Resource                                          Type
Libraesva Security Advisory — CVE-2025-59689      Vendor Advisory
NVD — CVE-2025-59689                              Vulnerability Database
CISA KEV Catalog Entry                            US Government