
Libraesva ESG Attachment Vulnerability Allows Command Injection

CVE advisory · Known Exploit

CVE-2025-59689

A vulnerability in Libraesva Email Security Gateway allows command injection via compressed email attachments. This could permit unauthorized command execution, potentially leading to data access or service disruption. The risk warrants attention to protect affected organizations.

Halo Surface Signal score: 5

Vulnerability type: Command Injection

Affected product: Libraesva Email Security Gateway

Affected versions:

  • 4.5 to before 5.0.31
  • 5.1.0 to before 5.1.20
  • 5.2.0 to before 5.2.31
  • 5.3.0 to before 5.3.16
  • 5.4.0 to before 5.4.8
  • 5.5.0 to before 5.5.7

External exposure likelihood

Halo Surface Signal score for CVE-2025-59689

The product is an Email Security Gateway, which is an internet-facing appliance designed to receive, process, and inspect inbound traffic from the public internet by default in all standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

Libraesva Email Security Gateway versions 4.5 through 5.5.x are susceptible to a vulnerability that allows for command injection through compressed email attachments. This flaw could enable unauthorized execution of commands on the affected systems. The business impact may include unauthorized access to sensitive data and potential disruption of email security services.

  • Vulnerable email security system
  • Attachment permits command execution
  • Potential data access and service disruption

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to inject commands into a system by sending a specially crafted compressed email attachment. The email security gateway processes the attachment, leading to the execution of unauthorized commands. This could result in unauthorized access to systems, modification of data, or disruption of services. The Libraesva Email Security Gateway is exposed to the network, making it a potential target.

  • An email security gateway is exposed to the network.
  • An attacker sends a compressed email attachment.
  • The gateway processes the attachment, executing commands.

Live Threat

Current exploitation, exposure, and threat context

The Libraesva Email Security Gateway is affected by a command injection vulnerability that could be exploited through a specially crafted email attachment. This vulnerability allows an attacker to execute arbitrary commands on the affected system. Remediation involves applying specific vendor-released patches to affected versions of the software.

  • Low attacker skill level required.
  • No user interaction needed for exploitation.
  • Business risk is moderate; treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The organization's Email Security Gateway is susceptible to command injection through compressed email attachments. This vulnerability could allow attackers to execute arbitrary commands on affected systems, potentially leading to data compromise or system disruption. Addressing this requires a structured approach to identify, contain, and remediate the risk.

  • Identify all instances of the affected product.
  • Restrict email attachment processing.
  • Apply vendor updates and verify remediation.

Frequently asked questions

What is the Libraesva Email Security Gateway?

Libraesva Email Security Gateway (ESG) is a system designed to protect email by inspecting and filtering incoming and outgoing messages. It helps organizations prevent threats like malware and spam and ensures compliance with email policies.

How does CVE-2025-59689 enable command injection?

This vulnerability (CWE-77) allows attackers to inject commands by sending a specially crafted compressed email attachment. Improper sanitization during the removal of active code from files within certain compressed archive formats enables the execution of arbitrary commands.

What is the trigger path for CVE-2025-59689?

Attackers can trigger this vulnerability by sending an email with a specially crafted compressed attachment. The malicious payload within the archive manipulates the application's sanitization logic, bypassing security checks and allowing arbitrary shell commands to be executed as a non-privileged user.

What is the relevance of CVE-2025-59689 according to Halo Surface Signal?

Halo classifies this CVE as external because the Attack Vector is Network (AV:N). Furthermore, the product, an Email Security Gateway, is inherently internet-facing and designed to process inbound traffic from the public internet.

What actions should be taken to respond to CVE-2025-59689?

Organizations should apply vendor-released patches to affected versions of Libraesva ESG. Versions 4.x require a manual upgrade to a supported 5.x version. For 5.x versions, specific patches are available (e.g., 5.0.31, 5.1.20, 5.2.31, 5.4.8, 5.5.7). Tightening policies for compressed file handling and monitoring ESG logs for unusual activity are also recommended.
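The affected-version list above and the remediation answer both come down to one question for an operator: is the build running on each gateway inside one of the vulnerable ranges, and if so, which release closes it? The script below is an added example written for this page, not tooling from Libraesva or from the Halo Surface Signal service. The range table is copied from this advisory's affected-versions list; the hostnames and versions in the sample inventory, and the function names, are constructed for the demonstration. It treats each range as "first affected, inclusive" to "first fixed, exclusive", and follows the advisory's note that 4.x installs need a manual upgrade to a supported 5.x branch rather than a point release.

```python
"""Triage Libraesva ESG version strings against the CVE-2025-59689 affected ranges.

Added example for this advisory page; not Libraesva's or Halo's own tooling.
AFFECTED_RANGES is taken from the advisory's affected-versions list. The
inventory at the bottom is constructed sample data, not real hosts.
"""
from typing import Dict, List, Optional, Tuple

# (first affected, first fixed): a version is affected if
# first_affected <= version < first_fixed. Copied from the advisory.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("4.5", "5.0.31"),
    ("5.1.0", "5.1.20"),
    ("5.2.0", "5.2.31"),
    ("5.3.0", "5.3.16"),
    ("5.4.0", "5.4.8"),
    ("5.5.0", "5.5.7"),
]

# Advisory text: 4.x has no point-release fix, only a manual 5.x upgrade.
MANUAL_UPGRADE_NOTE = "manual upgrade to a supported 5.x branch"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.0.31' into (5, 0, 31). A trailing non-numeric suffix on a
    component (e.g. '31-hotfix') is ignored; a component with no leading
    digits is rejected so a garbled string never silently compares as 0."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def _key(version: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so '4.5' and '4.5.0' compare as equal, not as
    prefix-less-than (Python tuple ordering would otherwise rank (4, 5) below (4, 5, 0))."""
    return version + (0,) * (width - len(version))


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (first_affected, first_fixed) range containing version, or None."""
    v = _key(parse_version(version))
    for lo, hi in AFFECTED_RANGES:
        if _key(parse_version(lo)) <= v < _key(parse_version(hi)):
            return (lo, hi)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def remediation_target(version: str) -> Optional[str]:
    """The release (or upgrade path) that closes the issue for this install,
    or None when the version is not in an affected range."""
    rng = affected_range(version)
    if rng is None:
        return None
    if parse_version(version)[0] < 5:
        return MANUAL_UPGRADE_NOTE
    return rng[1]


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected host in {hostname: version} to its remediation target."""
    result: Dict[str, str] = {}
    for host, ver in inventory.items():
        target = remediation_target(ver)
        if target is not None:
            result[host] = target
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are invented.
    SAMPLE_INVENTORY = {
        "esg-dc1": "5.5.6",   # one build short of the 5.5 fix
        "esg-dc2": "5.5.7",   # already patched
        "esg-lab": "4.9.2",   # 4.x: needs the manual 5.x upgrade
        "esg-eu": "5.3.16",   # first fixed build on the 5.3 branch
    }
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected, remediate to {target}")
```

Run it against a real inventory by replacing the sample dictionary with the output of whatever asset system records the ESG build; anything the script leaves out of the result is either already on a fixed build or outside the listed ranges, and the latter case (an unlisted major or minor) is worth a manual look rather than an assumption of safety.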
