State-backed hackers exploited Libraesva ESG flaw; vendor issues urgent patch

Libraesva, the Italian provider of the Libraesva Email Security Gateway (ESG), said a security flaw in its ESG product has been exploited by state-sponsored threat actors. The vulnerability, tracked as CVE-2025-59689 and assigned a CVSS score of 6.1, enables a command injection under specific conditions, the company said in a security advisory.

According to Libraesva, the flaw is triggered by a malicious email carrying a specially crafted compressed attachment. The bug is in the step that strips active code from files contained in some compressed archive formats: the input to that step is not properly sanitized, so an attacker-supplied archive can make the gateway execute arbitrary commands as a non-privileged user. The attack surface is therefore the gateway's own attachment processing, not the recipient's mail client.
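The advisory describes the bug class, not the code, so the following is an added illustration written for this page and is not Libraesva's implementation. It shows the pattern behind most "command injection via a crafted archive" bugs: a name taken from attacker-controlled data (here an archive member name, a constructed sample) is spliced into a shell command line that invokes the sanitization tool. `printf` stands in for the real active-content stripping tool; the three functions show the vulnerable shell-string form, the argv-list form that makes shell metacharacters inert, and the hardened form that additionally allowlists the name.

```python
import re
import subprocess

# Constructed sample member names; these are not samples from the reported incident.
BENIGN_NAME = "quarterly_report.docx"
MALICIOUS_NAME = "report.docx; echo INJECTED"  # shell metacharacters smuggled into a name

# `printf` stands in for whatever tool strips active content from an extracted file.
# The calling pattern (shell string vs. argv list) is the point, not the tool.


def vulnerable_sanitize(member_name: str) -> str:
    """Vulnerable pattern: the attacker-controlled name is spliced into a shell command line.

    Everything after ';' becomes a second command that the shell runs with the
    privileges of the scanning process.
    """
    cmd = f"printf 'sanitizing %s\\n' {member_name}"
    result = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return result.stdout


def argv_only_sanitize(member_name: str) -> str:
    """Safer: no shell is involved, so the name is a single argv element and ';' is inert."""
    result = subprocess.run(
        ["printf", "sanitizing %s\n", member_name],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Allowlist for names that reach the tool: conservative character set, bounded length,
# no path separators. Names inside an archive are attacker-controlled too, so apply
# the same check to member names, not only to the outer attachment name.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,127}")


def hardened_sanitize(member_name: str) -> str:
    """Hardened: reject names outside the allowlist, then invoke the tool without a shell."""
    if not SAFE_NAME.fullmatch(member_name) or ".." in member_name:
        raise ValueError(f"rejected archive member name: {member_name!r}")
    return argv_only_sanitize(member_name)


if __name__ == "__main__":
    # Second output line proves the injected command ran.
    print(vulnerable_sanitize(MALICIOUS_NAME), end="")
    # The whole name is echoed back as data; nothing extra executes.
    print(argv_only_sanitize(MALICIOUS_NAME), end="")
    try:
        hardened_sanitize(MALICIOUS_NAME)
    except ValueError as exc:
        print(exc)
```

Dropping the shell is what closes the injection; the allowlist is defence in depth against the next tool-specific parsing quirk (option-looking names such as `-r`, path traversal, over-long names) rather than a substitute for it.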

The affected ESG versions are 4.5 through 5.5.x prior to 5.5.7. Each supported 5.x branch has its own fixed release: 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8 and 5.5.7. A gateway on 5.3.x, for example, is fixed at 5.3.16 or later and does not have to jump straight to 5.5.7. Versions below 5.0 are still in the affected range but have reached end-of-support, so they receive no fix and must be manually upgraded to a supported release; details on upgrading are in Libraesva's migration guide.
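Because the fix is per maintenance branch and the 4.x range is affected but unsupported, a simple "is my version newer than X" comparison gives the wrong answer. The following is an added helper for this page, not a Libraesva tool, that encodes the affected range and the branch-specific fixed releases exactly as listed above and tells an operator what to install. The choice of 5.5.7 as the migration target for end-of-support 4.x gateways is this example's assumption (it is the newest fixed release listed); the advisory only says "a supported release".

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per maintenance branch, as listed in the advisory reported above.
FIXED_BY_BRANCH = {
    (5, 0): (5, 0, 31),
    (5, 1): (5, 1, 20),
    (5, 2): (5, 2, 31),
    (5, 3): (5, 3, 16),
    (5, 4): (5, 4, 8),
    (5, 5): (5, 5, 7),
}
AFFECTED_FROM: Version = (4, 5, 0)    # first release in the affected range
SUPPORTED_FROM: Version = (5, 0, 0)   # anything below this is end-of-support


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable 3-tuple; a missing patch level is 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Classify an installed ESG version against CVE-2025-59689.

    Returns (status, release_to_install) where status is one of
    'not_affected', 'fixed', 'affected' or 'end_of_support'.
    """
    v = parse_version(text)
    if v < AFFECTED_FROM:
        return "not_affected", None
    if v < SUPPORTED_FROM:
        # 4.5 through 4.x: affected and unsupported, so no patch for this branch.
        # Assumption: recommend the newest fixed release as the migration target.
        return "end_of_support", fmt(max(FIXED_BY_BRANCH.values()))
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        return ("fixed", None) if v >= fixed else ("affected", fmt(fixed))
    # Newer than 5.5.x: outside the range the advisory lists as affected.
    return "not_affected", None


if __name__ == "__main__":
    for sample in ("4.9", "5.0.30", "5.3.10", "5.5.7"):
        print(sample, "->", assess(sample))
```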

In a brief update, Libraesva said it has identified one confirmed incident of abuse and that the threat actor is believed to be a foreign hostile state entity. The company did not provide further details about the activity, but said a fix was deployed within 17 hours of the abuse being flagged.

With active exploitation confirmed, ESG operators should update to the fixed release for their branch as soon as possible. Because the trigger is an inbound email, restricting network access to the management interface does not reduce exposure; applying the patch is the mitigation. Upgrade guidance is in the migration document and related advisories in Libraesva's security resources, and the CIS Build Kits page lists additional hardening tools.