Command injection flaw in Libraesva ESG exploited by state actors
Summary
Libraesva has released an emergency update for its Email Security Gateway (ESG) to address a command injection vulnerability, CVE-2025-59689. The flaw, which a state-sponsored actor has exploited, allows arbitrary shell command execution via a crafted email attachment. It affects all versions from 4.5 onwards and is patched in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. The fix was released within 17 hours of the exploit being detected. The root cause is improper sanitization while removing active code from files inside some compressed archive formats, which lets an attacker run arbitrary commands in the context of a non-privileged user account. The patch includes the sanitization fix, automated scans for indicators of compromise, and a self-assessment module that verifies the update has been applied. The vulnerability has a CVSS score of 6.1 (medium severity). Libraesva has identified one confirmed incident of abuse by a foreign hostile state entity. Customers on versions below 5.0, which are end-of-life and will not receive a patch for CVE-2025-59689, must upgrade manually to a supported release.
Timeline
- 23.09.2025 20:51 (2 articles)
Libraesva ESG command injection flaw exploited by state actors
The vulnerability has a CVSS score of 6.1, indicating medium severity. The flaw affects Libraesva ESG versions 4.5 through 5.5.x before 5.5.7. Libraesva has identified one confirmed incident of abuse by a foreign hostile state entity.
Sources:
- Libraesva ESG issues emergency fix for bug exploited by state hackers — www.bleepingcomputer.com — 23.09.2025 20:51
- State-Sponsored Hackers Exploiting Libraesva Email Security Gateway Vulnerability — thehackernews.com — 24.09.2025 09:24
Information Snippets
- Libraesva ESG is used by thousands of small and medium businesses and large enterprises worldwide, serving over 200,000 users.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles: www.bleepingcomputer.com, thehackernews.com)
- The vulnerability, CVE-2025-59689, is triggered by sending a maliciously crafted email attachment and allows executing arbitrary shell commands from a non-privileged user account.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles: www.bleepingcomputer.com, thehackernews.com)
- The flaw is due to improper sanitization during the removal of active code from files in some compressed archive formats.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles: www.bleepingcomputer.com, thehackernews.com)
- The fix was released within 17 hours of the exploit being detected.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles: www.bleepingcomputer.com, thehackernews.com)
- The patch includes a sanitization fix, automated scans for indicators of compromise, and a self-assessment module.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles: www.bleepingcomputer.com, thehackernews.com)
- The vulnerability impacts all versions of Libraesva ESG from 4.5 and later, with fixes available in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles: www.bleepingcomputer.com, thehackernews.com)
- Customers using versions below 5.0 must upgrade manually to a supported release, as they have reached end-of-life and will not receive a patch for CVE-2025-59689.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles: www.bleepingcomputer.com, thehackernews.com)
- The vulnerability has a CVSS score of 6.1, indicating medium severity.
  First reported: 24.09.2025 09:24 (1 source, 1 article: thehackernews.com)
- The flaw affects Libraesva ESG versions 4.5 through 5.5.x before 5.5.7.
  First reported: 24.09.2025 09:24 (1 source, 1 article: thehackernews.com)
- Libraesva has identified one confirmed incident of abuse by a foreign hostile state entity.
  First reported: 24.09.2025 09:24 (1 source, 1 article: thehackernews.com)
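As an added example (not Libraesva's code, and unrelated to the self-assessment module shipped with the patch), the affected/fixed/end-of-life rules from the snippets above expressed as a small checker: given an installed ESG version string it reports whether that release is patched, still vulnerable, end-of-life, or outside the listed branches. The function and status names are my own; the fixed-version table is taken from the advisory summary.

```python
# Added helper (not Libraesva's code): classify an installed ESG version
# string against the CVE-2025-59689 fix list. Assumes the usual
# major.minor[.patch] version form.

# Fixed releases per branch, as listed in the advisory summary.
FIXED_BY_BRANCH = {
    (5, 0): (5, 0, 31),
    (5, 1): (5, 1, 20),
    (5, 2): (5, 2, 31),
    (5, 3): (5, 3, 16),
    (5, 4): (5, 4, 8),
    (5, 5): (5, 5, 7),
}
FIRST_AFFECTED_BRANCH = (4, 5)   # "all versions from 4.5 onwards"
FIRST_SUPPORTED_BRANCH = (5, 0)  # below 5.0 is end-of-life, no patch


def parse_version(text):
    """Parse 'major.minor' or 'major.minor.patch' into a 3-tuple of ints."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def assess(version):
    """Return one of: not-affected, eol-upgrade-required, unknown-branch,
    vulnerable-update-available, patched."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < FIRST_AFFECTED_BRANCH:
        return "not-affected"            # outside the stated affected range
    if branch < FIRST_SUPPORTED_BRANCH:
        return "eol-upgrade-required"    # 4.5+ is vulnerable but gets no patch
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "unknown-branch"          # not in the advisory; check with vendor
    if (major, minor, patch) >= fixed:
        return "patched"
    return "vulnerable-update-available"


if __name__ == "__main__":
    for v in ("4.9.2", "5.2.30", "5.2.31", "5.5.6", "5.5.7"):
        print(v, "->", assess(v))
```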
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, requiring federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered agencies to permanently disconnect ASA devices that reach end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.
Critical Deserialization RCE Vulnerability in SolarWinds Web Help Desk
SolarWinds has released a third patch to address a critical deserialization vulnerability (CVE-2025-26399) in Web Help Desk 12.8.7 and earlier versions. This flaw allows unauthenticated remote code execution (RCE) on affected systems. The vulnerability was discovered by an anonymous researcher and reported through Trend Micro's Zero Day Initiative (ZDI). The flaw is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original vulnerability was exploited in the wild and added to the Known Exploited Vulnerabilities (KEV) catalog by CISA. SolarWinds advises users to update to version 12.8.7 HF1 to mitigate the risk. SolarWinds Web Help Desk is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance. The vulnerability affects the AjaxProxy component, and the hotfix requires replacing specific JAR files.
Zero-day in Google Chrome exploited in the wild
Google has patched a zero-day vulnerability (CVE-2025-10585) in the Chrome web browser that has been actively exploited in the wild. The vulnerability is a type confusion issue in the V8 JavaScript and WebAssembly engine. The exploit details, actors involved, and the scale of exploitation remain undisclosed. The flaw is the sixth zero-day in Chrome that has been actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. Google has released security updates to address the vulnerability.
Discovery of MalTerminal Malware Leveraging GPT-4 for Ransomware and Reverse Shell
Researchers have identified MalTerminal, a malware that incorporates GPT-4 for generating ransomware code and reverse shells. This marks the earliest known instance of LLM-embedded malware. The malware was presented at the LABScon 2025 security conference. MalTerminal was likely a proof-of-concept or red team tool, never deployed in the wild. It includes Python scripts and a defensive tool called FalconShield. The use of LLMs in malware represents a new challenge for cybersecurity defenses. Additionally, threat actors are using LLMs to bypass email security layers by embedding hidden prompts in phishing emails. This technique deceives AI-powered security scanners, allowing malicious emails to reach users' inboxes. The emails exploit the Follina vulnerability (CVE-2022-30190) to deliver additional malware and disable Microsoft Defender Antivirus. AI-powered site builders are also being exploited to host fake CAPTCHA pages leading to phishing websites, stealing user credentials and sensitive information.