Command Injection Vulnerability in Libraesva ESG Exploited by State Actors
Summary
Libraesva released an emergency patch for a command injection vulnerability in its Email Security Gateway (ESG) solution. The flaw, tracked as CVE-2025-59689, allows arbitrary command execution via a maliciously crafted email attachment. The vulnerability carries a CVSS score of 6.1, indicating medium severity. State-sponsored actors exploited the vulnerability in at least one confirmed incident. The bug affects all versions from 4.5 onwards. Libraesva ESG is used by thousands of businesses and over 200,000 users worldwide. The patch includes a sanitization fix, an automated scan for indicators of compromise, and a self-assessment module. The vendor emphasized the need for quick remediation due to the precision of the attacks.
Timeline
- 23.09.2025 20:51 (2 articles)
  Libraesva ESG command injection vulnerability exploited by state actors
  The vulnerability, CVE-2025-59689, carries a CVSS score of 6.1, indicating medium severity. The flaw is due to improper sanitization during the removal of active code from files in compressed archive formats. The patch includes a sanitization fix, an automated scan for indicators of compromise, and a self-assessment module. The vendor emphasized the need for quick remediation due to the precision of the attacks.
  Sources:
  - Libraesva ESG issues emergency fix for bug exploited by state hackers · www.bleepingcomputer.com · 23.09.2025 20:51
  - State-Sponsored Hackers Exploiting Libraesva Email Security Gateway Vulnerability · thehackernews.com · 24.09.2025 09:24
Information Snippets
- Libraesva ESG is a multi-layer email security solution protecting against phishing, malware, spam, business email compromise, and spoofing.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles)
- The vulnerability, CVE-2025-59689, is triggered by a maliciously crafted email attachment and allows arbitrary shell command execution from a non-privileged user account.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles)
- The flaw is due to improper sanitization during the removal of active code from files in compressed archive formats.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles)
- The vulnerability impacts all versions of Libraesva ESG from 4.5 and later.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles)
- Patches are available in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. Customers using versions below 5.0 must upgrade manually.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles)
- The patch includes a sanitization fix, an automated scan for indicators of compromise, and a self-assessment module.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles)
- The vendor detected the exploitation and released the patch 17 hours later, deploying it automatically to both cloud and on-premises deployments.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles)
- The threat actor focused on a single appliance, indicating a targeted and precise attack.
  First reported: 23.09.2025 20:51 (2 sources, 2 articles)
- The vulnerability, CVE-2025-59689, carries a CVSS score of 6.1, indicating medium severity.
  First reported: 24.09.2025 09:24 (1 source, 1 article)
  - State-Sponsored Hackers Exploiting Libraesva Email Security Gateway Vulnerability · thehackernews.com · 24.09.2025 09:24
Similar Happenings
GeoServer RCE Vulnerability Exploited in Federal Agency Breach
Attackers breached a U.S. federal agency's network in July 2024 by exploiting an unpatched GeoServer instance. The vulnerability (CVE-2024-36401) allowed remote code execution, enabling lateral movement and data exfiltration. The breach remained undetected for three weeks until an Endpoint Detection and Response (EDR) tool flagged suspicious activity. The attackers used web shells, scripts for remote access, and brute force techniques for lateral movement and privilege escalation. The breach highlights the importance of timely patching and continuous monitoring of EDR alerts. CISA has urged organizations to expedite patching critical vulnerabilities and strengthen incident response plans.
Critical Remote Code Execution Vulnerability in SolarWinds Web Help Desk
SolarWinds has released a third hotfix for a critical deserialization vulnerability (CVE-2025-26399) in its Web Help Desk software. The flaw allows unauthenticated remote code execution on affected systems. The vulnerability impacts versions 12.8.7 and earlier. Users are advised to update to version 12.8.7 HF1. The flaw was discovered by an anonymous researcher working with the Trend Micro Zero Day Initiative (ZDI). The vulnerability is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original bug (CVE-2024-28986) was exploited in the wild and added to the Known Exploited Vulnerabilities (KEV) catalog by CISA.
GitHub Strengthens npm Supply Chain Security with 2FA and Short-Lived Tokens
GitHub has announced upcoming changes to its authentication and publishing options in response to recent supply chain attacks targeting the npm ecosystem. These changes aim to mitigate threats posed by token abuse and self-replicating malware. The updates include mandatory two-factor authentication (2FA), short-lived tokens, and trusted publishing via OpenID Connect (OIDC). The Shai-Hulud attack, which injected a self-replicating worm into hundreds of npm packages, highlighted the need for these security enhancements. Additionally, a malicious npm package named fezbox was discovered, which used a QR code-based technique to steal browser credentials. The fezbox package was downloaded at least 327 times before being removed from the npm registry, and it employed advanced obfuscation techniques to evade detection. Recent attacks, including the s1ngularity and GhostAction campaigns, have further underscored the need for these security measures. Ruby Central has also announced tighter governance of the RubyGems package manager to improve supply-chain protections. GitHub has removed over 500 compromised packages and blocked new packages containing Shai-Hulud malware indicators of compromise. The company will gradually roll out changes to strengthen the security posture of npm, including expanding the list of eligible providers for trusted publishing and providing future updates with clear timelines, documentation, migration guides, and support channels for the transition.
Critical deserialization vulnerability in Fortra GoAnywhere MFT
Fortra disclosed a critical deserialization vulnerability in GoAnywhere Managed File Transfer (MFT) software (CVE-2025-10035). This flaw, with a CVSS score of 10.0, allows arbitrary command execution through a forged license response signature. The vulnerability affects systems accessible over the internet and was patched in versions 7.8.4 and 7.6.3. Fortra has not confirmed exploitation in the wild, but similar vulnerabilities in the same product were previously exploited by ransomware actors. Users are advised to update to the patched versions immediately or restrict public access to the GoAnywhere Admin Console. Fortra discovered the vulnerability during a security check on September 11, 2025. The vulnerability was identified in the License Servlet of GoAnywhere MFT. Over 470 GoAnywhere MFT instances are being monitored by the Shadowserver Foundation.
Malware exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428
Two sets of malware have been discovered in an unnamed organization's network following the exploitation of vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities were exploited around May 15, 2025, to gain access to the server running EPMM. This allowed attackers to execute arbitrary code, collect system information, download malicious files, and exfiltrate data. The malware sets included loaders that enabled persistence by injecting and running arbitrary code on the compromised server. The attacks leveraged two vulnerabilities: an authentication bypass (CVE-2025-4427) and a remote code execution flaw (CVE-2025-4428). The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0. The attackers targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests to send malicious remote commands. The malware sets included distinct loaders with the same name, and malicious listeners for injecting and running arbitrary code. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. CISA provided detailed indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect such attacks. CISA recommends patching affected Ivanti EPMM immediately and treating mobile device management (MDM) systems as high-value assets (HVAs).