Cyber Resilience

CVE-2025-59689

MediumCISA KEVActive ExploitationEUVD Exploited

Published: 19 September 2025

Published
19 September 2025
Modified
05 November 2025
KEV Added
29 September 2025
Patch
CVSS Score v3.1 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score 0.0692 91.6th percentile
Risk Priority 36 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59689 is a medium-severity Command Injection (CWE-77) vulnerability in Libraesva Email Security Gateway. Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-44 (Detonation Chambers) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-59689 is a command injection vulnerability (CWE-77) in Libraesva ESG versions 4.5 through 5.5.x prior to 5.5.7. The issue arises from inadequate handling of compressed email attachments, enabling attackers to inject and execute arbitrary commands on the affected system.

A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity by sending a malicious compressed email attachment to a target running a vulnerable ESG instance. Exploitation requires user interaction, such as processing or scanning the attachment, after which the attacker gains low-level confidentiality and integrity impacts with a changed scope, as reflected in the CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Libraesva advisories detail patches for affected branches: version 5.0.31 for ESG 5.0, 5.1.20 for 5.1, 5.2.31 for 5.2, 5.4.8 for 5.4, and 5.5.7 for 5.5. Security teams should apply these updates immediately and review the vendor's knowledgebase advisory at https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/ and security blog at https://www.libraesva.com/security-blog/ for implementation guidance.

The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59689), indicating active real-world exploitation.

EU & UK References

Vulnerability details

Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix…

more

has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5. a fix has been released in 5.5.7.

CWE(s)
KEV Date Added
29 September 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection via malicious email attachment directly enables exploitation of public-facing ESG application (T1190) and arbitrary Unix command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-29635Shared CWE-77both on KEV
CVE-2026-22719Shared CWE-77both on KEV
CVE-2026-4048Shared CWE-77
CVE-2026-31059Shared CWE-77
CVE-2026-22284Shared CWE-77
CVE-2024-39783Shared CWE-77
CVE-2024-57583Shared CWE-77
CVE-2026-46368Shared CWE-77
CVE-2024-39781Shared CWE-77
CVE-2024-39367Shared CWE-77

Affected Assets

libraesva
email security gateway
4.5 — 5.0.31 · 5.1.0 — 5.1.20 · 5.2.0 — 5.2.31

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the command injection vulnerability by requiring timely installation of vendor patches released for affected Libraesva ESG versions.

prevent

Prevents command injection attacks by validating and sanitizing inputs extracted from untrusted compressed email attachments before processing.

preventdetect

Mitigates exploitation by executing suspicious compressed attachments in isolated detonation chambers to identify malicious command injection behaviors without compromising the system.

References