CVE-2025-59689
Published: 19 September 2025
Summary
CVE-2025-59689 is a medium-severity Command Injection (CWE-77) vulnerability in Libraesva Email Security Gateway. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-44 (Detonation Chambers) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the command injection vulnerability by requiring timely installation of vendor patches released for affected Libraesva ESG versions.
Prevents command injection attacks by validating and sanitizing inputs extracted from untrusted compressed email attachments before processing.
Mitigates exploitation by executing suspicious compressed attachments in isolated detonation chambers to identify malicious command injection behaviors without compromising the system.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection via malicious email attachment directly enables exploitation of public-facing ESG application (T1190) and arbitrary Unix command execution (T1059.004).
NVD Description
Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix…
more
has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5. a fix has been released in 5.5.7.
Deeper analysisAI
CVE-2025-59689 is a command injection vulnerability (CWE-77) in Libraesva ESG versions 4.5 through 5.5.x prior to 5.5.7. The issue arises from inadequate handling of compressed email attachments, enabling attackers to inject and execute arbitrary commands on the affected system.
A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity by sending a malicious compressed email attachment to a target running a vulnerable ESG instance. Exploitation requires user interaction, such as processing or scanning the attachment, after which the attacker gains low-level confidentiality and integrity impacts with a changed scope, as reflected in the CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Libraesva advisories detail patches for affected branches: version 5.0.31 for ESG 5.0, 5.1.20 for 5.1, 5.2.31 for 5.2, 5.4.8 for 5.4, and 5.5.7 for 5.5. Security teams should apply these updates immediately and review the vendor's knowledgebase advisory at https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vulnerability-cve-2025-59689/ and security blog at https://www.libraesva.com/security-blog/ for implementation guidance.
The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59689), indicating active real-world exploitation.
Details
- CWE(s)
- KEV Date Added
- 29 September 2025