CVE-2025-59689

CVSS 6.1 MEDIUM | EPSS 1.9% | KEV | CWE-77

In short

Libraesva ESG versions 4.5 through 5.5.6 are vulnerable to command injection when processing compressed email attachments, allowing attackers to execute arbitrary commands on the system.

Technical detail

CWE-77 command injection vulnerability in Libraesva ESG allows remote code execution through maliciously crafted compressed email attachments; exploitation requires sending a specially formatted attachment to the mail server, resulting in arbitrary command execution with the privileges of the ESG process.

Summary generated and translated by AI from the official description.
Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5 a fix has been released in 5.5.7.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
