CVE-2025-59689
Vexday Risk Score: 43 (Attention)
SSVC decision (CISA): Attend
PoC available → attend closely
CVSS: 6.1
EPSS: 1.9%
KEV: yes
PoC: —
Nuclei: —
Metasploit: —
Patch: —
Lifecycle
19 Sep 2025: Published on NVD
29 Sep 2025: Active exploitation (CISA KEV)
Recommendation: Plan a near-term fix — a public PoC already exists.
In short
Libraesva ESG versions 4.5 through 5.5.6 are vulnerable to command injection when processing compressed email attachments, allowing attackers to execute arbitrary commands on the system.
Technical detail
CWE-77 command injection vulnerability in Libraesva ESG allows remote code execution through maliciously crafted compressed email attachments; exploitation requires sending a specially formatted attachment to the mail server, resulting in arbitrary command execution with the privileges of the ESG process.
Summary generated and translated by AI from the official description.
Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5 a fix has been released in 5.5.7.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
Libraesva · Email Security Gateway