Tracked as CVE-2025-59689, the command injection bug could be triggered via malicious emails containing crafted compressed attachments.
September 24, 2025 By Ionut Arghire
Libraesva has addressed a vulnerability in its integrated email security platform that has been exploited in the wild.
Tracked as CVE-2025-59689 (CVSS score of 6.1), the flaw is described as a command injection issue that could lead to the execution of arbitrary commands as a non-privileged user.
According to Libraesva’s advisory, the bug could be exploited via malicious emails containing crafted compressed attachments.
“This occurs due to an improper sanitization during the removal of active code from files contained in some compressed archive formats,” the company explains.
The CVE is triggered with specific archive formats containing payloads that exploit an improper input sanitization bug to execute arbitrary shell commands.
The security defect affects Libraesva ESG versions 4.5 through 5.5, but fixes were released only for ESG 5.x versions, as the 4.x versions have been discontinued.
