Nation state hackers exploit Libraesva ESG command injection bug

Italian cybersecurity firm Libraesva has released a critical security update for its Email Security Gateway (ESG) solution, addressing a command injection vulnerability that has been actively exploited by a state-sponsored threat actor.

The flaw, tracked as CVE-2025-59689, impacts ESG versions 4.5 through 5.5.x, up to but not including 5.5.7. The company confirmed that the issue stems from improper sanitization of active code within compressed email attachments. When exploited, it allows attackers to execute arbitrary shell commands as a non-privileged user.

According to Libraesva’s advisory, the vulnerability can be triggered via a specially crafted compressed archive sent by email, which bypasses ESG's sanitization logic during file inspection.

Libraesva said it has observed one confirmed instance of exploitation, attributing the attack to a foreign hostile state entity. The vendor did not disclose further details regarding the exploitation.

Patches are now available in ESG versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. Users running versions below 5.0 are recommended to manually upgrade, as those releases are no longer supported.
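For triaging an appliance inventory against the version ranges above, the following is an added example and not code from Libraesva or its advisory. The function names, status labels and sample inventory are assumptions made for illustration; only the version numbers come from this article.

```python
import re

# Fixed release per supported branch, as listed in this article.
FIXED = {(5, 0): 31, (5, 1): 20, (5, 2): 31, (5, 3): 16, (5, 4): 8, (5, 5): 7}
FIRST_AFFECTED = (4, 5)    # affected range starts at 4.5
FIRST_SUPPORTED = (5, 0)   # releases below 5.0 are no longer supported


def parse_version(text):
    """Return (major, minor, patch) from e.g. '5.4.7'; a missing patch counts as 0."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(version):
    """Classify one ESG version string against the ranges stated in the article."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < FIRST_AFFECTED or branch not in FIXED and branch >= FIRST_SUPPORTED:
        return "outside-stated-range"      # article says nothing about it
    if branch < FIRST_SUPPORTED:
        return "vulnerable-unsupported"    # no patch for this branch: manual upgrade
    if patch >= FIXED[branch]:
        return "patched"
    return "vulnerable-patch-available"


def needs_action(inventory):
    """Return sorted (host, version, status) for every host that is still exposed."""
    rows = []
    for host, version in inventory.items():
        status = triage(version)
        if status.startswith("vulnerable"):
            rows.append((host, version, status))
    return sorted(rows)


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "esg-edge-01": "5.5.6",
    "esg-edge-02": "5.5.7",
    "esg-legacy": "4.7.2",
    "esg-lab": "5.2.31",
}

if __name__ == "__main__":
    for host, version, status in needs_action(SAMPLE_INVENTORY):
        print(f"{host}\t{version}\t{status}")
```

A version reported without a patch component, such as "5.5", is treated as patch level 0 and therefore flagged.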

