
CVE-2025-59689: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Libraesva Email Security Gateway

Medium
Tags: Vulnerability, CVE-2025-59689, CWE-77
Published: Fri Sep 19 2025 (09/19/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Libraesva
Product: Email Security Gateway

Description

Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5 a fix has been released in 5.5.7.

AI-Powered Analysis

AI Last updated: 09/19/2025, 20:37:51 UTC

Technical Analysis

CVE-2025-59689 is a command injection vulnerability identified in Libraesva Email Security Gateway (ESG) versions 4.5 through 5.5.x prior to 5.5.7. The vulnerability arises from improper neutralization of special elements used in command execution (CWE-77), specifically triggered via a compressed email attachment. An attacker can exploit this flaw by crafting a malicious compressed attachment that, when processed by the vulnerable ESG, allows arbitrary command execution on the underlying system.

The vulnerability does not require authentication (PR:N) but does require user interaction (UI:R), meaning the victim must interact with the malicious email attachment for exploitation to succeed. The attack vector is network-based (AV:N), and the vulnerability affects confidentiality and integrity (C:L/I:L) but not availability (A:N). The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. The CVSS v3.1 base score is 6.1, categorizing it as a medium severity vulnerability. No known exploits are currently reported in the wild.

Fixed versions have been released for multiple branches: 5.0.31 for ESG 5.0, 5.1.20 for ESG 5.1, 5.2.31 for ESG 5.2, 5.4.8 for ESG 5.4, and 5.5.7 for ESG 5.5. The root cause is the failure to properly sanitize or neutralize special characters or command elements embedded within compressed email attachments, which are processed by the ESG, leading to command injection. This vulnerability is critical in environments where Libraesva ESG is used to filter and secure email traffic, as it could allow attackers to execute arbitrary commands, potentially leading to data leakage or compromise of the email security infrastructure.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the security of their email infrastructure. Libraesva ESG is widely used in Europe as a dedicated email security solution, especially by enterprises and government agencies that require robust email filtering and malware protection. Exploitation could lead to unauthorized command execution on the ESG appliance, potentially allowing attackers to access sensitive email data, manipulate email filtering rules, or pivot into the internal network. This could result in confidentiality breaches, integrity violations of email content, and loss of trust in email communications. Given the central role of email in business and government operations, successful exploitation could disrupt communication workflows and expose organizations to further attacks such as phishing or ransomware. The requirement for user interaction (opening or interacting with a malicious compressed attachment) means that targeted spear-phishing campaigns could be an effective attack vector. The medium severity rating suggests moderate urgency; however, the potential for lateral movement and data compromise elevates the risk profile for critical sectors such as finance, healthcare, and public administration in Europe.

Mitigation Recommendations

European organizations should immediately verify the version of Libraesva ESG deployed and prioritize upgrading to the fixed versions: 5.0.31, 5.1.20, 5.2.31, 5.4.8, or 5.5.7 depending on their installed version. In addition to patching, organizations should implement strict email attachment policies, including blocking or sandboxing compressed attachments from untrusted sources. Deploy advanced email threat protection solutions that perform deep content inspection and behavioral analysis to detect anomalous attachment behavior. User awareness training should emphasize the risks of interacting with unexpected or suspicious compressed attachments, especially from unknown senders. Network segmentation should be employed to isolate ESG appliances from other critical infrastructure to limit lateral movement in case of compromise. Monitoring and logging of ESG appliance activity should be enhanced to detect unusual command execution patterns or system anomalies indicative of exploitation attempts. Finally, organizations should consider implementing application whitelisting on ESG appliances to restrict execution of unauthorized commands or scripts.
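The version check above is the first step of the mitigation. The following is an added example (not Libraesva's code or tooling) that assesses an ESG version string against the fixed releases named in this advisory. It assumes plain dotted numeric version strings; affected branches for which the advisory lists no fix (4.x and 5.3.x) are treated as needing a move to a fixed branch, which is this example's interpretation of "4.5 through 5.5.x before 5.5.7".

```python
"""Assess a Libraesva ESG version against the CVE-2025-59689 fixed releases."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Fixed release per branch, exactly as listed in the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 0): (5, 0, 31),
    (5, 1): (5, 1, 20),
    (5, 2): (5, 2, 31),
    (5, 4): (5, 4, 8),
    (5, 5): (5, 5, 7),
}
# Affected range from the advisory: ESG 4.5 through 5.5.x (before 5.5.7).
AFFECTED_MIN_BRANCH = (4, 5)
AFFECTED_MAX_BRANCH = (5, 5)


def parse_version(text: str) -> Version:
    """Parse '5.2.15' -> (5, 2, 15); pad short strings like '5.1' to three parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums


def assess(text: str) -> Dict[str, object]:
    """Return whether the given ESG version is in the affected range and what to do."""
    version = parse_version(text)
    branch = version[:2]
    if branch < AFFECTED_MIN_BRANCH or branch > AFFECTED_MAX_BRANCH:
        return {"version": text, "vulnerable": False, "action": "not in affected range"}
    fix: Optional[Version] = FIXED_BY_BRANCH.get(branch)  # type: ignore[assignment]
    if fix is None:
        # Assumption: the advisory names no fix for this branch, so the only remedy
        # is to move to a fixed branch (5.5.7 or later).
        return {"version": text, "vulnerable": True,
                "action": "no fix listed for this branch; upgrade to 5.5.7 or later"}
    if version >= fix:
        return {"version": text, "vulnerable": False, "action": "already fixed"}
    return {"version": text, "vulnerable": True,
            "action": "upgrade to " + ".".join(str(n) for n in fix)}


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    for v in ["5.2.15", "5.2.31", "5.3.2", "5.5.6", "5.5.7", "4.4.9"]:
        print(assess(v))
```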


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-09-18T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68cdbb9d4b8a032c4fad4197

Added to database: 9/19/2025, 8:22:53 PM

Last enriched: 9/19/2025, 8:37:51 PM

Last updated: 9/19/2025, 11:21:21 PM
