CVE-2025-59689

moderate-risk

Published 2025-09-19

Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. For ESG 5.0 a fix has been released in 5.0.31. For ESG 5.1 a fix has been released in 5.1.20. For ESG 5.2 a fix has been released in 5.2.31. For ESG 5.4 a fix has been released in 5.4.8. For ESG 5.5. a fix has been released in 5.5.7.

Do I need to act?

6.9% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Email Security Gateway

Affected Vendors

Libraesva

References (3)

Vendor Advisory https://docs.libraesva.com/knowledgebase/security-advisory-command-injection-vul...

Vendor Advisory https://www.libraesva.com/security-blog/

US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-...

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 16/34 · Moderate

Exposure 5/34 · Minimal