
Nation-State hackers exploit Libraesva Email Gateway flaw


State-sponsored hackers exploited a vulnerability, tracked as CVE-2025-59689, in Libraesva Email Gateway via malicious attachments.

Nation-state actors exploited a command injection flaw, tracked as CVE-2025-59689, in Libraesva Email Security Gateway.

Libraesva Email Security Gateway is a secure email gateway (SEG) developed by the Italian cybersecurity company Libraesva. It is designed to protect organizations against email-borne threats, including spam and phishing emails, business email compromise (BEC) attempts, malware and ransomware delivered via attachments or links, and advanced persistent threats (APTs) that use email as an entry point.

An attacker could trigger the vulnerability by sending a malicious email containing a specially crafted compressed attachment. The flaw lets attackers run arbitrary commands as a non-privileged user because the gateway does not properly sanitize input while removing active code from files inside certain compressed archive formats.

“Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious e-mail containing a specially crafted compressed attachment, allowing potential execution of arbitrary commands as a non-privileged user,” reads the company’s advisory. “This occurs due to an improper sanitization during the removal of active code from files contained in some compressed archive formats.”

The company identified at least one incident involving the vulnerability and attributes the attack to a nation-state actor.

“One confirmed incident of abuse has been identified. The threat actor is believed to be a foreign hostile state entity,” the company states. “The single‑appliance focus underscores the precision of the threat actor (believed to be a foreign hostile state) and highlights the importance of rapid, comprehensive patch deployment.”

The files inside the archive are constructed to manipulate the appliance’s sanitization logic; once that logic is bypassed, the attacker can execute arbitrary shell commands as a non-privileged user.

The vulnerability impacts versions of Libraesva ESG starting from version 4.5 up to 5.5. However, the company only addressed the issue for ESG 5.x versions because versions 4.x are no longer supported.

“An attacker can exploit this flaw by sending an e‑mail that contains a specially crafted compressed archive. The vulnerability is only triggered with specific archive formats. Within the archive, the payload files are constructed to manipulate the application’s sanitization logic, exploiting an improper sanitization of input parameters,” continues the advisory.

“Once the sanitization bypass is achieved, the attacker can execute arbitrary shell commands under a non‑privileged user account.”
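The bug class the advisory describes, an archive member that passes through sanitization and ends up inside a shell command, is a general command-injection pattern. The Python below is an added, hypothetical illustration and is not Libraesva’s code: the tool name `strip-active-content`, the function names, the allowlist and the sample ZIP are all constructed. It places the vulnerable pattern (splicing an archive member name into a shell string) beside a hardened version that validates member names against a strict allowlist and passes them to the external tool as an argv list with no shell involved.

```python
import io
import re
import subprocess
import zipfile

# Strict allowlist for archive member names: one path component, starting with
# an alphanumeric character, so "..", "/" and option-like "-x" names never pass.
# Names that fail are rejected outright rather than "cleaned" (constructed policy).
SAFE_MEMBER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def build_vulnerable_command(member_name: str) -> str:
    """Vulnerable pattern (hypothetical, not the vendor's code): the attacker-
    controlled member name is spliced into a shell command line. Any shell
    metacharacters in the name become part of the command that runs."""
    return f"strip-active-content {member_name}"  # would be run with shell=True


def is_safe_member_name(member_name: str) -> bool:
    """True only for names matching the allowlist; everything else is rejected."""
    return bool(SAFE_MEMBER.match(member_name))


def build_safe_argv(member_name: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list. The name is a
    single argument after '--' so the tool cannot parse it as an option, and
    no shell ever sees it."""
    if not is_safe_member_name(member_name):
        raise ValueError(f"rejected archive member name: {member_name!r}")
    return ["strip-active-content", "--", member_name]


def sanitize_archive(archive_bytes: bytes, run=None) -> dict:
    """Walk a ZIP held in memory, validating every member name before the
    external sanitizer is invoked. `run` receives the argv list; it defaults to
    subprocess.run with shell=False, and callers can inject a recorder."""
    run = run or (lambda argv: subprocess.run(argv, shell=False, check=False))
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            try:
                argv = build_safe_argv(info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            run(argv)
            accepted.append(info.filename)
    return {"accepted": accepted, "rejected": rejected}


def constructed_archive() -> bytes:
    """Constructed sample: one benign member and one whose name carries shell
    metacharacters, standing in for the 'specially crafted' attachment the
    advisory mentions. The content is filler; only the names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("notes.txt; echo injected", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    # Record the argv lists instead of executing a tool that does not exist here.
    calls = []
    print(sanitize_archive(constructed_archive(), run=calls.append))
    print(calls)
```

Run as a script it reports the benign member as accepted, the crafted name as rejected, and a single argv list in which the file name is one argument. The point of the hardened half is that validation happens before any command is assembled and the name is never interpreted by a shell; a rejection log line at that point is also a useful detection signal for a gateway operator.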


Pierluigi Paganini

(SecurityAffairs – hacking, nation-state hackers)