All news with #libraesva tag
Mon, September 29, 2025
CISA Adds Five Vulnerabilities to KEV Catalog; Federal Risk
⚠️ CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on Sept. 29, 2025, citing evidence of active exploitation. The newly listed issues are CVE-2021-21311 (Adminer SSRF), CVE-2025-20352 (Cisco IOS/IOS XE stack overflow), CVE-2025-10035 (Fortra GoAnywhere deserialization), CVE-2025-59689 (Libraesva command injection), and CVE-2025-32463 (sudo untrusted-control vulnerability). Federal Civilian Executive Branch agencies must remediate these under BOD 22-01, and CISA urges all organizations to prioritize timely fixes as part of standard vulnerability management.
Wed, September 24, 2025
State-Sponsored Attacks Exploit Libraesva ESG Vulnerability
⚠️ Libraesva has released an urgent update to address a command injection vulnerability in its ESG email security product that is being exploited by state-sponsored actors. Tracked as CVE-2025-59689 with a CVSS score of 6.1, the flaw is triggered by a malicious compressed attachment and can execute arbitrary commands as a non-privileged user. Users should upgrade affected versions (4.5–5.5.x before 5.5.7) to the patched releases immediately.
Tue, September 23, 2025
Libraesva ESG issues emergency fix for exploited bug
⚠️ Libraesva issued an emergency update for ESG to fix a command injection vulnerability (CVE-2025-59689) triggered by a specially crafted compressed email attachment. The flaw allowed arbitrary shell commands to run as a non-privileged user and was confirmed exploited by actors believed to be state-sponsored. Fixed releases were auto-deployed to cloud and on-premise customers; end-of-life versions require manual upgrades.