CVE-2025-41392 Overview
CVE-2025-41392 affects Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204. The flaw stems from missing validation of user-supplied data when the applications parse AR files. An attacker who convinces a user to open a crafted AR file can trigger an out-of-bounds read [CWE-125]. Successful exploitation allows arbitrary code execution in the context of the current process. The vulnerability is tracked in CISA ICS Advisory ICSA-25-224-01 and impacts computer-aided design (CAD) software used in engineering workflows.
Critical Impact
Crafted AR files can drive arbitrary code execution in the user's process on systems running affected Ashlar-Vellum CAD applications.
Affected Products
- Ashlar-Vellum Cobalt prior to 12.6.1204.204
- Ashlar-Vellum Xenon, Argon, and Lithium prior to 12.6.1204.204
- Ashlar-Vellum Cobalt Share prior to 12.6.1204.204
Discovery Timeline
- 2025-08-18 - CVE-2025-41392 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-41392
Vulnerability Analysis
The vulnerability resides in the AR file parsing logic of Ashlar-Vellum CAD products. The parser reads structured data from an AR file without sufficiently validating field sizes or offsets against the bounds of allocated buffers. A malformed AR file can therefore cause the parser to read memory outside the intended buffer.
Reading past the buffer boundary leaks adjacent memory contents and can corrupt control data used later in execution. When attacker-influenced values reach function pointers, virtual table dispatch, or exception handling structures, the process can be redirected to attacker-controlled code. This places the vulnerability in the out-of-bounds read class [CWE-125] with downstream code execution impact. The flaw requires user interaction, since the victim must open the malicious file.
Root Cause
The affected applications lack proper validation of user-supplied data when parsing AR files. Length and offset fields embedded inside the AR file are trusted without bounds checking against the size of the in-memory buffer. As a result, the parser dereferences memory beyond the allocated region.
Attack Vector
Exploitation is local and requires user interaction. An attacker delivers a crafted AR file through email, shared drives, collaboration platforms, or supply-chain channels common in engineering teams. When a user opens the file in Cobalt, Xenon, Argon, Lithium, or Cobalt Share, the parser processes the malicious structure and the out-of-bounds read occurs. The attacker gains code execution with the privileges of the CAD application user.
No verified public proof-of-concept code is available for CVE-2025-41392. Refer to the CISA ICS Advisory ICSA-25-224-01 for vendor-provided technical context.
Detection Methods for CVE-2025-41392
Indicators of Compromise
- Unexpected child processes spawned by Cobalt.exe, Xenon.exe, Argon.exe, or Lithium.exe, particularly shells, scripting engines, or rundll32.exe.
- Crashes or unusual exception events logged for Ashlar-Vellum processes shortly after opening AR files received from external sources.
- Outbound network connections initiated by Ashlar-Vellum processes to unfamiliar hosts.
Detection Strategies
- Monitor process lineage for Ashlar-Vellum CAD applications and flag deviations from baseline behavior.
- Inspect AR files arriving through email gateways and file-sharing services for structural anomalies and oversized length fields.
- Correlate Windows Error Reporting and application crash telemetry on engineering workstations with recent file open events.
Monitoring Recommendations
- Enable command-line and module-load logging on engineering endpoints to capture post-exploitation activity.
- Track installed versions of Ashlar-Vellum products across the asset inventory and alert on hosts running versions below 12.6.1204.204.
- Forward endpoint, file gateway, and CAD application logs to a central analytics platform for correlation across the engineering environment.
How to Mitigate CVE-2025-41392
Immediate Actions Required
- Upgrade Cobalt, Xenon, Argon, Lithium, and Cobalt Share to version 12.6.1204.204 or later on all engineering workstations.
- Restrict opening of AR files to trusted sources and verify the origin of any externally received CAD files before opening.
- Communicate the threat to engineering and CAD user groups, since exploitation depends on user interaction with a malicious file.
Patch Information
Ashlar-Vellum has released version 12.6.1204.204 addressing CVE-2025-41392. Patch and version details are referenced in the CISA ICS Advisory ICSA-25-224-01. Apply the update to every system running an affected product.
Workarounds
- Block delivery of AR files from untrusted senders at the email and web gateway layer until patches are deployed.
- Run Ashlar-Vellum applications under standard user accounts to limit the scope of code execution following successful exploitation.
- Apply application allowlisting to prevent CAD processes from launching shells, scripting interpreters, or unsigned binaries.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

