CVE-2025-53705 Overview
CVE-2025-53705 is an out-of-bounds write vulnerability [CWE-787] affecting Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204. The flaw stems from missing validation of user-supplied data during parsing of CO files. An attacker who convinces a user to open a crafted CO file can trigger memory corruption and execute arbitrary code in the context of the current process. CISA published advisory ICSA-25-224-01 covering the issue, which carries a CVSS v4.0 base score of 8.4.
Critical Impact
Successful exploitation allows arbitrary code execution in the context of the running Ashlar-Vellum application, enabling full compromise of the user session on engineering workstations.
Affected Products
- Ashlar-Vellum Cobalt versions prior to 12.6.1204.204
- Ashlar-Vellum Xenon, Argon, and Lithium versions prior to 12.6.1204.204
- Ashlar-Vellum Cobalt Share versions prior to 12.6.1204.204
Discovery Timeline
- 2025-08-18 - CVE-2025-53705 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-53705
Vulnerability Analysis
The vulnerability resides in the CO file parser shared across the Ashlar-Vellum CAD product line. When the application loads a CO file, it processes user-controlled fields without enforcing proper bounds on length or offset values. A crafted file forces the parser to write data beyond the allocated buffer, corrupting adjacent memory structures. Attackers can shape the overwrite to redirect control flow, plant shellcode, or hijack object pointers, achieving arbitrary code execution within the application process.
Because the affected products run on engineering workstations that typically hold intellectual property such as CAD designs and proprietary part libraries, exploitation gives attackers a foothold on high-value endpoints. The attack vector is local and requires user interaction, since the victim must open the malicious CO file. The CWE-787 classification reflects the out-of-bounds write primitive at the core of the flaw.
Root Cause
The root cause is improper input validation during CO file deserialization. The parser trusts size, count, or index fields embedded in the file format and uses them to compute write destinations without verifying that the resulting addresses remain inside allocated buffers. This pattern is common in legacy binary parsers written in C or C++ where bounds checks were assumed safe based on producer-side constraints.
Attack Vector
Exploitation typically begins with social engineering. An attacker delivers a malicious CO file by email, shared drive, or supplier exchange portal. When an engineer opens the file in Cobalt, Xenon, Argon, Lithium, or Cobalt Share, the parser triggers the out-of-bounds write and runs attacker-supplied code at the privilege level of the logged-in user.
No verified proof-of-concept code has been published. The vulnerability mechanism is described in CISA ICS Advisory ICSA-25-224-01.
Detection Methods for CVE-2025-53705
Indicators of Compromise
- CO files received from untrusted external sources, particularly those delivered via email attachments or supplier file exchanges
- Unexpected child processes spawned by Cobalt.exe, Xenon.exe, Argon.exe, or Lithium.exe, such as command shells, PowerShell, or scripting interpreters
- Application crashes or access-violation events in Ashlar-Vellum products immediately after opening a CO file
Detection Strategies
- Monitor process lineage for Ashlar-Vellum executables and alert when they launch interpreters, network utilities, or LOLBins
- Inspect endpoint EDR telemetry for memory write violations and exception events originating in the Ashlar-Vellum process address space
- Hunt for newly created files in user profile directories written by Ashlar-Vellum processes outside of normal save operations
Monitoring Recommendations
- Log file open events for .co extensions on engineering workstations and correlate with subsequent process activity
- Capture and review crash dumps from Ashlar-Vellum products to identify potential exploitation attempts
- Alert on outbound network connections initiated by Ashlar-Vellum executables, which should generally not contact the internet
How to Mitigate CVE-2025-53705
Immediate Actions Required
- Upgrade all installations of Cobalt, Xenon, Argon, Lithium, and Cobalt Share to version 12.6.1204.204 or later
- Inventory engineering workstations to confirm no vulnerable versions remain in production or on contractor systems
- Instruct users not to open CO files received from external or unverified sources until patching is complete
Patch Information
Ashlar-Vellum has released version 12.6.1204.204, which addresses CVE-2025-53705 by adding proper validation of user-supplied data during CO file parsing. Refer to CISA ICS Advisory ICSA-25-224-01 for vendor remediation guidance and download links.
Workarounds
- Restrict CO file handling to a sandboxed virtual machine or dedicated review host until patches are deployed
- Apply application allowlisting to prevent Ashlar-Vellum processes from spawning interpreters or shells
- Enforce least-privilege user accounts on CAD workstations to limit the blast radius of code execution in user context
# Example: Verify installed Ashlar-Vellum Cobalt version on Windows
reg query "HKLM\SOFTWARE\Ashlar\Cobalt" /v Version
# Confirm value is 12.6.1204.204 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

