Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65084

CVE-2025-65084: Ashlar Argon RCE Vulnerability

CVE-2025-65084 is an out-of-bounds write flaw in Ashlar Argon enabling remote code execution and information disclosure. This article covers the technical details, affected versions, impact, and mitigation.

Updated:

CVE-2025-65084 Overview

CVE-2025-65084 is an Out-of-Bounds Write vulnerability [CWE-787] affecting Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior. An attacker can leverage the flaw to disclose information or execute arbitrary code on a targeted workstation. Exploitation requires local access and user interaction, typically through opening a crafted CAD file in the affected application. The vulnerability was disclosed through CISA ICS Advisory ICSA-25-329-01 and impacts engineering and design environments where Ashlar-Vellum modeling software is deployed.

Critical Impact

Successful exploitation allows arbitrary code execution in the context of the user running the affected Ashlar-Vellum application, leading to information disclosure or full compromise of the host.

Affected Products

  • Ashlar-Vellum Cobalt versions 12.6.1204.216 and prior
  • Ashlar-Vellum Xenon, Argon, and Lithium versions 12.6.1204.216 and prior
  • Ashlar-Vellum Cobalt Share versions 12.6.1204.216 and prior

Discovery Timeline

  • 2025-11-25 - CVE-2025-65084 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2025-65084

Vulnerability Analysis

The flaw is an Out-of-Bounds Write [CWE-787] in the file parsing logic shared across the Ashlar-Vellum product family. When the affected applications process a malformed CAD document, the parser writes data beyond the bounds of an allocated buffer. This corruption can overwrite adjacent heap or stack memory used by the application.

Depending on the memory layout at exploitation time, the attacker can leak process memory or redirect execution flow. Because Cobalt, Xenon, Argon, Lithium, and Cobalt Share share core parsing components, the same defect affects all five products under the same version range. The bug requires local attack vector and active user interaction, consistent with a file-format weaponization pattern.

Root Cause

The vulnerability stems from missing or insufficient bounds validation when parsing attacker-controlled fields inside a CAD file. The parser trusts length or offset values supplied in the document structure and writes data into a fixed-size buffer without verifying the destination range.

Attack Vector

An attacker crafts a malicious model or drawing file and delivers it through email, shared network drives, or supply chain channels targeting engineers and designers. When the victim opens the file in Cobalt, Xenon, Argon, Lithium, or Cobalt Share, the out-of-bounds write occurs during parsing. The resulting memory corruption enables arbitrary code execution under the privileges of the local user. No verified public proof-of-concept is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

For technical details, refer to the CISA ICS Advisory ICSA-25-329-01.

Detection Methods for CVE-2025-65084

Indicators of Compromise

  • Unexpected crashes, exception dialogs, or Windows Error Reporting events generated by Cobalt.exe, Xenon.exe, Argon.exe, Lithium.exe, or Cobalt Share processes.
  • Ashlar-Vellum processes spawning command interpreters such as cmd.exe, powershell.exe, or wscript.exe.
  • Inbound CAD files (.co, .xe, .ar, .li, .vc6) arriving from untrusted senders or external file shares.

Detection Strategies

  • Hunt for process trees where Ashlar-Vellum executables launch scripting hosts, LOLBins, or network-capable utilities.
  • Monitor for module loads of unsigned DLLs or memory regions marked executable inside Ashlar-Vellum processes.
  • Correlate CAD file open events with subsequent persistence activity such as Run key modifications or scheduled task creation.

Monitoring Recommendations

  • Enable application crash logging on engineering workstations and forward dumps to a central analysis platform.
  • Track outbound network connections originating from Ashlar-Vellum processes, which are not expected to initiate web traffic during normal modeling work.
  • Alert on CAD file downloads from external email gateways and web proxies for users in engineering roles.

How to Mitigate CVE-2025-65084

Immediate Actions Required

  • Inventory all workstations running Cobalt, Xenon, Argon, Lithium, or Cobalt Share and identify hosts on version 12.6.1204.216 or earlier.
  • Restrict opening CAD files received from external or untrusted sources until a vendor patch is applied.
  • Apply the principle of least privilege so Ashlar-Vellum applications run under standard user accounts rather than administrators.

Patch Information

Review the CISA ICS Advisory ICSA-25-329-01 for vendor remediation guidance and fixed version details. Upgrade all affected Ashlar-Vellum installations beyond version 12.6.1204.216 once the vendor releases a corrected build.

Workarounds

  • Block inbound Ashlar-Vellum file types at the email gateway when senders are unverified, and quarantine attachments for inspection.
  • Segment engineering workstations from general corporate networks to limit lateral movement following a successful compromise.
  • Enforce application allowlisting and exploit mitigation features such as Data Execution Prevention and Control Flow Guard on hosts running the affected software.
bash
# Example: enumerate installed Ashlar-Vellum versions on Windows hosts
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' |
  Where-Object { $_.DisplayName -match 'Cobalt|Xenon|Argon|Lithium' } |
  Select-Object DisplayName, DisplayVersion, InstallLocation

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.