CVE-2025-65086 Overview
CVE-2025-65086 is an out-of-bounds write vulnerability [CWE-787] affecting Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior. The flaw occurs when the affected applications parse a specially crafted VC6 file. An attacker who convinces a user to open a malicious VC6 file can execute arbitrary code in the context of the current user. The vulnerability was published in coordination with CISA ICS Advisory ICSA-25-329-01, reflecting the use of these computer-aided design (CAD) products in industrial and engineering environments.
Critical Impact
Arbitrary code execution through a crafted VC6 file, with user interaction required to open the file in an affected Ashlar-Vellum product.
Affected Products
- Ashlar-Vellum Cobalt versions 12.6.1204.216 and prior
- Ashlar-Vellum Xenon, Argon, and Lithium versions 12.6.1204.216 and prior
- Ashlar-Vellum Cobalt Share versions 12.6.1204.216 and prior
Discovery Timeline
- 2026-05-12 - CVE-2025-65086 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2025-65086
Vulnerability Analysis
The vulnerability is classified as an out-of-bounds write [CWE-787] in the VC6 file parser shared across the Ashlar-Vellum product line. When the parser processes a crafted VC6 file, it writes data past the bounds of an allocated buffer. This memory corruption can be leveraged to overwrite adjacent structures, function pointers, or return addresses, leading to arbitrary code execution under the privileges of the user running the CAD application.
Because the affected products are used by engineers, designers, and manufacturing teams, malicious VC6 files distributed through email, shared project folders, or supplier collaboration channels present a realistic delivery path. Exploitation requires user interaction, since a victim must open the crafted file in a vulnerable Ashlar-Vellum application.
Root Cause
The root cause is missing or insufficient bounds checking during deserialization of fields within the proprietary VC6 file format. Attacker-controlled values inside the file influence the size or offset used in a write operation, allowing memory outside the intended destination buffer to be modified. This pattern is consistent with prior file-parsing flaws in CAD and document-processing software.
Attack Vector
The attack vector is local. An attacker delivers a malicious VC6 file to a target and induces them to open it with Cobalt, Xenon, Argon, Lithium, or Cobalt Share. No prior authentication to the host is required, but user interaction is mandatory. Successful exploitation grants code execution with the privileges of the logged-in user, which on engineering workstations often includes access to sensitive design files and network shares.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the CISA ICS Advisory ICSA-25-329-01 for vendor-coordinated technical details.
Detection Methods for CVE-2025-65086
Indicators of Compromise
- Unexpected child processes spawned by Cobalt.exe, Xenon.exe, Argon.exe, Lithium.exe, or CobaltShare.exe, particularly command interpreters such as cmd.exe, powershell.exe, or wscript.exe.
- VC6 files arriving from untrusted email senders, external file shares, or supplier portals and opened on engineering workstations.
- Application crashes or Windows Error Reporting events implicating the Ashlar-Vellum executables shortly after a VC6 file is opened.
Detection Strategies
- Monitor process lineage on workstations running Ashlar-Vellum software and alert on anomalous descendants of the CAD processes.
- Inspect file write and network connection events originating from the affected applications, which normally have predictable behavior limited to project directories.
- Hunt for newly created executables, scheduled tasks, or registry run keys created within minutes of opening a VC6 file.
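The process-lineage strategy above, sketched as an added example (not part of the original advisory or any vendor tooling): it flags the command interpreters named in the indicators when they appear anywhere below one of the listed CAD processes, not only as direct children. The event fields, hosts, PIDs and the install path are constructed assumptions.

```python
from ntpath import basename  # parses Windows paths on any OS

# Process names taken from the indicators listed on this page.
CAD_IMAGES = {"cobalt.exe", "xenon.exe", "argon.exe", "lithium.exe", "cobaltshare.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}

def cad_ancestor(event, by_pid):
    """Walk the parent chain and return the CAD process this event descends from, or None."""
    seen = set()
    key = (event["host"], event["ppid"])
    while key in by_pid and key not in seen:  # 'seen' guards against cycles from PID reuse
        seen.add(key)
        parent = by_pid[key]
        if basename(parent["image"]).lower() in CAD_IMAGES:
            return parent
        key = (parent["host"], parent["ppid"])
    return None

def find_suspicious(events):
    """Alert on command interpreters anywhere below a CAD process, not only direct children."""
    # Assumption: PIDs are unique per host within the window; production telemetry
    # should key on a process GUID instead.
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in sorted(events, key=lambda item: item["time"]):
        if basename(e["image"]).lower() not in INTERPRETERS:
            continue
        root = cad_ancestor(e, by_pid)
        if root is not None:
            alerts.append((e["host"], basename(root["image"]), basename(e["image"]), e["time"]))
    return alerts

def ev(time, host, pid, ppid, image):
    return {"time": time, "host": host, "pid": pid, "ppid": ppid, "image": image}

# Constructed sample events (hypothetical hosts, PIDs and paths), not real telemetry.
SAMPLE_EVENTS = [
    ev("2026-05-15T09:00:00", "WS01", 100, 4, r"C:\Windows\explorer.exe"),
    ev("2026-05-15T09:01:10", "WS01", 200, 100, r"C:\Program Files\CAD\Cobalt.exe"),
    ev("2026-05-15T09:01:42", "WS01", 300, 200, r"C:\Windows\System32\cmd.exe"),
    ev("2026-05-15T09:01:43", "WS01", 400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ev("2026-05-15T09:05:00", "WS02", 100, 4, r"C:\Windows\explorer.exe"),
    ev("2026-05-15T09:06:00", "WS02", 250, 100, r"C:\Windows\System32\cmd.exe"),
    ev("2026-05-15T09:07:00", "WS02", 260, 100, r"C:\Program Files\CAD\Xenon.exe"),
    ev("2026-05-15T09:07:30", "WS02", 270, 260, r"C:\Windows\splwow64.exe"),
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

On the sample data, the cmd.exe started from explorer.exe on WS02 and the non-interpreter child of Xenon.exe are not flagged; only the Cobalt.exe chain on WS01 is.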
Monitoring Recommendations
- Centralize endpoint telemetry from engineering workstations and retain process, file, and module-load events for at least 30 days.
- Track inbound VC6 attachments at the email gateway and correlate with subsequent endpoint activity.
- Review crash telemetry from CAD applications to identify potential exploitation attempts that fail before achieving code execution.
How to Mitigate CVE-2025-65086
Immediate Actions Required
- Inventory all systems running Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, or Cobalt Share and confirm installed versions.
- Upgrade affected installations to a version later than 12.6.1204.216 as released by Ashlar-Vellum.
- Instruct users to open VC6 files only from trusted internal sources until patching is complete.
Patch Information
Ashlar-Vellum has released fixed versions addressing the out-of-bounds write. Administrators should consult the CISA ICS Advisory ICSA-25-329-01 for the current fixed version and vendor download instructions. Apply the update across all engineering workstations and any shared installation images.
Workarounds
- Block VC6 file attachments at the email gateway when no business justification exists for accepting them externally.
- Run Ashlar-Vellum applications under standard user accounts to limit the impact of successful exploitation.
- Apply application allowlisting and prevent the CAD executables from launching Microsoft Office or scripting child processes.
# Configuration example: block VC6 attachments at a Postfix gateway
# /etc/postfix/mime_header_checks
/name=[^>]*\.vc6/ REJECT VC6 attachments are blocked per security policy (CVE-2025-65086)


