CVE-2025-65087 Overview
CVE-2025-65087 is an out-of-bounds read vulnerability [CWE-125] affecting Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior. The flaw is triggered when the application parses a specially crafted VC6 file. An attacker who convinces a user to open a malicious file can disclose memory contents or execute arbitrary code in the context of the affected process. The vulnerability requires local access and user interaction, making spear-phishing and supply-chain delivery of weaponized CAD files the most likely attack paths. CISA published advisory ICSA-25-329-01 covering this issue in the Critical Manufacturing sector.
Critical Impact
Successful exploitation allows information disclosure or arbitrary code execution within the affected Ashlar-Vellum application when a crafted VC6 file is parsed.
Affected Products
- Ashlar-Vellum Cobalt (versions 12.6.1204.216 and prior)
- Ashlar-Vellum Xenon, Argon, and Lithium (versions 12.6.1204.216 and prior)
- Ashlar-Vellum Cobalt Share (versions 12.6.1204.216 and prior)
Discovery Timeline
- 2026-05-12 - CVE-2025-65087 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2025-65087
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in the VC6 file parser used by multiple Ashlar-Vellum products. When the parser processes a malformed VC6 file, it reads memory beyond the bounds of an allocated buffer. Depending on the memory layout at the time of parsing, this read can leak sensitive process memory or corrupt control-flow data that the parser later trusts. Ashlar-Vellum products are widely used in mechanical CAD workflows, placing engineering workstations in the Critical Manufacturing sector at risk.
Root Cause
The root cause is missing or insufficient bounds checking when the VC6 parser interprets size or offset fields embedded in the file. An attacker who controls these fields can force the parser to dereference memory outside the intended buffer. CISA advisory ICSA-25-329-01 attributes the issue to improper validation in the file handler shared across the affected product line.
Attack Vector
Exploitation requires local access combined with user interaction. The attacker delivers a crafted .vc6 file through email, a shared drive, or a compromised project repository. When the victim opens the file in Cobalt, Xenon, Argon, Lithium, or Cobalt Share, the malformed structure triggers the out-of-bounds read. The attack does not require authentication on the target system and runs with the privileges of the user who opened the file.
No public proof-of-concept exploit is available at the time of publication. See the CISA ICS Advisory ICSA-25-329-01 for additional technical context.
Detection Methods for CVE-2025-65087
Indicators of Compromise
- Unexpected crashes or memory access violations in Cobalt.exe, Xenon.exe, Argon.exe, or Lithium.exe shortly after opening a VC6 file
- VC6 files arriving from untrusted email senders, external file-sharing services, or unverified project repositories
- Child processes spawned by an Ashlar-Vellum application that are inconsistent with normal CAD workflows
Detection Strategies
- Inspect VC6 files at the email and web gateway for malformed headers or anomalous size fields prior to delivery to engineering workstations
- Hunt for process crashes of Ashlar-Vellum binaries in endpoint telemetry and correlate with recent file-open events
- Apply YARA or file-format validation against incoming VC6 attachments to flag structures that deviate from the documented format
Monitoring Recommendations
- Monitor engineering workstations for outbound network connections initiated by Ashlar-Vellum processes immediately after file parsing
- Log and alert on any process-injection or shellcode-style behavior originating from Ashlar-Vellum applications
- Track software inventory to identify hosts still running Ashlar-Vellum versions at or below 12.6.1204.216
How to Mitigate CVE-2025-65087
Immediate Actions Required
- Identify all systems running Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, or Cobalt Share and inventory their versions
- Restrict opening of VC6 files to trusted internal sources until a fixed version is deployed
- Brief CAD operators and engineering staff on the risk of opening unsolicited VC6 attachments
Patch Information
Refer to the CISA ICS Advisory ICSA-25-329-01 for vendor remediation guidance. Upgrade affected Ashlar-Vellum products to a version released after 12.6.1204.216 once the vendor publishes a fixed build.
Workarounds
- Block inbound VC6 files at email gateways and content-disarm controls where the file type is not required for business
- Run Ashlar-Vellum applications under standard user accounts without local administrator privileges to limit post-exploitation impact
- Segment engineering workstations from broader enterprise networks to reduce lateral movement opportunities if a host is compromised
# Example: locate vulnerable Ashlar-Vellum installations on Windows hosts
Get-ChildItem -Path 'C:\Program Files','C:\Program Files (x86)' -Recurse -Include Cobalt.exe,Xenon.exe,Argon.exe,Lithium.exe -ErrorAction SilentlyContinue |
ForEach-Object { [PSCustomObject]@{ Path = $_.FullName; Version = $_.VersionInfo.FileVersion } }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
