CVE-2025-65088 Overview
CVE-2025-65088 is an Out-of-Bounds Read vulnerability [CWE-125] affecting Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share computer-aided design (CAD) products in versions 12.6.1204.216 and prior. The flaw occurs when the application parses a specially crafted VC6 file. An attacker who convinces a user to open a malicious VC6 file can disclose memory contents or execute arbitrary code in the context of the user. Exploitation requires local file interaction and user action, but no authentication. The vulnerability was published to the National Vulnerability Database (NVD) on May 12, 2026, and is referenced in CISA ICS Advisory ICSA-25-329-01.
Critical Impact
Successful exploitation enables arbitrary code execution and information disclosure within the user context of the targeted CAD operator.
Affected Products
- Ashlar-Vellum Cobalt (versions 12.6.1204.216 and prior)
- Ashlar-Vellum Xenon, Argon, and Lithium (versions 12.6.1204.216 and prior)
- Ashlar-Vellum Cobalt Share (versions 12.6.1204.216 and prior)
Discovery Timeline
- 2026-05-12 - CVE-2025-65088 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2025-65088
Vulnerability Analysis
The vulnerability is classified as an Out-of-Bounds Read [CWE-125]. It is triggered while the affected Ashlar-Vellum applications parse a VC6 file, the native vector file format used across the Cobalt, Xenon, Argon, Lithium, and Cobalt Share product line. A crafted file causes the parser to read memory outside the bounds of an allocated buffer.
The read primitive can leak adjacent process memory, which an attacker can use to defeat mitigations such as Address Space Layout Randomization (ASLR). According to the vendor advisory, the same condition can also be leveraged to achieve arbitrary code execution. Exploitation runs in the security context of the user opening the file.
The attack vector is local and requires user interaction. A typical delivery path is social engineering — sending a malicious .vc6 file via email or shared drive — and convincing a CAD operator to open it. No network exposure of the application is required.
Root Cause
The root cause is insufficient bounds checking during deserialization of structured fields in the VC6 file format. When a length, offset, or index field references data beyond the allocated buffer, the parser dereferences memory outside the intended region instead of rejecting the input.
Attack Vector
The attacker authors a malicious VC6 file with manipulated parser fields and delivers it to a target. When the user opens the file in any of the affected Ashlar-Vellum products, the parser performs the out-of-bounds read. This can corrupt control data or return attacker-influenced memory, leading to information disclosure or code execution.
No verified proof-of-concept code is publicly available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and there are no confirmed reports of in-the-wild exploitation.
Detection Methods for CVE-2025-65088
Indicators of Compromise
- Unexpected crashes of Cobalt.exe, Xenon.exe, Argon.exe, or Lithium.exe shortly after opening a .vc6 file.
- Inbound .vc6 files received from untrusted external senders, especially via email attachments or cloud file shares.
- Child processes (command interpreters, scripting hosts) spawned from an Ashlar-Vellum application process.
Detection Strategies
- Monitor process creation events where an Ashlar-Vellum binary is the parent of cmd.exe, powershell.exe, or rundll32.exe.
- Track file open events of .vc6 files correlated with subsequent crash or exception events in the Windows Application event log.
- Inspect email and web gateways for .vc6 attachments originating outside the organization.
Monitoring Recommendations
- Enable endpoint detection and response (EDR) telemetry for the workstations of CAD operators using Ashlar-Vellum products.
- Forward Windows Error Reporting (WER) and application crash dumps to a centralized SIEM for analysis.
- Audit file shares for newly introduced .vc6 files from unverified sources.
How to Mitigate CVE-2025-65088
Immediate Actions Required
- Upgrade all installations of Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share to a version later than 12.6.1204.216 as released by the vendor.
- Restrict opening of .vc6 files to those received from trusted internal sources only.
- Brief CAD users on the risk of opening unsolicited design files received by email or chat.
Patch Information
Refer to the CISA ICS Advisory ICSA-25-329-01 for vendor-supplied fixed versions and update instructions. Apply the vendor update across every endpoint running an affected Ashlar-Vellum product.
Workarounds
- Block .vc6 attachments at the email gateway when senders are outside the organization.
- Run the Ashlar-Vellum applications under a standard user account with no administrative privileges to limit code execution impact.
- Use application allowlisting to prevent child processes from being launched by the CAD application.
# Example: Block .vc6 attachments at Exchange transport rule (PowerShell)
New-TransportRule -Name "Block VC6 Attachments" \
-AttachmentExtensionMatchesWords "vc6" \
-FromScope NotInOrganization \
-RejectMessageReasonText "VC6 attachments are blocked due to CVE-2025-65088."
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
