CVE-2025-7977 Overview
CVE-2025-7977 is an out-of-bounds read vulnerability [CWE-125] in Ashlar-Vellum Cobalt that enables arbitrary code execution. The flaw resides in the parser responsible for handling LI files. Insufficient validation of user-supplied data causes the parser to read before the start of an allocated buffer. Attackers can leverage this condition to execute code in the context of the current process.
Exploitation requires user interaction. A target must open a crafted LI file or visit a malicious page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-25354.
Critical Impact
Successful exploitation grants arbitrary code execution under the privileges of the user running Ashlar-Vellum Cobalt, allowing attackers to compromise engineering workstations through malicious CAD files.
Affected Products
- Ashlar-Vellum Cobalt 12.0.1204.91
- Ashlar-Vellum Cobalt installations processing LI files
- Workstations running vulnerable Cobalt CAD software
Discovery Timeline
- 2025-09-17 - CVE-2025-7977 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7977
Vulnerability Analysis
The vulnerability exists in the LI file parsing routine within Ashlar-Vellum Cobalt. The parser reads structured data from the file without verifying that indices or offsets remain within the bounds of an allocated buffer. When the parser dereferences a pointer derived from attacker-controlled fields, it accesses memory before the start of the buffer.
This out-of-bounds read [CWE-125] exposes adjacent process memory and, depending on the data layout, leads to memory corruption that the attacker can shape into code execution. The flaw runs in the security context of the user who opened the file, which on typical engineering workstations includes broad access to project files and network shares.
The vulnerability is tracked as ZDI-CAN-25354 by the Zero Day Initiative, which coordinated disclosure with the vendor.
Root Cause
The root cause is missing validation of size and offset fields read from the LI file. The parser trusts attacker-controlled values when computing buffer addresses, allowing reads outside the allocated region. No bounds check confirms that the computed pointer remains within the allocation.
Attack Vector
The attack vector is local but requires user interaction. An attacker delivers a malicious LI file through email, a shared drive, or a web download. When the user opens the file in Ashlar-Vellum Cobalt, the parser triggers the out-of-bounds read and the attacker's payload achieves code execution in the user's session.
No verified exploitation code is publicly available. Refer to the Zero Day Initiative Advisory ZDI-25-629 for technical details.
Detection Methods for CVE-2025-7977
Indicators of Compromise
- Unexpected LI files arriving via email attachments, shared drives, or web downloads from untrusted sources
- Ashlar-Vellum Cobalt processes (cobalt.exe) crashing or spawning child processes such as cmd.exe or powershell.exe
- Outbound network connections originating from the Cobalt process shortly after a file open event
- Creation of new executable files or scheduled tasks following a CAD file open operation
Detection Strategies
- Monitor process creation events where the Cobalt process is the parent of shells, scripting engines, or LOLBins
- Inspect file system telemetry for LI files written to temporary or download directories before being opened
- Apply YARA signatures targeting malformed LI headers and oversized offset fields documented in the ZDI advisory
- Correlate user-initiated file opens with subsequent anomalous memory access or crash events in Cobalt
Monitoring Recommendations
- Enable application crash logging for cobalt.exe and forward Windows Error Reporting events to a central SIEM
- Track endpoint EDR alerts on memory access violations in CAD application processes
- Audit email gateways and web proxies for LI file transfers from external senders
- Review engineering workstation telemetry for execution of unsigned binaries dropped after CAD file open events
How to Mitigate CVE-2025-7977
Immediate Actions Required
- Inventory all Ashlar-Vellum Cobalt installations and identify hosts running version 12.0.1204.91 or earlier
- Restrict the opening of LI files to known, trusted sources and block delivery of such files from external email senders
- Apply application allowlisting to prevent Cobalt from spawning shells or scripting engines
- Enforce least-privilege user accounts on engineering workstations to limit post-exploitation impact
Patch Information
At the time of publication, no vendor patch is referenced in the NVD record. Consult the Zero Day Initiative Advisory ZDI-25-629 and the Ashlar-Vellum vendor portal for the latest updates. Apply any vendor-issued fix as soon as it becomes available.
Workarounds
- Disable or uninstall Ashlar-Vellum Cobalt on systems that do not require CAD functionality
- Open untrusted LI files only inside isolated virtual machines or sandboxed environments without network access
- Configure email and web filtering to quarantine LI file attachments from unverified senders
- Educate engineering staff on the risk of opening unsolicited CAD files and the use of file provenance checks
# Configuration example: block LI file attachments at the mail gateway
# Example rule for a Postfix header_checks file
/^Content-(Disposition|Type).*name=".*\.li"/ REJECT LI attachments are blocked pending CVE-2025-7977 mitigation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

