Skip to main content
CVE Vulnerability Database

CVE-2025-7982: Ashlar Cobalt RCE Vulnerability

CVE-2025-7982 is a remote code execution vulnerability in Ashlar Cobalt caused by an integer overflow in LI file parsing. Attackers can exploit this to execute arbitrary code. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-7982 Overview

CVE-2025-7982 is an integer overflow vulnerability [CWE-190] in Ashlar-Vellum Cobalt that allows attackers to execute arbitrary code on affected installations. The flaw resides in the parser for LI files and stems from missing validation of user-supplied data before a buffer allocation. Exploitation requires user interaction: the victim must open a malicious file or visit a malicious page that delivers one. Successful exploitation grants code execution in the context of the current process. The Zero Day Initiative tracks the issue as ZDI-CAN-25476 under advisory ZDI-25-630.

Critical Impact

Attackers can achieve arbitrary code execution on workstations running vulnerable Ashlar-Vellum Cobalt versions when a user opens a crafted LI file.

Affected Products

  • Ashlar-Vellum Cobalt 12.2.1204.96
  • Ashlar-Vellum Cobalt CAD modeling software (Windows installations)
  • Workstations processing untrusted LI files with Cobalt

Discovery Timeline

  • 2025-09-17 - CVE-2025-7982 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7982

Vulnerability Analysis

The vulnerability exists in the routine that parses LI files within Ashlar-Vellum Cobalt. The parser reads attacker-controlled size or count fields from the file and uses them in an arithmetic operation that calculates a buffer size. Because the calculation lacks bounds checking, a crafted value triggers an integer overflow. The wrapped result produces an undersized allocation. Subsequent copies into that buffer overflow adjacent memory, corrupting heap structures or function pointers. An attacker who controls the overflowed data can redirect execution and run arbitrary code in the process running Cobalt.

The issue is classified as CWE-190 (Integer Overflow or Wraparound). Cobalt runs in the user's session, so successful exploitation yields code execution with the privileges of the logged-on user, including access to local files, network resources, and any cached credentials in that session.

Root Cause

The root cause is missing validation of length or count values read from LI file structures before they are used in a buffer size calculation. The arithmetic wraps around the integer's maximum value, returning a small allocation size for what the parser then treats as a large data region. No sanity check ensures the allocated size matches the data the parser will write.

Attack Vector

Attack delivery relies on user interaction. An attacker distributes a malicious LI file through email, a download link, a shared drive, or a webpage that triggers Cobalt to open the file. When the user opens the file, the parser processes the malformed length fields, allocates an undersized buffer, writes attacker-controlled bytes past its end, and the corruption is leveraged to gain control of execution. The CVSS vector indicates a local attack vector with required user interaction.

No verified proof-of-concept code is publicly available. See the Zero Day Initiative Advisory ZDI-25-630 for additional technical detail.

Detection Methods for CVE-2025-7982

Indicators of Compromise

  • Unexpected LI files delivered through email attachments, web downloads, or removable media to users running Ashlar-Vellum Cobalt.
  • Cobalt process (Cobalt.exe) crashing or spawning child processes such as cmd.exe, powershell.exe, or rundll32.exe.
  • New persistence artifacts (scheduled tasks, Run keys, services) created shortly after a user opened a LI file.
  • Outbound network connections from Cobalt.exe to previously unseen domains or IP addresses.

Detection Strategies

  • Hunt for LI file writes to user download or temp directories followed by Cobalt.exe launching with that file as an argument.
  • Alert on memory access violations or unhandled exceptions in Cobalt.exe reported by Windows Error Reporting.
  • Flag any process creation chain where Cobalt.exe is the parent of a command interpreter or scripting host.

Monitoring Recommendations

  • Collect endpoint process, file, and network telemetry from workstations running Cobalt and route it to a centralized analytics platform for correlation.
  • Track all LI, CO, VC6, and related Cobalt project file extensions arriving from external sources.
  • Review Windows Defender Exploit Guard and crash dump logs for repeated faults in the Cobalt parser modules.

How to Mitigate CVE-2025-7982

Immediate Actions Required

  • Inventory all hosts running Ashlar-Vellum Cobalt 12.2.1204.96 and prioritize them for patching.
  • Restrict the opening of LI files received from untrusted sources until a fixed build is installed.
  • Train Cobalt users to verify the origin of CAD files before opening, especially those received by email or shared links.
  • Enforce least-privilege so Cobalt users do not operate with administrative rights, limiting the impact of code execution.

Patch Information

At the time of publication, no vendor advisory URL is listed in the NVD record. Refer to the Zero Day Initiative Advisory ZDI-25-630 and the Ashlar-Vellum support channels for the latest fixed version. Apply the patched build to every host running version 12.2.1204.96 or earlier once available.

Workarounds

  • Block inbound LI file attachments at the email gateway and web proxy where business workflows allow.
  • Use Windows Attack Surface Reduction rules to prevent Cobalt.exe from spawning child processes such as command interpreters.
  • Open untrusted CAD files only inside an isolated virtual machine that has no access to sensitive data or credentials.
  • Apply application control (WDAC or AppLocker) to restrict execution of binaries dropped by exploited Cobalt sessions.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.