CVE-2025-7985 Overview
CVE-2025-7985 is an integer overflow vulnerability in Ashlar-Vellum Cobalt affecting the parsing of VC6 files. The flaw stems from insufficient validation of user-supplied data prior to a buffer allocation, allowing an attacker-controlled size calculation to wrap and produce an undersized allocation. Attackers can leverage the resulting memory corruption to execute arbitrary code in the context of the current process. Exploitation requires user interaction: the target must open a crafted VC6 file or visit a malicious page that delivers one. The issue was reported through the Zero Day Initiative as ZDI-CAN-25704 and disclosed in advisory ZDI-25-637. The vulnerability is classified under [CWE-190] Integer Overflow or Wraparound.
Critical Impact
Successful exploitation grants arbitrary code execution as the user running Ashlar-Vellum Cobalt, enabling malware deployment, credential theft, or lateral movement from engineering workstations.
Affected Products
- Ashlar-Vellum Cobalt 12.2.1204.96
- Ashlar-Vellum Cobalt (VC6 file parser component)
- Windows workstations running vulnerable Cobalt installations
Discovery Timeline
- 2025-09-17 - CVE-2025-7985 published to NVD
- 2026-06-17 - Last updated in NVD database
- Reference - Zero Day Initiative Advisory ZDI-25-637 (ZDI-CAN-25704)
Technical Details for CVE-2025-7985
Vulnerability Analysis
The vulnerability resides in Cobalt's VC6 file parser. When processing size or count fields sourced from the file, the code performs arithmetic used to determine the size of a heap buffer. Because the arithmetic is not validated against integer bounds, a large attacker-supplied value causes the computation to wrap around and produce a small allocation size. The parser then writes data based on the original, unwrapped length into the undersized buffer, producing a heap-based out-of-bounds write. This memory corruption is reachable purely through file parsing, so it does not require any network exposure of the application. Because Cobalt runs in the user's security context, code executed through this path inherits the privileges of the interactive user, which on engineering workstations often includes access to design intellectual property and network shares.
Root Cause
The root cause is a missing bounds check on a length or count value read from an untrusted VC6 file. The multiplication or addition used to compute a buffer size overflows a fixed-width integer, per [CWE-190], and the resulting truncated value is passed to the allocator. Subsequent copy operations use the original untruncated length, so writes extend past the allocation boundary.
Attack Vector
An attacker crafts a malicious VC6 file containing header fields designed to trigger the integer overflow. The file is delivered by email, shared drive, download link, or a malicious web page. When a user opens the file in Ashlar-Vellum Cobalt, the parser processes the malicious size fields, corrupts the heap, and transfers control to attacker-supplied shellcode. Because delivery relies on social engineering of CAD users, phishing campaigns targeting engineering, manufacturing, and product design teams are the most likely delivery method.
No public proof-of-concept code is available. Refer to the Zero Day Initiative Advisory ZDI-25-637 for technical detail on the flaw.
Detection Methods for CVE-2025-7985
Indicators of Compromise
- Unexpected child processes (for example cmd.exe, powershell.exe, rundll32.exe) spawned by the Cobalt executable shortly after a .vc6 file is opened.
- Crash or Windows Error Reporting events referencing the Cobalt process during VC6 file loading, which may indicate exploitation attempts or failed exploits.
- Inbound .vc6 attachments or downloads originating from external senders or unusual URLs, particularly outside normal engineering workflows.
- New executables, DLLs, or scheduled tasks created in the user profile directory immediately after Cobalt activity.
Detection Strategies
- Deploy behavioral endpoint detection rules that flag process lineage where Cobalt spawns command interpreters or script hosts.
- Alert on memory protection violations, access violations, or exploit-mitigation events (CFG, DEP, ASLR) in the Cobalt process.
- Use file-type inspection at the mail gateway and web proxy to surface .vc6 files delivered from untrusted sources.
- Correlate Sysmon Event ID 1 (Process Create) and Event ID 11 (File Create) events with Cobalt as the parent to identify post-exploitation activity.
Monitoring Recommendations
- Ingest endpoint process, file, and image-load telemetry from workstations that have Cobalt installed into a central detection pipeline.
- Baseline normal Cobalt behavior, including expected child processes and file writes, so anomalies stand out.
- Monitor for privilege escalation attempts and lateral movement originating from engineering workstations after any Cobalt crash event.
How to Mitigate CVE-2025-7985
Immediate Actions Required
- Inventory all systems running Ashlar-Vellum Cobalt, particularly version 12.2.1204.96, and prioritize them for patching.
- Instruct users not to open VC6 files received from untrusted or unverified sources until a fixed build is deployed.
- Block or quarantine inbound .vc6 attachments at email and web gateways where feasible.
- Restrict Cobalt users to standard (non-administrative) accounts to limit the impact of code execution.
Patch Information
No vendor advisory URL or patched build was included in the CVE record at the time of publication. Consult Ashlar-Vellum directly and monitor the Zero Day Initiative Advisory ZDI-25-637 for updates on a fixed release. Until a patch is applied, treat all Cobalt installations at version 12.2.1204.96 as vulnerable.
Workarounds
- Isolate CAD workstations from general internet browsing and email to reduce delivery paths for malicious VC6 files.
- Enforce application allowlisting to prevent unauthorized child processes from executing from Cobalt.
- Enable Windows exploit protection (DEP, ASLR, CFG) for the Cobalt executable through Exploit Guard settings.
- Require file-origin verification (digital signatures, trusted repositories) for VC6 files before opening.
# Configuration example: enable Windows Exploit Protection for the Cobalt executable
Set-ProcessMitigation -Name "Cobalt.exe" -Enable DEP,SEHOP,ForceRelocateImages,BottomUp,HighEntropy,TerminateOnError,CFG
# Block inbound .vc6 attachments at the mail gateway (example transport rule pattern)
# Match: attachment extension equals "vc6" AND sender is external
# Action: quarantine and notify security operations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

