Skip to main content
CVE Vulnerability Database

CVE-2025-7989: Ashlar Cobalt AR File Parsing RCE Flaw

CVE-2025-7989 is a remote code execution vulnerability in Ashlar-Vellum Cobalt caused by improper AR file parsing. Attackers can exploit this flaw to run arbitrary code. This article covers technical details, impact, and mitigations.

Published:

CVE-2025-7989 Overview

CVE-2025-7989 is an out-of-bounds read vulnerability [CWE-125] in Ashlar-Vellum Cobalt, a 3D modeling and computer-aided design (CAD) application. The flaw exists in the application's parser for AR files and stems from insufficient validation of user-supplied data. An attacker who convinces a user to open a crafted AR file or visit a malicious page hosting one can read memory past the end of an allocated buffer. The condition is reachable from local file processing and enables arbitrary code execution in the context of the Cobalt process. The Zero Day Initiative tracks the issue as ZDI-CAN-25943 and published advisory ZDI-25-640.

Critical Impact

Successful exploitation grants arbitrary code execution under the privileges of the user running Ashlar-Vellum Cobalt, enabling full compromise of the user session.

Affected Products

  • Ashlar-Vellum Cobalt (CPE: cpe:2.3:a:ashlar:cobalt:-:*:*:*:*:*:*:*)
  • Installations processing untrusted AR files
  • Workstations where users open CAD attachments received via email or web download

Discovery Timeline

  • 2025-09-17 - CVE-2025-7989 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7989

Vulnerability Analysis

The defect resides in the AR file parser shipped with Ashlar-Vellum Cobalt. AR is a container format used by the application to store CAD-related structures. When Cobalt processes an AR file, the parser reads structured fields without validating that referenced offsets, lengths, or counts remain within the bounds of the allocated buffer. A crafted file can force the parser to read past the end of that buffer.

Reading out-of-bounds memory can leak sensitive process state, including pointers, heap metadata, and module addresses. Attackers can use the leaked values to bypass Address Space Layout Randomization (ASLR) and pivot to code execution by chaining the read with additional memory corruption primitives in the same parsing path. The flaw is categorized as Out-of-Bounds Read [CWE-125] and is exploited locally with required user interaction.

Root Cause

The root cause is missing length and bounds checks on attacker-controlled fields inside the AR file structure. The parser trusts size and offset values embedded in the file when computing read positions. Because no validation confirms that those positions fall inside the allocated buffer, malformed records cause the parser to dereference memory outside the intended object.

Attack Vector

Exploitation requires the victim to open a malicious AR file or visit a page that delivers one through a registered file handler. After the file is opened, parsing begins automatically and triggers the out-of-bounds read. The attacker gains code execution in the user's session, which can then be used for credential theft, lateral movement, or persistence on the host.

No authenticated network service is involved. The attack surface is the file-handling code path invoked by Cobalt on the local workstation. See the Zero Day Initiative Advisory ZDI-25-640 for additional technical details.

Detection Methods for CVE-2025-7989

Indicators of Compromise

  • Unexpected crashes or hangs in Cobalt.exe when opening AR files from untrusted sources
  • AR files arriving via email, chat, or web downloads from senders outside normal CAD workflows
  • Child processes spawned by Cobalt that are inconsistent with CAD operations, such as cmd.exe, powershell.exe, or scripting hosts
  • Outbound network connections initiated by the Cobalt process shortly after file open events

Detection Strategies

  • Monitor process creation events where Cobalt is the parent and the child is a shell, scripting engine, or LOLBin
  • Alert on Cobalt loading unsigned DLLs or modules from user-writable directories
  • Inspect file write activity by Cobalt to autorun locations, scheduled task paths, or startup folders
  • Correlate AR file open events with subsequent network connections to non-corporate destinations

Monitoring Recommendations

  • Enable detailed endpoint telemetry on workstations with Ashlar-Vellum Cobalt installed
  • Capture file-open audit events for the .ar extension and associated MIME handlers
  • Track crash reports and Windows Error Reporting entries referencing the Cobalt process for early indicators of exploitation attempts

How to Mitigate CVE-2025-7989

Immediate Actions Required

  • Restrict opening of AR files from untrusted email, web, or external storage sources until a vendor fix is applied
  • Communicate the threat to CAD users and instruct them to verify AR file provenance before opening
  • Apply application allowlisting to prevent Cobalt from spawning shells or scripting interpreters
  • Run Cobalt under standard user accounts rather than administrative accounts to limit post-exploitation impact

Patch Information

At the time of publication, no vendor patch URL was listed in the NVD record. Refer to the Zero Day Initiative Advisory ZDI-25-640 for vendor coordination status and check the Ashlar-Vellum website for updated Cobalt releases that address the AR parser flaw.

Workarounds

  • Disassociate the .ar extension from Cobalt on systems that do not require AR file processing
  • Open suspicious AR files only inside isolated virtual machines or sandboxed environments
  • Enforce attachment filtering at the email gateway to block or quarantine AR files from external senders
  • Apply Windows Defender Exploit Guard or equivalent mitigations such as Control Flow Guard and ASLR enforcement on the Cobalt process
bash
# Remove the .ar file association on Windows to prevent automatic handling by Cobalt
reg delete "HKCR\.ar" /f
reg delete "HKCU\Software\Classes\.ar" /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.