Skip to main content
CVE Vulnerability Database

CVE-2025-7990: Ashlar Cobalt RCE Vulnerability

CVE-2025-7990 is a remote code execution flaw in Ashlar-Vellum Cobalt that allows attackers to execute arbitrary code through malicious VC6 files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7990 Overview

CVE-2025-7990 is an out-of-bounds write vulnerability [CWE-787] in Ashlar-Vellum Cobalt that allows arbitrary code execution through malicious VC6 file parsing. The flaw stems from missing validation of user-supplied data during VC6 file processing. Attackers can write data past the end of an allocated buffer and execute code in the context of the current process.

Exploitation requires user interaction. A target must open a crafted VC6 file or visit a malicious page that delivers one. The issue was reported through Trend Micro's Zero Day Initiative as ZDI-CAN-25944 and published in advisory ZDI-25-638.

Critical Impact

Successful exploitation grants arbitrary code execution with the privileges of the Cobalt user, enabling full compromise of engineering workstations handling CAD assets.

Affected Products

  • Ashlar-Vellum Cobalt (all versions per CPE cpe:2.3:a:ashlar:cobalt:-:*:*:*:*:*:*:*)
  • Workstations processing VC6 (Cobalt) design files
  • Engineering and CAD environments using Ashlar-Vellum desktop tooling

Discovery Timeline

  • 2025-09-17 - CVE-2025-7990 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7990

Vulnerability Analysis

The vulnerability resides in the VC6 file parser inside Ashlar-Vellum Cobalt. Cobalt is a 3D modeling application that consumes proprietary .vc6 files containing geometric and metadata records. When the parser processes attacker-controlled fields from a malformed VC6 file, it fails to validate length values used to copy data into a fixed-size structure.

The parser writes beyond the bounds of the allocated buffer, corrupting adjacent memory. Attackers can craft input that overwrites control data such as function pointers, virtual table entries, or saved return addresses. Pivoting from memory corruption to arbitrary code execution then becomes feasible within the Cobalt process context.

The weakness is classified as CWE-787: Out-of-bounds Write. Because the affected component is desktop CAD software, exploitation depends on social engineering. Attackers typically deliver weaponized VC6 files through email attachments, shared project folders, or supplier-provided design packages.

Root Cause

The root cause is missing or insufficient bounds checking on length and offset fields parsed from the VC6 file structure. The application trusts attacker-supplied size values when computing write offsets into heap or stack buffers, producing a deterministic out-of-bounds write primitive.

Attack Vector

Exploitation is local and requires user interaction. The attacker delivers a malicious VC6 file by phishing email, malicious website download, or a compromised file share. When the victim opens the file in Cobalt, the parser triggers the out-of-bounds write and the attacker's payload executes under the user account running Cobalt.

No public proof-of-concept code or in-the-wild exploitation has been reported. Refer to the Zero Day Initiative Advisory ZDI-25-638 for additional technical context.

Detection Methods for CVE-2025-7990

Indicators of Compromise

  • Unexpected child processes spawned by the Cobalt executable, such as cmd.exe, powershell.exe, or rundll32.exe.
  • Crashes or abnormal termination of the Cobalt process correlated with opening .vc6 files received from untrusted sources.
  • VC6 files arriving from external email senders, instant messengers, or unverified supplier portals.
  • Outbound network connections from the Cobalt process to unfamiliar hosts shortly after file open events.

Detection Strategies

  • Monitor process lineage for Cobalt spawning shells, script interpreters, or LOLBins immediately after a file-open event.
  • Inspect VC6 files at the email gateway and file share for anomalous size headers or malformed record structures.
  • Hunt for memory access violations and exception events generated by the Cobalt process in Windows Application logs.
  • Apply behavioral identification of post-exploitation activity such as credential access, persistence creation, or lateral movement originating from CAD workstations.

Monitoring Recommendations

  • Centralize endpoint telemetry from engineering workstations into the SIEM and alert on Cobalt process anomalies.
  • Track file write and execution events in user profile directories triggered by Cobalt sessions.
  • Baseline normal Cobalt behavior to surface deviations indicative of exploitation attempts.

How to Mitigate CVE-2025-7990

Immediate Actions Required

  • Restrict opening of VC6 files to those originating from trusted internal sources and verified suppliers.
  • Block inbound .vc6 attachments at email security gateways pending vendor patch deployment.
  • Educate CAD users about the risk of opening unsolicited Cobalt project files.
  • Run Cobalt under standard user accounts and remove local administrator rights where feasible.

Patch Information

No vendor advisory URL was published in NVD at the time of disclosure. Refer to the Zero Day Initiative Advisory ZDI-25-638 and the Ashlar-Vellum support portal for the latest Cobalt build that addresses CVE-2025-7990. Apply the fixed version across all engineering workstations once available.

Workarounds

  • Isolate workstations that must process untrusted VC6 files into a segmented VLAN with restricted egress.
  • Open suspicious VC6 files only inside disposable virtual machines or sandboxed sessions.
  • Enable exploit mitigation features such as Control Flow Guard, ASLR, and DEP on systems running Cobalt.
  • Maintain offline backups of CAD project repositories to support recovery after a successful intrusion.
bash
# Example: block inbound VC6 attachments via Exchange transport rule (PowerShell)
New-TransportRule -Name "Quarantine VC6 attachments" `
  -AttachmentExtensionMatchesWords "vc6" `
  -SetSCL 9 `
  -Quarantine $true

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.