Skip to main content
CVE Vulnerability Database

CVE-2025-7991: Ashlar Cobalt RCE Vulnerability

CVE-2025-7991 is a remote code execution vulnerability in Ashlar-Vellum Cobalt caused by improper VC6 file parsing. Attackers can exploit this flaw to execute arbitrary code. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-7991 Overview

CVE-2025-7991 is an out-of-bounds read vulnerability [CWE-125] in Ashlar-Vellum Cobalt that allows remote attackers to execute arbitrary code on affected installations. The flaw resides in the parser for VC6 files and stems from missing validation of user-supplied data. Successful exploitation requires user interaction, where the target must open a malicious file or visit a malicious page that delivers one. An attacker can leverage the read past the end of an allocated buffer to execute code in the context of the current process. The issue was reported through the Zero Day Initiative as ZDI-CAN-25945 and disclosed publicly as ZDI-25-643.

Critical Impact

Successful exploitation yields arbitrary code execution in the context of the Cobalt process, enabling full compromise of the affected workstation.

Affected Products

  • Ashlar-Vellum Cobalt (all versions covered by CPE cpe:2.3:a:ashlar:cobalt:-:*:*:*:*:*:*:*)
  • Cobalt installations that process VC6 files
  • Windows endpoints running CAD/modeling workflows using Cobalt

Discovery Timeline

  • 2025-09-17 - CVE-2025-7991 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7991

Vulnerability Analysis

The vulnerability exists within Cobalt's handling of VC6 files. When the application parses a crafted file, it reads beyond the bounds of an allocated data structure because the parser does not validate length or offset fields supplied by the file. The out-of-bounds read can disclose adjacent memory and, more importantly, allows an attacker to influence subsequent control-flow decisions inside the process. By chaining the read primitive with manipulated object state, an attacker can pivot to arbitrary code execution in the user context running Cobalt.

The attack vector is local and requires user interaction, but delivery is trivial through email attachments, shared drives, or web downloads, since VC6 files are a routine exchange format among CAD users.

Root Cause

The root cause is improper input validation [CWE-125] in the VC6 file parser. Length, count, or offset fields embedded in the file are trusted without bounds checks against the allocated buffer. When the parser dereferences these values, it reads memory outside the intended structure, producing undefined behavior that an attacker can shape into a code execution primitive.

Attack Vector

Exploitation proceeds in three steps. First, the attacker crafts a malicious VC6 file with corrupted size or offset metadata. Second, the file is delivered to the victim through phishing, a watering-hole download, or a removable medium. Third, the victim opens the file in Ashlar-Vellum Cobalt, at which point the malformed parsing path is triggered and the attacker-controlled payload executes with the privileges of the current user. No network access to the target is required, and no authentication is needed against Cobalt itself.

No public proof-of-concept exploit code is currently available. For verified technical details, see the Zero Day Initiative Advisory ZDI-25-643.

Detection Methods for CVE-2025-7991

Indicators of Compromise

  • Unexpected child processes (for example cmd.exe, powershell.exe, or script interpreters) spawned by the Cobalt executable shortly after a VC6 file is opened.
  • Crash artifacts or Windows Error Reporting entries referencing the Cobalt process and an access violation on a read operation.
  • Inbound VC6 files arriving from untrusted senders, especially when paired with social-engineering lures asking the recipient to open the design file.

Detection Strategies

  • Hunt for process-creation events where the parent image is the Cobalt binary and the child is a living-off-the-land binary or shell.
  • Inspect file-open telemetry for .vc6 files originating from internet-zone or email-attachment locations and correlate with subsequent process or network activity.
  • Apply YARA or content-inspection rules on email gateways to flag malformed VC6 files with anomalous header lengths or offset fields.

Monitoring Recommendations

  • Enable EDR module-load and process-tree logging on workstations running Cobalt to capture the full execution chain following file open.
  • Forward Cobalt application crash events from Windows Event Log to a central SIEM and alert on repeated faults in the parsing module.
  • Monitor outbound network connections from the Cobalt process, which should not normally initiate external traffic.

How to Mitigate CVE-2025-7991

Immediate Actions Required

  • Restrict opening of VC6 files to those originating from trusted, verified sources, and block the extension at email and web gateways for untrusted senders.
  • Run Cobalt under a least-privileged user account so that exploitation does not yield administrative access to the host.
  • Educate CAD users about the risk of opening unsolicited design files and require out-of-band confirmation for externally received models.

Patch Information

No vendor patch URL is listed in the NVD record at the time of writing. Administrators should monitor Ashlar-Vellum communications and the Zero Day Initiative Advisory ZDI-25-643 for fixed-version availability and apply updates immediately once released.

Workarounds

  • Disable or uninstall Cobalt on endpoints that do not require it until a patched build is deployed.
  • Use application-control policies (for example Windows Defender Application Control or AppLocker) to constrain which child processes Cobalt can spawn.
  • Open untrusted VC6 files only inside an isolated virtual machine or sandbox that has no access to corporate resources or credentials.
bash
# Example AppLocker-style restriction blocking Cobalt from spawning shells
New-AppLockerPolicy -RuleType Path \
  -User "Everyone" \
  -Action Deny \
  -Path "%SYSTEM32%\cmd.exe","%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe" \
  -Condition "ParentProcess=Cobalt.exe"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.