CVE-2025-7992 Overview
CVE-2025-7992 is an out-of-bounds read vulnerability in Ashlar-Vellum Cobalt, a computer-aided design (CAD) application. The flaw resides in the parsing logic for AR files and stems from insufficient validation of user-supplied data. Attackers can exploit this issue to execute arbitrary code in the context of the current process.
Exploitation requires user interaction. A target must open a malicious AR file or visit a malicious page that delivers one. The vulnerability is tracked as ZDI-CAN-25972 by the Zero Day Initiative and maps to [CWE-125] (Out-of-Bounds Read).
Critical Impact
Successful exploitation allows arbitrary code execution under the privileges of the Cobalt user, enabling full compromise of the affected workstation.
Affected Products
- Ashlar-Vellum Cobalt (all versions per CPE cpe:2.3:a:ashlar:cobalt:-:*:*:*:*:*:*:*)
- Workstations processing untrusted AR files
- CAD environments where Cobalt is the default AR file handler
Discovery Timeline
- 2025-09-17 - CVE-2025-7992 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7992
Vulnerability Analysis
The vulnerability exists in the AR file parser within Ashlar-Vellum Cobalt. When Cobalt processes a crafted AR file, the parser fails to validate length or boundary fields supplied in the file. The result is a read past the end of an allocated buffer.
Out-of-bounds reads in file format parsers frequently leak adjacent memory contents. In this case, the issue can be chained with controlled memory layout to influence program flow and achieve code execution. The attacker operates within the security context of the user running Cobalt.
The issue is local in attack vector because the malicious AR file must be opened on the target system. Delivery typically occurs through phishing, drive-by download, or shared CAD project files. No authentication is required by the attacker, but user interaction is mandatory.
Root Cause
The root cause is missing bounds checking on attacker-controlled offsets or size fields within the AR file structure. The parser trusts values embedded in the file when computing read positions. Without sanity checks against the allocated buffer size, the parser dereferences memory outside the intended object.
Attack Vector
An attacker crafts a malicious AR file containing manipulated header or chunk fields. The file is delivered to a victim through email attachments, malicious websites, or compromised CAD asset repositories. When the victim opens the file in Cobalt, the parser triggers the out-of-bounds read and the embedded exploit payload executes code in the Cobalt process.
The vulnerability manifests during AR file parsing before any user-visible rendering completes. See the Zero Day Initiative Advisory ZDI-25-642 for additional technical context.
Detection Methods for CVE-2025-7992
Indicators of Compromise
- Unexpected Cobalt.exe child processes such as command shells, PowerShell, or scripting hosts
- AR files arriving from untrusted email senders or external file shares
- Cobalt process crashes followed by anomalous network connections
- Creation of executable files or scheduled tasks immediately after a Cobalt session
Detection Strategies
- Monitor for process lineage anomalies where Cobalt.exe spawns interpreters or LOLBins
- Flag AR files originating from email, browsers, or removable media using file provenance metadata
- Alert on memory access violations or crash dumps generated by the Cobalt process
- Correlate Cobalt execution with subsequent persistence or credential access activity
Monitoring Recommendations
- Enable command-line and process creation logging on workstations with Cobalt installed
- Capture endpoint telemetry for file writes to startup, Run keys, and scheduled task paths after CAD application use
- Review web and email gateway logs for AR file deliveries to engineering and design users
How to Mitigate CVE-2025-7992
Immediate Actions Required
- Restrict opening of AR files received from external or untrusted sources until a vendor patch is applied
- Apply application allowlisting to constrain processes that Cobalt.exe may spawn
- Educate CAD users about the risk of opening AR files from email, chat, and unverified repositories
- Run Cobalt under standard user accounts rather than privileged accounts to limit blast radius
Patch Information
At the time of NVD publication, no vendor patch URL is listed in the NVD advisory. Review the Zero Day Initiative Advisory ZDI-25-642 and the Ashlar-Vellum support channels for updated build availability. Apply the fixed version of Cobalt as soon as the vendor publishes it.
Workarounds
- Block inbound AR file attachments at email and web gateways for users who do not require them
- Use file integrity and provenance checks to quarantine AR files from external sources
- Open suspect AR files only within isolated sandbox virtual machines disconnected from production networks
# Configuration example: block AR file extension at the mail gateway
# (Postfix header_checks example)
/^Content-(Disposition|Type).*name\s*=\s*"?[^"]+\.ar"?/ REJECT AR attachments are not permitted
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

