Skip to main content
CVE Vulnerability Database

CVE-2025-7993: Ashlar Cobalt LI File Parsing RCE Flaw

CVE-2025-7993 is a use-after-free remote code execution vulnerability in Ashlar Cobalt's LI file parser that enables attackers to run arbitrary code. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7993 Overview

CVE-2025-7993 is a use-after-free vulnerability in Ashlar-Vellum Cobalt, a computer-aided design (CAD) application. The flaw resides in the parser responsible for handling LI files. Attackers can leverage the issue to execute arbitrary code in the context of the current process. Exploitation requires user interaction, meaning a target must open a crafted LI file or visit a page that delivers one. The vulnerability was reported through the Trend Micro Zero Day Initiative and tracked as ZDI-CAN-25355. It is classified under [CWE-416] Use After Free.

Critical Impact

Successful exploitation allows arbitrary code execution with the privileges of the user running Ashlar-Vellum Cobalt, enabling full compromise of the affected workstation.

Affected Products

  • Ashlar-Vellum Cobalt
  • Ashlar-Vellum Cobalt version 12.0.1204.91
  • CAD workstations processing untrusted LI files

Discovery Timeline

  • 2025-09-17 - CVE-2025-7993 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in the NVD database

Technical Details for CVE-2025-7993

Vulnerability Analysis

The vulnerability exists in the LI file parsing routines within Ashlar-Vellum Cobalt. Parsing logic performs operations on an object without first validating that the object still exists. When the parser dereferences the freed or missing object, memory corruption occurs. An attacker who controls the layout of the freed memory region can steer execution flow to attacker-supplied data. This produces arbitrary code execution in the context of the process opening the file.

The issue is categorized as [CWE-416] Use After Free. Exploitation requires the victim to open a malicious LI file or navigate to a page that supplies one. The attack executes locally against the user running Cobalt and does not require prior authentication.

Root Cause

The parser fails to validate object lifetime before performing operations on that object. Once the referenced object has been freed or was never properly instantiated, subsequent method calls or member accesses operate on stale or attacker-controlled memory. This lifecycle gap between object release and object use is the primary defect.

Attack Vector

An attacker crafts a malicious LI file and delivers it through email, a download link, or a compromised website. When the victim opens the file in Cobalt, the parser triggers the use-after-free condition. Code executes with the privileges of the current user. See the Zero Day Initiative Advisory ZDI-25-726 for additional technical context.

// No verified public proof-of-concept code is available for CVE-2025-7993.
// Refer to ZDI-25-726 for coordinated disclosure details.

Detection Methods for CVE-2025-7993

Indicators of Compromise

  • Unexpected LI files arriving through email attachments, chat platforms, or drive-by downloads targeting engineering users.
  • Ashlar-Vellum Cobalt process (Cobalt.exe) spawning child processes such as cmd.exe, powershell.exe, or script interpreters.
  • Crashes or abnormal termination of Cobalt shortly after opening an LI file, indicating failed exploitation attempts.

Detection Strategies

  • Monitor endpoint telemetry for Cobalt process anomalies, including memory access violations and unexpected module loads.
  • Alert on Cobalt writing executable content to disk or modifying autorun locations in the registry or startup folders.
  • Inspect LI files at the email and web gateway to identify malformed or oversized structures inconsistent with legitimate CAD content.

Monitoring Recommendations

  • Enable command-line and process-lineage logging on CAD workstations to capture child process activity from Cobalt.
  • Forward endpoint and file-open telemetry to a centralized data lake for correlation with known LI file hashes and delivery infrastructure.
  • Track outbound network connections originating from Cobalt.exe, which should rarely initiate external traffic during normal use.

How to Mitigate CVE-2025-7993

Immediate Actions Required

  • Restrict opening of LI files to trusted sources only and block untrusted LI attachments at the mail gateway.
  • Apply the principle of least privilege on CAD workstations so that Cobalt does not run with administrative rights.
  • Educate design and engineering staff about the risk of opening unsolicited CAD files.

Patch Information

As of the last NVD update, no vendor patch reference is listed in the enriched data for CVE-2025-7993. Consult the Zero Day Initiative Advisory ZDI-25-726 and Ashlar-Vellum vendor communications for the latest fixed version of Cobalt beyond 12.0.1204.91.

Workarounds

  • Disable file associations that automatically open LI files with Cobalt until a patched build is deployed.
  • Open untrusted LI files only inside an isolated virtual machine or sandbox that lacks access to sensitive network resources.
  • Enforce application allowlisting to prevent Cobalt from launching unauthorized child processes or scripting hosts.
bash
# Example: block LI file attachments at a Postfix mail gateway
# /etc/postfix/mime_header_checks
/name=[^"]*\.li"?/  REJECT LI attachments are blocked pending CVE-2025-7993 remediation

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.