Skip to main content
CVE Vulnerability Database

CVE-2025-7994: Ashlar Cobalt AR File Parsing RCE Flaw

CVE-2025-7994 is a remote code execution vulnerability in Ashlar-Vellum Cobalt caused by improper AR file parsing. Attackers can exploit this flaw to execute arbitrary code. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-7994 Overview

CVE-2025-7994 is an out-of-bounds read vulnerability [CWE-125] in Ashlar-Vellum Cobalt, a computer-aided design (CAD) application. The flaw resides in the parser responsible for handling AR files. Attackers can leverage the issue to execute arbitrary code in the context of the current process. Exploitation requires user interaction: the target must open a malicious AR file or visit a malicious page that delivers one. The vulnerability was reported through the Trend Micro Zero Day Initiative as ZDI-CAN-25976 and tracked publicly as advisory ZDI-25-714.

Critical Impact

Successful exploitation allows arbitrary code execution with the privileges of the user running Ashlar-Vellum Cobalt, enabling attacker control of the workstation through a crafted CAD file.

Affected Products

  • Ashlar-Vellum Cobalt (all versions per vendor advisory scope)
  • CPE: cpe:2.3:a:ashlar:cobalt:-:*:*:*:*:*:*:*
  • Component: ashlar:cobalt

Discovery Timeline

  • 2025-09-17 - CVE-2025-7994 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7994

Vulnerability Analysis

The vulnerability is an out-of-bounds read [CWE-125] triggered during the parsing of AR files inside Ashlar-Vellum Cobalt. The parser reads past the end of an allocated data structure because user-supplied values inside the file are not validated against the actual size of the underlying buffer. When the parser dereferences memory outside the intended bounds, an attacker who controls the file contents can influence subsequent program state and ultimately divert execution flow. The result is arbitrary code execution within the process running Cobalt.

Root Cause

The root cause is missing validation of length, offset, or count fields embedded in AR file structures. The parser trusts file-supplied metadata when computing read positions inside an allocated buffer. With no bounds check, the read can extend beyond the structure into adjacent memory, leaking sensitive heap content or corrupting program state that an attacker can use to gain control of execution.

Attack Vector

Exploitation is local and user-assisted. An attacker delivers a crafted AR file through email, a download link, or a website that the victim opens with Ashlar-Vellum Cobalt. No authentication is required. Code execution occurs in the context of the user account that opened the file. CAD workstations commonly run with elevated privileges and access to sensitive design assets, making this a viable initial access or lateral movement vector against engineering environments.

No public proof-of-concept exploit code is available. Technical details are documented in the Zero Day Initiative Advisory ZDI-25-714.

Detection Methods for CVE-2025-7994

Indicators of Compromise

  • Unexpected AR files received via email, chat, or download outside of approved CAD project workflows.
  • Crashes or abnormal termination of Cobalt.exe shortly after opening a file from an external source.
  • Child processes spawned by Cobalt.exe such as cmd.exe, powershell.exe, or scripting hosts.
  • Outbound network connections originating from the Cobalt process to non-vendor infrastructure.

Detection Strategies

  • Hunt for process lineage where the Cobalt CAD executable spawns command interpreters, scripting engines, or LOLBins.
  • Alert on file write events placing executables, DLLs, or scheduled task artifacts under user-writable directories immediately after a CAD file open.
  • Monitor Windows Error Reporting and crash dumps for repeated faults in the Cobalt AR parser, which may indicate exploitation attempts or fuzzing.

Monitoring Recommendations

  • Forward endpoint telemetry from engineering workstations into a centralized SIEM or data lake for correlation with email and web proxy events that delivered the source file.
  • Track creation and execution of .ar files across user download directories, mail attachment caches, and removable media.
  • Maintain integrity baselines for Ashlar-Vellum Cobalt installation directories and alert on unauthorized modification.

How to Mitigate CVE-2025-7994

Immediate Actions Required

  • Restrict opening AR files to those received through trusted, verified CAD project channels.
  • Apply the latest update from Ashlar-Vellum once available and inventory all Cobalt installations across engineering systems.
  • Enforce least privilege on CAD workstations so that user accounts running Cobalt do not hold local administrator rights.
  • Educate engineering staff on the risk of opening unsolicited CAD files, mirroring controls used for Office macro phishing.

Patch Information

Ashlar-Vellum has not published a dedicated vendor advisory link in the NVD record at the time of disclosure. Refer to the Zero Day Initiative Advisory ZDI-25-714 for coordinated disclosure status and contact Ashlar-Vellum support to confirm fixed builds for your licensed version of Cobalt.

Workarounds

  • Block inbound AR file attachments at the email gateway until a patched Cobalt build is deployed.
  • Open untrusted CAD files only inside isolated virtual machines or sandboxed environments without access to production resources.
  • Apply application allowlisting to prevent the Cobalt process from spawning command interpreters or scripting hosts.
  • Enable exploit mitigations such as Windows Defender Exploit Guard with attack surface reduction rules targeting Office-style child process abuse, adapted for CAD applications.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.