CVE-2025-7995 Overview
CVE-2025-7995 is a type confusion vulnerability [CWE-843] in Ashlar-Vellum Cobalt, a 3D modeling and computer-aided design (CAD) application. The flaw exists in the parser that processes CO files and stems from inadequate validation of user-supplied data. An attacker who convinces a user to open a crafted CO file or visit a malicious page hosting one can execute arbitrary code in the context of the current process. The issue was reported through Trend Micro's Zero Day Initiative as ZDI-CAN-25981 and disclosed in advisory ZDI-25-717.
Critical Impact
Successful exploitation grants arbitrary code execution with the privileges of the user running Ashlar-Vellum Cobalt, enabling full compromise of the local user context.
Affected Products
- Ashlar-Vellum Cobalt (all versions covered by CPE cpe:2.3:a:ashlar:cobalt:-:*:*:*:*:*:*:*)
- Workstations used for CAD design and 3D modeling running Cobalt
- Engineering and manufacturing environments processing third-party CO files
Discovery Timeline
- 2025-09-17 - CVE-2025-7995 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7995
Vulnerability Analysis
The vulnerability resides in the routine that parses Ashlar-Vellum Cobalt CO files. The parser interprets fields from the file without verifying that the embedded type identifiers correspond to the underlying object layout. When a crafted CO file supplies a mismatched type, the application operates on the data as if it were a different object type, producing a classic type confusion condition.
Because Cobalt accesses object members and virtual function pointers based on the declared type, the attacker controls how memory is dereferenced and which code path executes. This yields a primitive that an attacker can chain into arbitrary code execution in the user-mode process. Exploitation requires the victim to open the malicious file or browse to a page that triggers the file handler, satisfying the user interaction requirement noted in the CVSS vector.
The EPSS model currently places exploitation probability at 0.189%. No public proof-of-concept or in-the-wild exploitation has been reported, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The parser fails to validate user-supplied data before using it to determine object types. With no type check between the declared and actual structures, the application reinterprets attacker-controlled bytes as trusted object metadata, including function pointers and size fields.
Attack Vector
The attack vector is local and user-assisted. An attacker delivers a malicious CO file through email, file shares, supply-chain channels, or a web page that invokes Cobalt's file association. When the user opens the file, the type confusion fires inside the parser and the attacker's payload executes with the user's privileges. See the Zero Day Initiative Advisory ZDI-25-717 for additional technical context.
Detection Methods for CVE-2025-7995
Indicators of Compromise
- Unexpected child processes spawned by the Cobalt executable shortly after a CO file is opened
- CO files arriving from untrusted email senders, web downloads, or removable media
- Crash dumps or Windows Error Reporting events referencing access violations inside Cobalt parsing modules
- Outbound network connections initiated by the Cobalt process to unfamiliar destinations
Detection Strategies
- Hunt for process lineage where Cobalt launches cmd.exe, powershell.exe, rundll32.exe, or other living-off-the-land binaries
- Alert on memory protection changes or remote thread creation inside the Cobalt process
- Inspect mail and web gateways for CO file attachments from external senders and quarantine for review
- Correlate file-open telemetry with subsequent script interpreter or LOLBin execution within a short time window
Monitoring Recommendations
- Enable command-line and process-creation logging (Windows Event ID 4688, Sysmon Event ID 1) on engineering workstations
- Forward endpoint telemetry to a centralized analytics platform for cross-host correlation of Cobalt-originated activity
- Track file-write events under user profile paths immediately following CO file access
- Review crash telemetry from Cobalt for repeated parser faults that may indicate exploitation attempts
How to Mitigate CVE-2025-7995
Immediate Actions Required
- Treat all externally sourced CO files as untrusted and route them through a sandbox or isolated review environment
- Restrict the file associations for Cobalt to prevent automatic opening from browsers and mail clients
- Apply least-privilege principles so Cobalt users do not operate with administrative rights
- Communicate to CAD users that opening unsolicited CO files is a phishing risk equivalent to opening macro-enabled documents
Patch Information
No vendor patch reference is listed in the NVD record at this time. Monitor the Zero Day Initiative Advisory ZDI-25-717 and the Ashlar-Vellum vendor channels for an updated Cobalt build that addresses the type confusion in the CO file parser, and deploy it as soon as it becomes available.
Workarounds
- Block delivery of CO file attachments at the email gateway until a fix is deployed
- Use application allowlisting to prevent Cobalt from launching scripting hosts or shells as child processes
- Open untrusted CAD files only inside a virtualized or sandboxed workstation that is isolated from production data
- Enable Windows Defender Exploit Guard or equivalent controls to enforce attack surface reduction rules on engineering endpoints
# Example: block CO attachments at an Exchange transport rule (PowerShell)
New-TransportRule -Name "Block-Cobalt-CO-Attachments" \
-AttachmentExtensionMatchesWords "co" \
-RejectMessageReasonText "CO files blocked pending CVE-2025-7995 mitigation"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

