Skip to main content
CVE Vulnerability Database

CVE-2025-7996: Ashlar Cobalt AR File RCE Vulnerability

CVE-2025-7996 is a remote code execution flaw in Ashlar Cobalt affecting AR file parsing. Attackers exploit an out-of-bounds write to run arbitrary code. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7996 Overview

CVE-2025-7996 is an out-of-bounds write vulnerability [CWE-787] in Ashlar-Vellum Cobalt, a 3D modeling and computer-aided design (CAD) application. The flaw resides in the parser that processes AR files. Attackers can exploit it to achieve arbitrary code execution in the context of the current user. Exploitation requires user interaction: the victim must open a crafted AR file or visit a page that delivers one. The Zero Day Initiative tracked the issue as ZDI-CAN-25982 and published advisory ZDI-25-716.

Critical Impact

Successful exploitation enables arbitrary code execution on the targeted workstation, allowing attackers to install malware, steal CAD intellectual property, or pivot into engineering networks.

Affected Products

  • Ashlar-Vellum Cobalt (all versions per vendor advisory scope)
  • CPE: cpe:2.3:a:ashlar:cobalt:-:*:*:*:*:*:*:*
  • Component: ashlar:cobalt

Discovery Timeline

  • 2025-09-17 - CVE-2025-7996 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7996

Vulnerability Analysis

The vulnerability exists in Cobalt's handler for AR file format records. The parser fails to validate the size of user-supplied data before copying it into a fixed-size allocation. This permits a write past the end of the destination buffer, corrupting adjacent heap or stack data structures. An attacker who controls the contents of an AR file controls the data written out of bounds.

Because Cobalt typically runs as an interactive desktop application, code execution occurs at the privilege level of the logged-in engineer or designer. Targeted CAD workstations frequently hold proprietary design data, making the host a high-value initial access point for industrial espionage.

Root Cause

The root cause is missing length and bounds validation on attacker-controlled fields parsed from an AR file. The application trusts size and offset values embedded in the file and uses them directly when populating an internal data structure. This pattern matches the classic out-of-bounds write weakness described by CWE-787.

Attack Vector

Exploitation is local and requires user interaction. An attacker delivers a malicious AR file through phishing email, a watering-hole download, a shared CAD project archive, or removable media. When the victim opens the file in Ashlar-Vellum Cobalt, the parser processes the malformed records and the out-of-bounds write executes attacker-supplied logic. Refer to the Zero Day Initiative Advisory ZDI-25-716 for additional technical context.

// No verified proof-of-concept code is publicly available.
// The vulnerability is triggered by a malformed AR file whose
// embedded size fields cause the Cobalt parser to write attacker-
// controlled bytes past the end of an allocated structure during
// record deserialization.

Detection Methods for CVE-2025-7996

Indicators of Compromise

  • Unexpected Cobalt.exe child processes such as cmd.exe, powershell.exe, or rundll32.exe spawned shortly after opening an AR file.
  • AR files arriving from external email, chat, or web downloads to engineering workstations outside normal project workflows.
  • Crash or Windows Error Reporting (WER) events for Cobalt referencing access violations during file open.

Detection Strategies

  • Hunt for Cobalt process trees where the parent is an Office application, browser, or archive utility, indicating an opened attachment.
  • Inspect endpoint telemetry for memory write violations or DEP/ASLR-related faults in the Cobalt process.
  • Flag AR file extensions delivered via email gateways and require sandbox detonation before delivery to CAD users.

Monitoring Recommendations

  • Enable command-line and process-creation auditing on engineering endpoints to capture children of Cobalt.exe.
  • Forward Windows Application and WER logs to a SIEM and alert on repeated Cobalt crashes within short time windows.
  • Monitor outbound network connections from CAD workstations to non-corporate destinations after AR file activity.

How to Mitigate CVE-2025-7996

Immediate Actions Required

  • Restrict opening AR files to those originating from trusted internal repositories and verified project partners.
  • Train CAD users to verify the source of any AR file before opening, especially attachments from external senders.
  • Apply application allowlisting so Cobalt cannot spawn shells, script interpreters, or download utilities.

Patch Information

No vendor patch URL is published in the NVD record at the time of writing. Consult the Zero Day Initiative Advisory ZDI-25-716 and the Ashlar-Vellum support channel for fixed-version availability. Apply the vendor update to all Cobalt installations as soon as it is released.

Workarounds

  • Disassociate the .ar file extension from Cobalt on systems where the format is not required, forcing manual review before opening.
  • Run Cobalt under a standard user account and enforce Windows exploit protections such as Control Flow Guard and ASLR for the process.
  • Open untrusted AR files only inside an isolated virtual machine without network access or sensitive data.
bash
# Example: block .ar email attachments at an Exchange transport rule
New-TransportRule -Name "Block-AR-Attachments" \
  -AttachmentExtensionMatchesWords "ar" \
  -RejectMessageReasonText "AR attachments are blocked pending CVE-2025-7996 remediation."

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.