Skip to main content
CVE Vulnerability Database

CVE-2025-7999: Ashlar Cobalt AR File Parsing RCE Flaw

CVE-2025-7999 is a type confusion remote code execution vulnerability in Ashlar-Vellum Cobalt's AR file parser that enables attackers to execute arbitrary code. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7999 Overview

CVE-2025-7999 is a type confusion vulnerability [CWE-843] in Ashlar-Vellum Cobalt that allows attackers to execute arbitrary code on affected installations. The flaw resides in the parser for AR files and stems from insufficient validation of user-supplied data. Exploitation requires user interaction, meaning a target must open a crafted file or visit a malicious page that delivers one. Successful exploitation grants code execution in the context of the current Cobalt process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26049 and published as ZDI-25-713.

Critical Impact

Attackers who convince a user to open a malicious AR file can execute arbitrary code with the privileges of the Cobalt process, leading to full compromise of the user account on the workstation.

Affected Products

  • Ashlar-Vellum Cobalt (CPE cpe:2.3:a:ashlar:cobalt:-:*:*:*:*:*:*:*)
  • Cobalt installations processing AR file format input
  • Engineering workstations running vulnerable Cobalt versions

Discovery Timeline

  • 2025-09-17 - CVE-2025-7999 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7999

Vulnerability Analysis

The vulnerability is a type confusion condition in the AR file parsing logic of Ashlar-Vellum Cobalt. Type confusion occurs when code allocates or accesses an object using one type but operates on it as if it were another, incompatible type. The Cobalt parser interprets attacker-controlled fields within an AR file without validating that the underlying object matches the expected type. As a result, function pointers, vtables, or memory offsets derived from the mistyped object can be controlled by the attacker. This allows arbitrary code execution within the Cobalt process.

The attack requires local user interaction, with the victim opening a malicious file or being redirected to content that triggers Cobalt to parse one. Authentication is not required.

Root Cause

The root cause is the lack of proper validation of user-supplied data during AR file parsing. Cobalt trusts type information embedded in the file rather than verifying it against the in-memory object representation. This trust boundary failure produces the type confusion condition described in CWE-843.

Attack Vector

An attacker crafts a malicious AR file containing manipulated type fields. The attacker delivers the file through phishing, a watering-hole page, or a file-sharing channel. When the victim opens the file in Cobalt, the parser instantiates the mistyped object and dereferences attacker-controlled memory, transferring execution to attacker-supplied code.

No verified proof-of-concept code is publicly available. Refer to the Zero Day Initiative Advisory ZDI-25-713 for additional technical context.

Detection Methods for CVE-2025-7999

Indicators of Compromise

  • Cobalt process (cobalt.exe) spawning unexpected child processes such as cmd.exe, powershell.exe, or scripting hosts shortly after opening an AR file.
  • Unexpected outbound network connections originating from the Cobalt process following file open events.
  • Crash dumps or Windows Error Reporting events referencing access violations within Cobalt AR parsing modules.

Detection Strategies

  • Monitor process lineage where Cobalt is the parent of interactive shells, LOLBins, or persistence-related binaries.
  • Alert on AR file writes to user directories from email clients, browsers, or messaging applications followed by Cobalt execution.
  • Use behavioral identification for memory protection changes (VirtualProtect, VirtualAlloc with RWX) inside the Cobalt process.

Monitoring Recommendations

  • Enable EDR telemetry on engineering and CAD workstations where Cobalt is installed.
  • Log file open events and command-line arguments for the Cobalt executable to support post-incident reconstruction.
  • Correlate user-driven file opens with subsequent process creation and network egress to surface exploitation attempts.

How to Mitigate CVE-2025-7999

Immediate Actions Required

  • Identify all hosts with Ashlar-Vellum Cobalt installed and inventory affected versions.
  • Instruct users not to open AR files received from untrusted sources or unsolicited messages.
  • Restrict execution of Cobalt to a least-privilege user context to limit the blast radius of code execution.

Patch Information

No vendor patch URL is listed in the NVD record at the time of writing. Consult the Zero Day Initiative Advisory ZDI-25-713 and Ashlar-Vellum vendor channels for updated builds addressing this issue.

Workarounds

  • Block inbound AR files at the email gateway and web proxy until a fixed version is deployed.
  • Apply application allowlisting to prevent Cobalt from launching child processes such as shells and script interpreters.
  • Isolate engineering workstations on dedicated network segments to limit lateral movement following a successful exploit.
bash
# Example: block AR file extension at a Windows file server using File Server Resource Manager
New-FsrmFileGroup -Name "BlockedCADContainers" -IncludePattern @("*.ar")
New-FsrmFileScreen -Path "D:\Shares\Engineering" -IncludeGroup "BlockedCADContainers" -Active $true

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.