CVE-2025-8002 Overview
CVE-2025-8002 is a type confusion vulnerability [CWE-843] in Ashlar-Vellum Cobalt, a 3D modeling and computer-aided design (CAD) application. The flaw exists in the parser that handles CO files and stems from missing validation of user-supplied data. Attackers who convince a user to open a crafted CO file or visit a malicious page can trigger code execution in the context of the running Cobalt process. The issue was reported through the Zero Day Initiative as ZDI-CAN-26233 and disclosed in advisory ZDI-25-724.
Critical Impact
Successful exploitation yields arbitrary code execution with the privileges of the user running Cobalt, enabling full compromise of the local user context.
Affected Products
- Ashlar-Vellum Cobalt (all versions covered by CPE cpe:2.3:a:ashlar:cobalt:-:*:*:*:*:*:*:*)
- Cobalt installations on Windows desktops used for CAD workflows
- Engineering workstations that process third-party CO files
Discovery Timeline
- 2025-09-17 - CVE-2025-8002 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-8002
Vulnerability Analysis
The vulnerability resides in the code path that parses CO files within Ashlar-Vellum Cobalt. Cobalt reads object metadata from the file and interprets fields without confirming that the type recorded on disk matches the type expected by the consuming routine. When a crafted CO file declares one structure but supplies bytes shaped for another, Cobalt operates on the data using the wrong type. This type confusion lets an attacker control object pointers, virtual function tables, or sizing fields used in later operations.
Because the confused object is dereferenced and acted upon during normal file load, the attacker steers execution flow without needing memory corruption primitives outside of the parser. The result is arbitrary code execution inside the Cobalt process. The bug requires user interaction, which limits drive-by exploitation but aligns with realistic phishing scenarios where engineering staff routinely open vendor or customer drawings.
Root Cause
The root cause is missing type validation on attacker-controlled fields inside the CO file format. The parser trusts the declared object type and casts memory accordingly. Mismatched types produce a confused interpretation that the attacker shapes through file contents.
Attack Vector
Exploitation is local and requires user interaction. The attacker delivers a malicious CO file by email, shared drive, supplier portal, or a web page that instructs the user to open the file in Cobalt. Once opened, the parser processes the embedded objects and execution transfers to attacker-controlled logic running with the privileges of the user account.
No public proof-of-concept code is available. Technical details are described in the Zero Day Initiative advisory referenced below; this article does not reproduce exploitation code. See the Zero Day Initiative Advisory ZDI-25-724 for additional context.
Detection Methods for CVE-2025-8002
Indicators of Compromise
- Unexpected child processes spawned by the Cobalt executable shortly after opening a CO file
- CO files arriving from external senders or untrusted file shares, especially with abnormal sizes or non-standard internal structures
- Crash reports or Windows Error Reporting entries referencing the Cobalt parser modules
- Outbound network connections from the Cobalt process to unfamiliar hosts after document open
Detection Strategies
- Monitor process lineage for Cobalt spawning interpreters such as cmd.exe, powershell.exe, wscript.exe, or rundll32.exe
- Apply EDR rules that flag memory protection changes or shellcode-style allocations within the Cobalt process
- Inspect file open telemetry for .co files originating outside the organization or executed from temporary directories
Monitoring Recommendations
- Forward Cobalt process, file, and network telemetry to a centralized analytics platform for correlation
- Alert on Cobalt loading unsigned DLLs or accessing credential stores and LSASS
- Track user accounts that repeatedly open externally sourced CAD files and prioritize them for awareness training
How to Mitigate CVE-2025-8002
Immediate Actions Required
- Restrict opening of CO files to those originating from trusted internal sources until a vendor patch is applied
- Apply application allowlisting so that Cobalt cannot launch shells, scripting hosts, or unsigned binaries
- Run Cobalt under standard user accounts rather than local administrator accounts to limit blast radius
- Educate CAD and engineering teams on the risk of opening unsolicited drawing files
Patch Information
No vendor advisory URL is listed in the NVD entry at the time of writing. Consult Ashlar-Vellum directly and the Zero Day Initiative Advisory ZDI-25-724 for fix availability and recommended upgrade versions. Deploy any released patch across all engineering workstations through standard software distribution channels.
Workarounds
- Block inbound CO file attachments at the email gateway and quarantine them for manual review
- Use file reputation and sandbox detonation for CAD file types before delivery to end users
- Segment engineering workstations from sensitive infrastructure so a compromised user context cannot reach domain controllers or source code systems
# Example: block .co attachments at an Exchange transport rule (PowerShell)
New-TransportRule -Name "Block-Ashlar-CO-Files" \
-AttachmentExtensionMatchesWords "co" \
-RejectMessageReasonText "CO files blocked pending CVE-2025-8002 remediation" \
-Mode Enforce
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

