CVE-2025-8003 Overview
CVE-2025-8003 is an out-of-bounds read vulnerability [CWE-125] in Ashlar-Vellum Cobalt, a 3D modeling and CAD application. The flaw exists in the parsing logic for CO files and allows remote attackers to execute arbitrary code on affected installations. Exploitation requires user interaction: the target must open a crafted CO file or visit a page that delivers one. The issue was reported through the Trend Micro Zero Day Initiative as ZDI-CAN-26235 and disclosed as advisory ZDI-25-720.
Critical Impact
Successful exploitation grants arbitrary code execution in the context of the current user process, enabling attackers to install programs, modify data, or pivot within the environment.
Affected Products
- Ashlar-Vellum Cobalt (all versions per CPE cpe:2.3:a:ashlar:cobalt:-:*:*:*:*:*:*:*)
- CAD workflows that open untrusted CO files
- Windows workstations running vulnerable Cobalt installations
Discovery Timeline
- 2025-09-17 - CVE-2025-8003 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-8003
Vulnerability Analysis
The vulnerability resides in the CO file parser within Ashlar-Vellum Cobalt. When the application processes a malformed CO file, it fails to properly validate user-supplied length or offset values before performing a read operation. The parser then reads past the end of an allocated buffer, exposing adjacent memory contents to attacker-controlled logic.
Because the out-of-bounds read influences subsequent control flow within the parser, an attacker can shape the file structure so that leaked pointers, virtual table entries, or object metadata are consumed as valid data. This creates a path from information disclosure to arbitrary code execution in the process context. The advisory from the Zero Day Initiative confirms remote code execution as the outcome; see the ZDI-25-720 advisory for additional detail.
Root Cause
The root cause is missing bounds validation on fields read from the CO file format. The parser trusts attacker-controlled size or index values and dereferences memory outside the intended allocation, matching the CWE-125 pattern.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a weaponized CO file through email, a download link, a shared design repository, or a drive-by page. When a Cobalt user opens the file, the parser triggers the out-of-bounds read and the crafted payload executes code with the privileges of the running user.
No verified public proof-of-concept exploit is available. The vulnerability mechanism is described in prose because no sanitized exploit code has been released by the reporting party.
Detection Methods for CVE-2025-8003
Indicators of Compromise
- Unexpected Cobalt.exe child processes such as cmd.exe, powershell.exe, or rundll32.exe following a CO file open event
- CO files arriving from external email senders or untrusted file-sharing services
- Cobalt process crashes accompanied by access violation events referencing the file parser
Detection Strategies
- Hunt for endpoint telemetry that shows Cobalt spawning shell, scripting, or LOLBin processes shortly after a document open.
- Alert on writes to CO files in user download directories followed by process execution from the same user context.
- Correlate application crash reports for Cobalt with subsequent outbound network connections from the same host.
Monitoring Recommendations
- Enable command-line and process-tree logging on workstations that run CAD software.
- Monitor for Ashlar-Vellum Cobalt application error events in the Windows Application log.
- Track file provenance for CO files entering the environment through mail gateways and web proxies.
How to Mitigate CVE-2025-8003
Immediate Actions Required
- Restrict opening of CO files to those originating from trusted, verified sources.
- Isolate hosts running Ashlar-Vellum Cobalt from unnecessary internet exposure and untrusted file shares.
- Instruct CAD users to validate the sender and provenance of any received CO file before opening.
Patch Information
No vendor patch reference is listed in the NVD entry at the time of publication. Review the Zero Day Initiative advisory ZDI-25-720 and the Ashlar-Vellum support channels for the latest fixed build information before deploying updates.
Workarounds
- Block inbound CO file attachments at mail gateways until a fixed version is deployed.
- Apply application allowlisting to prevent Cobalt from launching interpreters or shell binaries.
- Run Cobalt under a standard user account to limit the impact of code execution within the process context.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

