CVE-2025-8004 Overview
CVE-2025-8004 is an out-of-bounds read vulnerability [CWE-125] in Ashlar-Vellum Cobalt that enables arbitrary code execution when a user opens a crafted XE file. The flaw resides in the application's XE file parser, which fails to properly validate user-supplied data before reading from an allocated buffer. Attackers can deliver a malicious file via email, web download, or shared storage and trick the user into opening it. Successful exploitation runs code in the context of the current user process. The Zero Day Initiative tracks this issue as ZDI-CAN-26236 and published advisory ZDI-25-723.
Critical Impact
A single malicious XE file opened by an engineer or designer can grant an attacker code execution on the workstation, compromising CAD assets and providing a foothold into design environments.
Affected Products
- Ashlar-Vellum Cobalt (CPE: cpe:2.3:a:ashlar:cobalt:-:*:*:*:*:*:*:*)
- Cobalt XE file format parser component
- Workstations running vulnerable Cobalt installations on local user contexts
Discovery Timeline
- 2025-09-17 - CVE-2025-8004 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-8004
Vulnerability Analysis
The vulnerability exists in the XE file format parsing logic within Ashlar-Vellum Cobalt. When the application processes an attacker-controlled XE file, it reads beyond the bounds of an allocated data structure. This out-of-bounds read [CWE-125] exposes adjacent memory contents and can be chained with additional primitives to achieve arbitrary code execution. The attack requires local access in the sense that the malicious file must be opened by the user, but delivery can occur through any channel that places the file on the target system.
Root Cause
The root cause is missing or insufficient validation of length and offset fields embedded in the XE file structure. The parser trusts attacker-controlled size indicators when iterating across in-memory buffers. Because the read crosses the boundary of an allocated structure, the process may access uninitialized or unrelated memory, which an attacker can shape to influence control flow.
Attack Vector
Exploitation requires user interaction. An attacker crafts a malicious XE file and delivers it through phishing, a watering-hole website, or a shared project repository. When the engineer opens the file in Cobalt, the parser triggers the out-of-bounds read. The attacker can leverage memory disclosure together with predictable layout patterns to execute code in the context of the current user. No special privileges are required from the attacker prior to file delivery.
No public proof-of-concept code has been released. Technical details are described in the Zero Day Initiative Advisory ZDI-25-723.
Detection Methods for CVE-2025-8004
Indicators of Compromise
- Unexpected XE files arriving via email attachments, instant messaging, or unsanctioned file-sharing services targeting CAD users
- Crashes or abnormal terminations of the Cobalt process correlated with the opening of an unfamiliar XE file
- Cobalt spawning child processes such as cmd.exe, powershell.exe, or scripting engines that are not part of normal CAD workflows
- Outbound network connections initiated by the Cobalt process to non-vendor infrastructure shortly after a file open event
Detection Strategies
- Monitor process creation events where Cobalt is the parent of shells, scripting hosts, or living-off-the-land binaries
- Inspect file-write events that place XE files into user download, temp, or shared project directories from untrusted sources
- Correlate Cobalt application crashes with subsequent suspicious process or persistence activity on the same host
- Apply YARA or content rules on email gateways and file shares to flag XE attachments originating outside trusted partners
Monitoring Recommendations
- Enable command-line and parent-child process logging on workstations running Cobalt and forward telemetry to a centralized analytics platform
- Track unusual user-mode memory access violations and watch for repeated faults in the Cobalt parser modules
- Audit shared drives and CAD asset repositories for newly introduced XE files from unknown contributors
- Alert on Cobalt processes initiating outbound HTTPS, DNS over HTTPS, or SMB connections to unexpected destinations
How to Mitigate CVE-2025-8004
Immediate Actions Required
- Inventory all workstations running Ashlar-Vellum Cobalt and identify which users handle externally sourced XE files
- Instruct designers and engineers to refuse XE files received from unverified sources until a patch is applied
- Restrict file associations so XE files do not auto-open from email clients or web browsers
- Apply application allowlisting to prevent Cobalt from launching shells or scripting interpreters as child processes
Patch Information
No vendor advisory or patch URL is referenced in the available CVE data. Administrators should consult Ashlar-Vellum directly and monitor the Zero Day Initiative Advisory ZDI-25-723 for updates on a fixed release.
Workarounds
- Open untrusted XE files only inside a sandboxed virtual machine that is isolated from production networks
- Block inbound XE attachments at the mail gateway and quarantine files for analyst review before delivery
- Run Cobalt under a standard user account with no administrative rights to limit post-exploitation impact
- Enable operating system exploit mitigations such as Data Execution Prevention and Address Space Layout Randomization for the Cobalt process
# Configuration example: block XE attachments at the gateway and audit local files
# Example Exchange transport rule (PowerShell)
New-TransportRule -Name "Block-XE-Attachments" \
-AttachmentExtensionMatchesWords "xe" \
-RejectMessageReasonText "XE attachments are blocked pending Cobalt patch (CVE-2025-8004)."
# Audit local XE files on Windows workstations
Get-ChildItem -Path C:\Users -Recurse -Include *.xe -ErrorAction SilentlyContinue |
Select-Object FullName, LastWriteTime, Length
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

