CVE-2025-8005 Overview
CVE-2025-8005 is a type confusion vulnerability in Ashlar-Vellum Cobalt, a 3D modeling and computer-aided design application. The flaw exists in the parser that handles XE files. Attackers can exploit this issue to execute arbitrary code in the context of the current user. Exploitation requires the target to open a malicious XE file or visit a malicious page that delivers one. The vulnerability is tracked as ZDI-CAN-26237 and was disclosed through the Zero Day Initiative under advisory ZDI-25-722. The weakness is categorized as [CWE-843] Access of Resource Using Incompatible Type (Type Confusion).
Critical Impact
Successful exploitation grants arbitrary code execution in the context of the current process, with high impact to confidentiality, integrity, and availability.
Affected Products
- Ashlar-Vellum Cobalt (all versions matching cpe:2.3:a:ashlar:cobalt)
- Workstations running Ashlar-Vellum Cobalt that process untrusted XE files
- Engineering and design environments that exchange CAD files with external parties
Discovery Timeline
- 2025-09-17 - CVE-2025-8005 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-8005
Vulnerability Analysis
The vulnerability resides in the XE file parsing logic within Ashlar-Vellum Cobalt. The parser fails to properly validate user-supplied data before interpreting it as a specific object type. When the parser operates on a crafted XE file, it treats a memory region as a type incompatible with the actual data layout. This mismatch leads to corrupted object state and ultimately arbitrary code execution within the process. The attacker gains the privileges of the user running Cobalt, which on engineering workstations frequently includes access to sensitive design intellectual property and connected network shares.
Root Cause
The root cause is the absence of strict type validation during XE file deserialization, classified under [CWE-843] Type Confusion. The application accepts attacker-controlled fields that determine how subsequent bytes are interpreted. When mismatched types collide, function pointers, virtual table references, or size fields can be manipulated to redirect execution flow.
Attack Vector
The attack requires local file access combined with user interaction. An attacker delivers a crafted .xe file through email, file-sharing services, or a malicious web page. When a victim opens the file in Cobalt, the parsing routine triggers the type confusion. No authentication is required, and the attack complexity is low. The vulnerability does not require network exposure, which limits worm-like propagation but suits targeted intrusion scenarios against design and manufacturing firms.
No public proof-of-concept code is available. See the Zero Day Initiative Advisory ZDI-25-722 for additional technical context.
Detection Methods for CVE-2025-8005
Indicators of Compromise
- Unexpected child processes spawned by Cobalt.exe, particularly command interpreters such as cmd.exe, powershell.exe, or script hosts
- Outbound network connections initiated by the Cobalt process to untrusted destinations shortly after an XE file is opened
- Crash or exception events in Windows Application logs referencing the Cobalt binary and access violations during file load
- Newly created executable files or scheduled tasks following a CAD file open event
Detection Strategies
- Monitor process lineage for the Cobalt application and flag any execution of interpreters, LOLBins, or unsigned binaries as child processes
- Inspect file system telemetry for .xe files originating from email attachments, browser downloads, or removable media
- Correlate user-opened CAD files with subsequent process injection, memory allocation anomalies, or DLL load events
Monitoring Recommendations
- Centralize endpoint telemetry from engineering workstations in a SIEM or data lake and retain process, file, and network events for at least 90 days
- Alert on Cobalt process crashes paired with subsequent suspicious activity within a short time window
- Track distribution of XE files across file shares to identify potential staging of malicious payloads
How to Mitigate CVE-2025-8005
Immediate Actions Required
- Restrict opening of XE files to those received from trusted internal sources and verified partners
- Apply application allowlisting to prevent Cobalt from spawning interpreters or unauthorized child processes
- Run Ashlar-Vellum Cobalt under standard user accounts to limit the impact of code execution
- Educate engineering staff on the risk of opening CAD files from unsolicited sources
Patch Information
No vendor patch information is referenced in the NVD entry or in ZDI-25-722 at the time of publication. Organizations should monitor Ashlar-Vellum vendor channels for an updated build and apply it once available.
Workarounds
- Block inbound .xe attachments at the email gateway and web proxy until a patch is deployed
- Isolate workstations that must process untrusted CAD files in a segmented VLAN with no access to source design repositories
- Disable file association handlers that automatically open .xe files on double-click where feasible
- Maintain offline backups of design files and validate integrity regularly
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

