PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-65084 Ashlar-Vellum CVE debrief

An Out-of-Bounds Write vulnerability (CWE-787) affects Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior. The vulnerability allows an attacker to disclose information or execute arbitrary code. The CVSS 3.1 score of 7.8 (HIGH) reflects local attack vector, low attack complexity, no privileges required, and user interaction required, with high impacts to confidentiality, integrity, and availability. The vendor has released build 12.6.1204.217 to address this issue. This vulnerability was initially published on November 25, 2025, and subsequently updated on May 12, 2026 (Update A), which revised the mitigation section, affected product versions, and added CVE identifiers.

Vendor: Ashlar-Vellum
Product: Cobalt
CVSS: 7.8 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-11-25
Original CVE updated: 2026-05-12
Advisory published: 2025-11-25
Advisory updated: 2026-05-12

Who should care

Organizations using Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, or Cobalt Share for CAD and 3D modeling, particularly in industrial or engineering environments. System administrators managing workstations with these applications installed. Security teams responsible for vulnerability management in OT/ICS environments.

Technical summary

The vulnerability is an Out-of-Bounds Write (CWE-787) present in multiple Ashlar-Vellum CAD and 3D modeling products. The affected versions (12.6.1204.216 and prior) can be exploited to achieve information disclosure or arbitrary code execution. The attack requires local access and user interaction, with no privileges required. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates that successful exploitation results in complete compromise of confidentiality, integrity, and availability on the affected system. The vendor has addressed this in build 12.6.1204.217.

Defensive priority

HIGH

Recommended defensive actions

  • Update Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, or Cobalt Share to build 12.6.1204.217 or later
  • Apply vendor-provided patches as the primary remediation
  • Follow CISA ICS recommended practices for defense-in-depth strategies
  • Implement network segmentation for industrial control systems where these applications are deployed
  • Restrict user privileges and enforce principle of least privilege
  • Train users to recognize and avoid phishing attacks that could deliver malicious files
  • Monitor for anomalous process execution or file system activity from affected applications

Evidence notes

Source: CISA CSAF advisory ICSA-25-329-01. Vendor confirmed: Ashlar-Vellum. Affected products: Cobalt, Xenon, Argon, Lithium, Cobalt Share. Affected versions: 12.6.1204.216 and prior. Fix version: 12.6.1204.217. CWE-787 (Out-of-bounds Write). CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Official resources

2025-11-25