PatchSiren cyber security CVE debrief

CVE-2025-65085 Ashlar-Vellum CVE debrief

A heap-based buffer overflow vulnerability exists in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior. The vulnerability could allow an attacker to disclose information or execute arbitrary code. The vendor has released an updated build (12.6.1204.217) to address this issue. This vulnerability was initially published on November 25, 2025, and subsequently updated on May 12, 2026, with revised mitigation guidance and affected product versions.

Vendor: Ashlar-Vellum
Product: Cobalt
CVSS: 7.8 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-11-25
Original CVE updated: 2026-05-12
Advisory published: 2025-11-25
Advisory updated: 2026-05-12

Who should care

Organizations using Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, or Cobalt Share in design, engineering, or manufacturing workflows; operators of industrial control systems where these applications interface with OT environments; and security teams responsible for CAD/CAM software asset management.

Technical summary

The vulnerability is a heap-based buffer overflow (CWE-122) affecting multiple Ashlar-Vellum CAD and 3D modeling products. Successful exploitation could result in information disclosure or arbitrary code execution. The attack vector is local, requiring user interaction. The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high impacts to confidentiality, integrity, and availability. The vendor has provided a patched build (12.6.1204.217) as remediation.

Defensive priority

HIGH

Recommended defensive actions

  • Update Ashlar-Vellum products to build 12.6.1204.217 or later as recommended by the vendor.
  • Apply defense-in-depth strategies for industrial control systems environments where these products are deployed.
  • Follow CISA recommended practices for ICS security and implement network segmentation to limit exposure.
  • Educate users on phishing and social engineering risks to reduce initial access vectors.
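The first action above depends on knowing which installed builds are older than 12.6.1204.217, and four-part build numbers compared as strings rank "12.6.1204.99" above "12.6.1204.217". The following is an added example, not part of the PatchSiren debrief and not a vendor tool: it parses build numbers numerically and triages a constructed inventory (hostnames and versions are made up) against the fixed build and product list named in the advisory.

```python
"""Triage an asset inventory against the fixed build named in the advisory.

Added illustration, not code from the PatchSiren page or the vendor. The
inventory rows are constructed sample data; the product list and the fixed
build number 12.6.1204.217 are taken from the advisory text.
"""

AFFECTED_PRODUCTS = {"Cobalt", "Xenon", "Argon", "Lithium", "Cobalt Share"}
FIXED_BUILD = "12.6.1204.217"


def parse_build(version: str) -> tuple:
    """Turn 'major.minor.build.rev' into a tuple of ints for numeric comparison.

    String comparison would rank '12.6.1204.99' above '12.6.1204.217';
    tuple comparison gets this right and also copes with shorter strings.
    """
    try:
        return tuple(int(p) for p in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable version {version!r}") from exc


def needs_patch(product: str, version: str) -> bool:
    """True when the product is in scope and its build is older than the fix."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_build(version) < parse_build(FIXED_BUILD)


def triage(inventory):
    """Return (host, product, version, action) rows that still need attention.

    In-scope rows whose version cannot be parsed are reported as well, since an
    unknown build cannot be assumed to be patched.
    """
    findings = []
    for host, product, version in inventory:
        try:
            if needs_patch(product, version):
                findings.append((host, product, version, "update to " + FIXED_BUILD))
        except ValueError:
            if product in AFFECTED_PRODUCTS:
                findings.append((host, product, version, "version unreadable; verify manually"))
    return findings


# Constructed sample inventory: hostnames and versions are invented.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "Cobalt", "12.6.1204.216"),   # prior build, affected
    ("eng-ws-02", "Cobalt", "12.6.1204.217"),   # fixed build
    ("eng-ws-03", "Xenon", "12.6.1204.99"),     # older despite sorting "higher" as text
    ("eng-ws-04", "Cobalt Share", "unknown"),   # in scope, version not recorded
    ("eng-ws-05", "OtherCAD", "1.0.0.0"),       # not an Ashlar-Vellum product
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

The inventory source (software-inventory export, endpoint agent data, or a manual spreadsheet) is whatever the organisation already has; the value of the function is the numeric comparison and the explicit handling of rows with no usable version.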

Evidence notes

Source: CISA CSAF advisory ICSA-25-329-01. Vendor confirmed affected products and remediation. CVSS 3.1 score 7.8 (HIGH). CWE-122 (Heap-based Buffer Overflow).

Official resources

2025-11-25