PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-65086 Ashlar-Vellum CVE debrief

CVE-2025-65086 is a high-severity out-of-bounds write issue in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share. According to CISA’s advisory, parsing a specially crafted VC6 file can allow arbitrary code execution. Ashlar-Vellum’s mitigation is to update to build 12.6.1204.217 or later. Because exploitation is tied to file parsing and the CVSS vector includes user interaction, organizations should treat this as a priority for any workstation or environment that opens untrusted VC6 content.

Vendor: Ashlar-Vellum
Product: Cobalt
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-11-25
Original CVE updated: 2026-05-12
Advisory published: 2025-11-25
Advisory updated: 2026-05-12

Who should care

Administrators, engineers, and users running Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, or Cobalt Share—especially on systems that receive or open VC6 files from external sources.

Technical summary

CISA describes an out-of-bounds write in affected Ashlar-Vellum products at version 12.6.1204.216 and prior. The issue occurs during VC6 file parsing and may permit arbitrary code execution. The supplied CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: a local attack vector with low complexity, no privileges required, user interaction required, unchanged scope, and high confidentiality, integrity, and availability impact. CISA’s Update A (2026-05-12) revised the affected versions and mitigation guidance, and the recommended fixed build is 12.6.1204.217 or later.

Defensive priority

High. The vulnerability is rated HIGH, can lead to code execution, and is reachable through common file-opening workflows that may involve untrusted content.

Recommended defensive actions

  • Update Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share to build 12.6.1204.217 or later.
  • Identify systems that process VC6 files and prioritize them for patching.
  • Treat VC6 files from untrusted or external sources as suspicious and restrict handling where possible.
  • Limit who can open externally supplied project files on affected workstations.
  • Review endpoint protections and user guidance for file-based attack paths, including safe handling of unexpected attachments or project files.

Evidence notes

Source corpus states: affected versions are 12.6.1204.216 and prior; the issue is an out-of-bounds write during parsing of a specially crafted VC6 file; arbitrary code execution is possible; the mitigation is to update to 12.6.1204.217 and later. The published date is 2025-11-25T07:00:00Z and the advisory was revised on 2026-05-12T06:00:00Z in Update A.

Official resources

Publicly disclosed by CISA on 2025-11-25; advisory updated in Update A on 2026-05-12.