PatchSiren

CVE-2025-65087 Ashlar-Vellum CVE debrief

An out-of-bounds read vulnerability exists in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior. The flaw occurs during parsing of specially crafted VC6 files and may allow an attacker to disclose information or execute arbitrary code. The vulnerability was disclosed by CISA on November 25, 2025, with an update published on May 12, 2026, that revised affected product versions and mitigation guidance. The vendor has released build 12.6.1204.217 to address this issue.

Vendor: Ashlar-Vellum
Product: Cobalt
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-11-25
Original CVE updated: 2026-05-12
Advisory published: 2025-11-25
Advisory updated: 2026-05-12

Who should care

Organizations using Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, or Cobalt Share for CAD and 3D modeling, particularly in industrial or engineering environments where VC6 files may be exchanged externally.

Technical summary

The vulnerability is an out-of-bounds read (CWE-125) triggered when parsing malformed VC6 files in Ashlar-Vellum's CAD and 3D modeling product suite. The attack vector is local and user interaction is required; successful exploitation yields high impact on confidentiality, integrity, and availability.

Defensive priority

HIGH

Recommended defensive actions

  • Update Ashlar-Vellum products to build 12.6.1204.217 or later
  • Restrict access to VC6 files from untrusted sources
  • Apply defense-in-depth strategies for industrial control systems
  • Train users to recognize and avoid phishing attempts that may deliver malicious files
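
One way to act on the first recommendation, as an added example that is not part of the advisory or any vendor tooling: a triage pass over a software inventory export that flags installs of the affected products older than the fixed build 12.6.1204.217. The CSV layout, host names and sample rows are constructed assumptions.

```python
import csv
import io

# Values taken from the advisory text above.
AFFECTED_PRODUCTS = {"cobalt", "xenon", "argon", "lithium", "cobalt share"}
FIXED_BUILD = (12, 6, 1204, 217)

# Constructed sample inventory; the column layout is an assumption.
SAMPLE_INVENTORY = """host,product,version
eng-ws-01,Cobalt,12.6.1204.216
eng-ws-02,Xenon,12.6.1204.217
eng-ws-03,Cobalt Share,12.5.1100.3
eng-ws-04,Argon,12.6.1204
eng-ws-05,Lithium,unknown
eng-ws-06,OtherCAD,1.0.0.0
"""

def parse_build(text):
    """Return the build as a 4-tuple of ints, or None if it cannot be parsed."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    # Pad truncated versions with zeros so they compare as the oldest build.
    return tuple(nums + [0] * (4 - len(nums)))

def triage(inventory_csv):
    """Map each host to 'vulnerable', 'patched', 'unknown' or 'not-affected'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        if product not in AFFECTED_PRODUCTS:
            status = "not-affected"   # product not named in this advisory
        else:
            build = parse_build(row["version"])
            if build is None:
                status = "unknown"    # needs manual review, never assumed patched
            elif build < FIXED_BUILD:
                status = "vulnerable"
            else:
                status = "patched"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows with an unparseable or truncated version are deliberately not reported as patched, so they surface for manual verification.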

Evidence notes

CISA ICS Advisory ICSA-25-329-01 (Update A) documents this vulnerability with a CVSS 3.1 score of 7.8. The advisory was initially published 2025-11-25 and modified 2026-05-12 to revise the mitigation section and affected product versions and to add CVE identifiers. SSVCv2 scoring indicates Exploitation: None, Automatable: No.

Official resources

2025-11-25