PatchSiren cyber security CVE debrief
CVE-2025-65088 Ashlar-Vellum CVE debrief
An Out-of-Bounds Read vulnerability exists in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior. The vulnerability is triggered when parsing a specially crafted VC6 file, potentially allowing an attacker to disclose information or execute arbitrary code. This vulnerability was disclosed by CISA on November 25, 2025, and subsequently updated on May 12, 2026 (Update A) to revise the mitigation guidance and affected product versions and to add CVE identifiers. The CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector, low attack complexity, no privileges required, and user interaction required, with high impacts to confidentiality, integrity, and availability. The vendor has released build 12.6.1204.217 to address this issue.
- Vendor: Ashlar-Vellum
- Product: Cobalt
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-11-25
- Original CVE updated: 2026-05-12
- Advisory published: 2025-11-25
- Advisory updated: 2026-05-12
Who should care
Organizations using Ashlar-Vellum CAD software in engineering, manufacturing, or industrial design workflows; ICS/OT security teams managing CAD workstations; asset owners in critical infrastructure sectors relying on these tools for design and modeling operations.
Technical summary
The vulnerability is an Out-of-Bounds Read (CWE-125) occurring during parsing of VC6 files in Ashlar-Vellum's CAD product suite. The affected products include Cobalt, Xenon, Argon, Lithium, and Cobalt Share, all versions 12.6.1204.216 and earlier. Successful exploitation could lead to information disclosure or arbitrary code execution. The attack requires local access and user interaction (opening a malicious VC6 file), with no privileges required. The vendor has addressed this in build 12.6.1204.217.
Defensive priority
HIGH
Recommended defensive actions
- Update Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, or Cobalt Share to build 12.6.1204.217 or later.
- Restrict access to VC6 file imports to trusted sources only until patching is complete.
- Implement application whitelisting and least-privilege execution for CAD workstations.
- Monitor for anomalous crashes or unexpected behavior when opening VC6 files.
- Review CISA ICS recommended practices for defense-in-depth strategies.
Evidence notes
CISA ICS Advisory ICSA-25-329-01 (Update A) published 2025-11-25, modified 2026-05-12. CWE-125 Out-of-bounds Read. Affected versions: 12.6.1204.216 and prior across five product lines. Fixed in build 12.6.1204.217.
Official resources
- CVE-2025-65088 CVE record (CVE.org)
- CVE-2025-65088 NVD detail (NVD)
- Source item URL: cisa_csaf