CVE-2023-35712

CVSS v3 base score: 7.8 HIGH

📋 TL;DR

An attacker who can get a user of Ashlar-Vellum Cobalt to open a crafted XE file (delivered by e-mail, as a download, or from a malicious web page) can execute arbitrary code on that user's machine. The flaw is in Cobalt's XE file parser, which accesses memory it has not properly initialized; the resulting code execution runs in the context of the Cobalt process, i.e. with the rights of the logged-in user. No credentials are needed, but user interaction is required. All users of Ashlar-Vellum Cobalt should treat their installations as affected until updated.

💻 Affected Systems

Products:
  • Ashlar-Vellum Cobalt
Versions: The public references do not list affected or fixed build numbers; treat every build that predates the vendor's fix as affected
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: User interaction required (opening malicious file or visiting malicious page)

📦 What is this software?

Ashlar-Vellum Cobalt is a commercial 3D CAD and modeling application for Windows and macOS, used for product and mechanical design. XE is one of the Ashlar-Vellum native document formats that Cobalt can open, and the vulnerable code path is the parser for that format.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Malicious code execution with user privileges, potentially leading to data exfiltration, lateral movement, or additional payload deployment.

🟢

If Mitigated

Code runs only with the rights of the user who opened the file. Running Cobalt under a standard (non-administrator) account, with OS exploit mitigations enabled, limits the damage to that user's data and access. The bug itself grants no privilege escalation; escalating further would require a separate vulnerability.

🌐 Internet-Facing: MEDIUM (Cobalt is not a network service; exposure comes from XE files and web content delivered to users)
🏢 Internal Only: HIGH (workstations with Cobalt installed are the real attack surface)

🎯 Exploit Status

Public PoC: ❌ No (none known at the time of writing)
Weaponized: UNKNOWN
Authentication Required: ❌ No (the attacker needs no credentials, only a victim who opens the file)
Complexity: MEDIUM

Requires user interaction; exploitation would involve a crafted XE file that makes the parser use memory whose contents the attacker has arranged to control.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in the available references; confirm the fixed build with Ashlar-Vellum

Advisory (ZDI): https://www.zerodayinitiative.com/advisories/ZDI-23-875/

Restart Required: Close and relaunch Cobalt after updating; a full system restart is only needed if the installer asks for it

Instructions:

1. Check Ashlar-Vellum's update channel for the current Cobalt build and confirm with the vendor that it addresses CVE-2023-35712 (ZDI-23-875)
2. Update every Cobalt installation, not only the machines that handle external files
3. Close and relaunch Cobalt (or restart the system if the installer requires it)

🔧 Temporary Workarounds

Restrict XE file handling (all platforms)

Block or quarantine XE files at the mail gateway and web proxy, and use application control or group policy so that XE files from untrusted sources cannot be opened in Cobalt. Files from known internal sources can be allowed through.

User awareness training (all platforms)

Tell Cobalt users not to open XE files from unknown senders or unfamiliar web pages, and to report Cobalt crashes that occur when opening a design file, since a crash can be a failed exploitation attempt.

🧯 If You Can't Patch

  • Use application control (allow-listing) to block unauthorized executables; this does not stop shellcode running inside the Cobalt process, but it does block dropped second-stage payloads
  • Run Cobalt under a standard (non-administrator) account so that any code executed through the parser has only that user's rights
  • Keep OS exploit mitigations (ASLR, DEP/NX, and Control Flow Guard on Windows) enabled for the Cobalt binary; they make the uninitialized-memory bug harder to turn into reliable code execution

🔍 How to Verify

Check if Vulnerable:

Treat any Cobalt installation that predates the vendor's fix for CVE-2023-35712 as vulnerable. The public references give no build number, so compare the installed build against the build Ashlar-Vellum identifies as fixed. Do not try to confirm the bug by opening untrusted XE files.

Check Version:

Read the version and build number from Cobalt's About dialog, or from the installed binary's file properties (Windows) or application bundle information (macOS).

Verify Fix Applied:

Confirm that the installed build matches the fixed build on every workstation, then open a known-good XE file from a trusted source to make sure the updated parser still works.

📡 Detection & Monitoring

Log Indicators:

  • Cobalt crashing or terminating shortly after a user opens an XE file (Windows Application event log errors, macOS crash reports)
  • Child processes spawned by Cobalt, especially shells, script interpreters or other LOLBins; a CAD application has no normal reason to launch these

Network Indicators:

  • Outbound connections from the Cobalt process to destinations other than known vendor or licensing endpoints
  • New outbound traffic from a workstation that begins shortly after an XE file was opened

SIEM Query:

Process creation where the parent image is the Cobalt executable AND (the child image is a shell, script interpreter or LOLBin OR the parent's command line references an .xe file), plus network connection events where the image is the Cobalt executable and the destination is not on an allow-list.
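The query above, worked through as code. This is an added example, not vendor, ZDI or NVD code. It assumes Sysmon-style telemetry already normalised to dicts (Event ID 1 process creation with image, command_line, parent_image and parent_command_line; Event ID 3 network connection with image, dest_ip and dest_port), an executable name containing "cobalt" (e.g. Cobalt.exe), a hypothetical allow-listed licence server at 10.0.0.50, and constructed sample records; the install path, field names and sample values are illustrative, not taken from the page.

```python
import re

# Added example for this page; not vendor, ZDI or NVD code. Field names follow
# Sysmon Event ID 1 / 3 but are assumed to be normalised into dicts already.

# Interpreters and LOLBins a CAD application has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "sh", "bash", "zsh", "osascript", "curl", "python",
}
# Destinations Cobalt is expected to talk to (assumed; tune to your environment).
ALLOWED_DESTINATIONS = {"10.0.0.50"}  # hypothetical internal licence server
XE_DOC = re.compile(r"\.xe\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_cobalt(image: str) -> bool:
    """Assumes the Cobalt executable name contains 'cobalt' (e.g. Cobalt.exe)."""
    return "cobalt" in basename(image)


def triage_event(ev: dict):
    """Return (severity, reason) for one event, or None if nothing stands out."""
    if ev["event_id"] == 1:  # process creation
        if not is_cobalt(ev["parent_image"]):
            return None
        child = basename(ev["image"])
        opened_xe = bool(XE_DOC.search(ev.get("parent_command_line", "")))
        if child in SUSPICIOUS_CHILDREN:
            why = f"Cobalt spawned {child}"
            if opened_xe:
                why += " after being launched with an .xe document"
            return ("high", why)
        if opened_xe:
            # Unexpected but not obviously malicious child: worth an analyst's look.
            return ("medium", f"Cobalt launched with an .xe document spawned {child}")
        return None
    if ev["event_id"] == 3:  # network connection
        if is_cobalt(ev["image"]) and ev["dest_ip"] not in ALLOWED_DESTINATIONS:
            return ("medium", f"Cobalt connected to {ev['dest_ip']}:{ev['dest_port']}")
        return None
    return None


def triage(events):
    """Apply triage_event to every record and return the hits in log order."""
    hits = []
    for ev in events:
        verdict = triage_event(ev)
        if verdict:
            hits.append({"utc_time": ev["utc_time"],
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


# Constructed sample records (not real telemetry).
COBALT = r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "utc_time": "2023-06-20 09:00:01", "image": COBALT,
     "command_line": f'"{COBALT}" "C:\\Users\\jdoe\\Downloads\\bracket.xe"',
     "parent_image": r"C:\Windows\explorer.exe", "parent_command_line": "explorer.exe"},
    {"event_id": 1, "utc_time": "2023-06-20 09:00:04", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami", "parent_image": COBALT,
     "parent_command_line": f'"{COBALT}" "C:\\Users\\jdoe\\Downloads\\bracket.xe"'},
    {"event_id": 3, "utc_time": "2023-06-20 09:00:05", "image": COBALT,
     "dest_ip": "203.0.113.7", "dest_port": 443},
    {"event_id": 1, "utc_time": "2023-06-20 10:15:00", "image": COBALT,
     "command_line": f'"{COBALT}"',
     "parent_image": r"C:\Windows\explorer.exe", "parent_command_line": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["utc_time"], hit["severity"].upper(), hit["reason"])
```

On the constructed sample the first and last records are normal launches from Explorer and produce nothing; the cmd.exe child of a Cobalt instance that was opened with bracket.xe is flagged high, and the outbound connection to a non-allow-listed address is flagged medium. The .xe check only raises the confidence of a hit: a CAD application spawning a shell is suspicious whether or not an XE document is visible on its command line.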

🔗 References

  • ZDI-23-875: https://www.zerodayinitiative.com/advisories/ZDI-23-875/
  • NVD entry for CVE-2023-35712: https://nvd.nist.gov/vuln/detail/CVE-2023-35712