CVE-2025-11465
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Ashlar-Vellum Cobalt installations by tricking users into opening malicious CO files or visiting malicious web pages. The use-after-free flaw in CO file parsing enables code execution in the context of the current process, affecting all users of vulnerable Ashlar-Vellum Cobalt software.
💻 Affected Systems
- Ashlar-Vellum Cobalt
📦 What is this software?
Cobalt by Ashlar
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive files and system resources, potentially enabling further attacks on the network.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in only application crash or denial of service.
🎯 Exploit Status
Exploitation requires user interaction (social engineering). The vulnerability is publicly disclosed through ZDI advisory ZDI-25-956.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Ashlar-Vellum vendor advisory for specific patched versions
Vendor Advisory: https://www.ashlar.com/security-advisories/
Restart Required: Yes
Instructions:
1. Check Ashlar-Vellum security advisory for CVE-2025-11465
2. Download and install the latest patched version from official vendor sources
3. Restart the application and any related services
4. Verify the patch is applied correctly
🔧 Temporary Workarounds
Disable CO file association
Windows: Remove the file type association for .co files to prevent automatic opening in the vulnerable application
Windows: assoc .co=
Windows: ftype COFile=
Application sandboxing
All platforms: Run Ashlar-Vellum Cobalt in a restricted environment with limited privileges
🧯 If You Can't Patch
- Implement strict file type filtering at email gateways and web proxies to block .co files
- Educate users about the risks of opening untrusted CO files and implement application whitelisting
🔍 How to Verify
Check if Vulnerable:
Check Ashlar-Vellum Cobalt version against vendor's patched version list. If running unpatched version, assume vulnerable.
Check Version:
Windows: Check Help > About in Ashlar-Vellum Cobalt application interface
Verify Fix Applied:
Verify installed version matches or exceeds the patched version specified in vendor advisory. Test with known safe CO files to ensure functionality.
📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing CO files
- Unexpected child processes spawned from Ashlar-Vellum Cobalt
- Unusual network connections from the application
Network Indicators:
- Downloads of .co files from untrusted sources
- Outbound connections to suspicious IPs following CO file processing
SIEM Query:
Process creation where parent_process contains 'cobalt' AND (process_name contains 'cmd.exe' OR process_name contains 'powershell.exe' OR process_name contains suspicious binaries)
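The SIEM query above, implemented as a small rule run over constructed process-creation events (added example, not part of the advisory; the Sysmon-style field names, the Cobalt install path and the list of "suspicious binaries" are assumptions):

```python
"""Flag shell/script hosts spawned by Ashlar-Vellum Cobalt (added example).

Runs the SIEM logic from the Detection section over constructed
Sysmon-style process-creation records; field names are an assumption.
"""
from dataclasses import dataclass

# Assumed expansion of "suspicious binaries": interpreters a CAD
# application has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (simplified Sysmon Event ID 1)."""
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process

def basename(path: str) -> str:
    """Last path component, lower-cased; accepts / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious_spawn(event: ProcessEvent) -> bool:
    """parent_process contains 'cobalt' AND child is a suspicious binary."""
    parent_is_cobalt = "cobalt" in basename(event.parent_image)
    return parent_is_cobalt and basename(event.image) in SUSPICIOUS_CHILDREN

def find_suspicious(events):
    """Return the events that match the detection rule."""
    return [e for e in events if is_suspicious_spawn(e)]

# Constructed sample telemetry, not real captures; install path is assumed.
COBALT = r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", COBALT),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(COBALT, r"C:\Windows\explorer.exe"),   # normal user launch
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", COBALT),
    ProcessEvent(r"C:\Windows\System32\conhost.exe", COBALT),  # not in list
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {basename(hit.parent_image)} -> {basename(hit.image)}")
```

Tune SUSPICIOUS_CHILDREN to your environment's baseline; a crash handler or updater launched by Cobalt may otherwise appear as a false positive.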