CVE-2025-41392
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code by exploiting an out-of-bounds read when parsing AR files in Ashlar-Vellum CAD software. Users of Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions before 12.6.1204.204 are affected. The attack occurs when processing malicious AR files within the application context.
💻 Affected Systems
- Ashlar-Vellum Cobalt
- Ashlar-Vellum Xenon
- Ashlar-Vellum Argon
- Ashlar-Vellum Lithium
- Ashlar-Vellum Cobalt Share
📦 What is this software?
The affected products are CAD applications from Ashlar-Vellum:
- Argon by Ashlar
- Cobalt by Ashlar
- Lithium by Ashlar
- Xenon by Ashlar
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary code execution leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Application crash or limited data leakage from memory, potentially escalating to full code execution if combined with other vulnerabilities.
If Mitigated
Application crash with no data compromise if proper memory protections and network segmentation are implemented.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious AR file. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.6.1204.204
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-01
Restart Required: Yes
Instructions:
1. Download version 12.6.1204.204 or later from Ashlar-Vellum's official website.
2. Close all Ashlar-Vellum applications.
3. Run the installer and follow the on-screen instructions.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Restrict AR file processing
Block or quarantine AR files from untrusted sources to prevent malicious files from reaching vulnerable applications.
Application sandboxing
Run Ashlar-Vellum applications in restricted environments or virtual machines to limit potential damage from exploitation.
🧯 If You Can't Patch
- Implement strict file validation policies to block AR files from untrusted sources
- Segment the network to isolate CAD workstations from critical systems
🔍 How to Verify
Check if Vulnerable:
Open Help > About in any Ashlar-Vellum application and verify that the version is earlier than 12.6.1204.204
Check Version:
Not applicable: use the Help > About menu option in the application
Verify Fix Applied:
Confirm version is 12.6.1204.204 or later in Help > About dialog
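The version check above is easy to get wrong in a software-inventory script, because a text comparison of dotted build numbers does not match how the numbers are actually ordered ("12.6.1204.99" sorts after "12.6.1204.204" as a string but is the older build). The following is an added example, not code from the advisory or from Ashlar-Vellum, that compares Help > About version strings component-wise against the fixed build 12.6.1204.204 and lists hosts that still need the patch. The inventory rows are constructed; the product names are the ones the advisory lists.

```python
"""Check Ashlar-Vellum product versions against the fixed build named in the advisory.

Added example; not from the advisory or the vendor. The inventory rows are constructed.
"""
from __future__ import annotations

import re
from typing import Iterable

# Fixed build named in the advisory: versions earlier than this are affected.
FIXED_VERSION = "12.6.1204.204"

# Products the advisory lists as affected.
AFFECTED_PRODUCTS = {"Cobalt", "Xenon", "Argon", "Lithium", "Cobalt Share"}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version string such as '12.6.1204.204' into a tuple of ints.

    Raises ValueError on input that is not a dotted numeric version, so a
    malformed inventory row is reported instead of silently treated as patched.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly earlier than `fixed`, compared component-wise.

    A plain string comparison gets this wrong: '12.6.1204.99' sorts after
    '12.6.1204.204' as text, but build 99 is older than build 204.
    """
    v, f = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so '12.6' compares as '12.6.0.0'.
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


def vulnerable_hosts(inventory: Iterable[tuple[str, str, str]]) -> list[str]:
    """Return hostnames running an affected product at a pre-fix version.

    Each inventory row is (hostname, product, version), as read from
    Help > About or from a software-inventory export.
    """
    hits = []
    for host, product, version in inventory:
        if product not in AFFECTED_PRODUCTS:
            continue  # not one of the products the advisory names
        if is_vulnerable(version):
            hits.append(host)
    return hits


# Constructed sample inventory (invented hostnames).
SAMPLE_INVENTORY = [
    ("cad-ws-01", "Cobalt", "12.6.1204.99"),    # pre-fix build, although it sorts after the fix as text
    ("cad-ws-02", "Xenon", "12.6.1204.204"),    # exactly the fixed build
    ("cad-ws-03", "Argon", "12.5.1100.10"),     # older release
    ("cad-ws-04", "Cobalt Share", "12.7.0.1"),  # newer than the fix
    ("cad-ws-05", "OtherCAD", "1.0.0.0"),       # not an affected product
]

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected version installed, patch to {FIXED_VERSION} or later")
```

Feed `vulnerable_hosts` the rows of your own inventory export; a row whose version field is not a dotted number raises rather than being skipped, which is the safer failure for a patch-compliance check.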
📡 Detection & Monitoring
Log Indicators:
- Application crashes when opening AR files
- Unexpected memory access errors in application logs
Network Indicators:
- Unusual outbound connections from CAD workstations
- AR file downloads from suspicious sources
SIEM Query:
(EventID=1000 OR EventID=1001) AND Source='Ashlar-Vellum*' AND Keywords='Crash'
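The log indicators and SIEM query above translate into a small correlation: crash events (Windows Application log Event ID 1000 "Application Error" and 1001 "Windows Error Reporting") that name an Ashlar-Vellum product, raised in priority when an .ar file was written to the same host shortly before the crash. Two points matter for the query. First, Event 1000 is logged with the source "Application Error", and the product only appears in the event message as the faulting application name, so the product match must cover the message text and not just the source field. Second, the event-ID test must be applied before the product-name test, otherwise any event that happens to mention "Cobalt" (a logon event with that account name, say) is counted as a crash. The following is an added example, not the advisory's or vendor's code; all records are constructed (invented hosts, paths and times). The crash records follow the Application-log field shape and the file-create records follow the Sysmon Event ID 11 shape with its `TargetFilename` field; the ten-minute correlation window is an assumption.

```python
"""Detection over Windows event records for crashes in Ashlar-Vellum products.

Added example; not part of the advisory. All records are constructed.
Crash events use the Application-log shape (EventID 1000 'Application Error',
1001 'Windows Error Reporting'); file-create events use the Sysmon Event ID 11
shape (TargetFilename). The correlation window is an assumed value.
"""
from __future__ import annotations

from datetime import datetime, timedelta
import re
from typing import Iterable

CRASH_EVENT_IDS = {1000, 1001}
SYSMON_FILE_CREATE = 11

# Product names from the advisory, matched anywhere in the event text.
PRODUCT_RE = re.compile(r"Ashlar-Vellum|Cobalt|Xenon|Argon|Lithium", re.IGNORECASE)
AR_FILE_RE = re.compile(r"\.ar$", re.IGNORECASE)


def is_ashlar_crash(rec: dict) -> bool:
    """Crash event whose source or message names an Ashlar-Vellum product.

    Event 1000 carries Source 'Application Error' rather than the product name,
    so the product is also looked for in the message text. The EventID test
    comes first so that a non-crash event mentioning 'Cobalt' is not counted.
    """
    if rec.get("EventID") not in CRASH_EVENT_IDS:
        return False
    text = f"{rec.get('Source', '')} {rec.get('Message', '')}"
    return PRODUCT_RE.search(text) is not None


def is_ar_file_create(rec: dict) -> bool:
    """Sysmon FileCreate event for a file with the .ar extension."""
    return (rec.get("EventID") == SYSMON_FILE_CREATE
            and AR_FILE_RE.search(rec.get("TargetFilename", "")) is not None)


def correlate(records: Iterable[dict],
              window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Pair each product crash with .ar files created on the same host just before it.

    Returns one row per crash: the crash record plus 'recent_ar_files' (paths
    created within `window` before the crash on that host) and a 'priority'
    of 'high' when that list is non-empty, 'medium' otherwise.
    """
    records = list(records)
    ar_creates = [r for r in records if is_ar_file_create(r)]
    rows = []
    for crash in records:
        if not is_ashlar_crash(crash):
            continue
        t_crash = datetime.fromisoformat(crash["TimeCreated"])
        recent = [
            r["TargetFilename"] for r in ar_creates
            if r["Computer"] == crash["Computer"]
            and timedelta(0) <= t_crash - datetime.fromisoformat(r["TimeCreated"]) <= window
        ]
        rows.append({**crash, "recent_ar_files": recent,
                     "priority": "high" if recent else "medium"})
    return rows


# Constructed sample records (invented hosts, paths, versions and times).
SAMPLE_RECORDS = [
    {"TimeCreated": "2025-08-20T09:10:30", "Computer": "cad-ws-01", "EventID": 11,
     "Source": "Microsoft-Windows-Sysmon",
     "TargetFilename": "C:\\Users\\drafter\\Downloads\\part_rev3.ar"},
    {"TimeCreated": "2025-08-20T09:14:02", "Computer": "cad-ws-01", "EventID": 1000,
     "Source": "Application Error",
     "Message": "Faulting application name: Cobalt.exe, version: 12.6.1204.99, "
                "Exception code: 0xc0000005"},
    {"TimeCreated": "2025-08-20T09:14:05", "Computer": "cad-ws-01", "EventID": 1001,
     "Source": "Windows Error Reporting",
     "Message": "Fault bucket, type 0 Event Name: APPCRASH P1: Cobalt.exe"},
    {"TimeCreated": "2025-08-20T10:02:11", "Computer": "cad-ws-02", "EventID": 1000,
     "Source": "Application Error",
     "Message": "Faulting application name: Xenon.exe, version: 12.6.1204.99"},
    {"TimeCreated": "2025-08-20T10:05:40", "Computer": "fin-ws-07", "EventID": 1000,
     "Source": "Application Error",
     "Message": "Faulting application name: EXCEL.EXE, version: 16.0.1"},
    {"TimeCreated": "2025-08-20T10:06:00", "Computer": "cad-ws-02", "EventID": 4624,
     "Source": "Microsoft-Windows-Security-Auditing",
     "Message": "An account was successfully logged on. Account Name: cobalt.svc"},
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_RECORDS):
        print(row["TimeCreated"], row["Computer"], row["EventID"],
              row["priority"], row["recent_ar_files"])
```

On the sample data the two cad-ws-01 crashes are reported as high priority because an .ar file landed in the Downloads folder four minutes earlier, the Xenon crash on cad-ws-02 is medium, and the Excel crash and the logon event that mentions "cobalt.svc" are not reported at all. Running the same logic over a real export requires only that the records carry the same field names.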