CVE-2025-46269
📋 TL;DR
A heap-based buffer overflow vulnerability in Ashlar-Vellum CAD software allows attackers to execute arbitrary code by crafting malicious VC6 files. This affects users of Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions before 12.6.1204.204. Successful exploitation could lead to complete system compromise.
💻 Affected Systems
- Ashlar-Vellum Cobalt
- Ashlar-Vellum Xenon
- Ashlar-Vellum Argon
- Ashlar-Vellum Lithium
- Ashlar-Vellum Cobalt Share
📦 What is this software?
Argon by Ashlar
Cobalt by Ashlar
Lithium by Ashlar
Xenon by Ashlar
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with SYSTEM/root privileges leading to complete system takeover, data theft, ransomware deployment, or lateral movement across networks.
Likely Case
Local privilege escalation or arbitrary code execution in user context when opening malicious VC6 files, potentially leading to credential theft or malware installation.
If Mitigated
Application crash or denial of service if exploit attempts are blocked by security controls, with no code execution.
🎯 Exploit Status
Exploitation requires user interaction to open malicious VC6 files. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.6.1204.204
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-01
Restart Required: Yes
Instructions:
1. Download version 12.6.1204.204 or later from the official Ashlar-Vellum website.
2. Close all Ashlar-Vellum applications.
3. Run the installer with administrative privileges.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Block VC6 file extensions
Prevent processing of VC6 files at the system or network level
Windows: Use Group Policy to block .vc6 file execution
macOS: Use mdfind 'kMDItemFSName == *.vc6' to identify and quarantine files
Application control restrictions
Restrict Ashlar-Vellum applications from accessing untrusted directories
Windows: Configure AppLocker rules
macOS: Use TCC or sandboxing policies
🧯 If You Can't Patch
- Implement strict file type filtering to block VC6 files at email gateways and web proxies
- Educate users to never open VC6 files from untrusted sources and disable automatic file opening
🔍 How to Verify
Check if Vulnerable:
Check Help > About in any Ashlar-Vellum application; the installation is vulnerable if the version shown is earlier than 12.6.1204.204
Check Version:
Windows: wmic product where "name like 'Ashlar-Vellum%'" get version
macOS: grep -A1 CFBundleShortVersionString /Applications/Ashlar-Vellum\ *.app/Contents/Info.plist
Verify Fix Applied:
Confirm version shows 12.6.1204.204 or later in Help > About menu
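When checking many hosts, compare version fields numerically, because a plain string comparison ranks 12.6.1204.99 above 12.6.1204.204 and would miss a vulnerable build. The following is an added example, not part of the original advisory or any vendor tooling; it assumes the version reported by the `wmic ... get version` command above uses the same dotted format as Help > About, and the sample output is constructed.

```python
import re

FIXED = (12, 6, 1204, 204)  # fixed release stated on this page


def parse_version(text):
    """Return a tuple of ints for a dotted version, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version, fixed=FIXED):
    """True if version < fixed, comparing each field as a number.

    Shorter versions are zero-padded, so 12.6 is treated as 12.6.0.0.
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unparseable version: {version!r}")
    width = max(len(parsed), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(parsed) < pad(fixed)


def triage(wmic_output):
    """Classify each line of `wmic ... get version` output."""
    results = {}
    for line in wmic_output.splitlines():
        line = line.strip()
        if not line or line.lower() == "version":  # skip blanks and header
            continue
        try:
            results[line] = "VULNERABLE" if is_vulnerable(line) else "patched"
        except ValueError:
            results[line] = "unknown"  # needs a manual Help > About check
    return results


# Constructed sample of command output (not from a real host).
SAMPLE = "Version\n12.6.1204.99\n12.6.1204.204\n12.6.1205.1\n11.0\nn/a\n"

if __name__ == "__main__":
    for version, status in triage(SAMPLE).items():
        print(f"{version:16} {status}")
```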
📡 Detection & Monitoring
Log Indicators:
- Application crashes with memory access violations
- Unexpected child processes spawned from Ashlar-Vellum executables
- Failed attempts to open corrupted VC6 files
Network Indicators:
- Outbound connections from Ashlar-Vellum processes to suspicious IPs
- Unusual file downloads preceding application crashes
SIEM Query:
source="*ashlar*" AND (event_type="crash" OR process_name="*cobalt*" OR file_extension=".vc6")