Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share
CVSS: 7.8
Advisory: ICS-CERT ICSA-25-224-01
Published: Aug 12, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share contain buffer overflow and out-of-bounds access vulnerabilities (CWE-787, CWE-125, CWE-122) that could allow an attacker to disclose information and execute arbitrary code. Successful exploitation requires user interaction to open or import a malicious CO/XE/AR/LI file or supported file format.
What this means
What could happen
An attacker could execute arbitrary code on a workstation running these design/CAD applications if a user opens a malicious file, potentially compromising engineering data, control system configurations, or enabling lateral movement to connected ICS networks.
Who's at risk
Engineering teams and design departments using Ashlar-Vellum CAD/design software (Cobalt, Xenon, Argon, Lithium, Cobalt Share) on workstations connected to or near control system networks. This affects industries such as architecture, engineering, utilities, and manufacturing where these tools are used to design or modify control system layouts and configurations.
How it could be exploited
An attacker crafts a malicious CO, XE, AR, or LI file (or supported import format) containing specially crafted data that triggers a buffer overflow in the parsing logic. If a user opens this file in the vulnerable application, the overflow allows the attacker to execute arbitrary code with the privileges of the logged-in user.
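The defect class named above (CWE-787, CWE-125, CWE-122) is a file parser that trusts a length field read from the file. The following is an added illustration, not code from Ashlar-Vellum or from the advisory, of how a record reader validates such a length against both the destination buffer and the remaining input before copying. The record layout (a one-byte type, a little-endian 32-bit payload length, then the payload), the MAX_PAYLOAD limit and the sample buffers are all constructed for the example and are not the real CO/XE/AR/LI format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (assumption; NOT the real Ashlar-Vellum format):
 *   uint8_t  type
 *   uint32_t payload_len   little-endian
 *   uint8_t  payload[payload_len]
 */
#define HEADER_LEN 5u
#define MAX_PAYLOAD 64u   /* fixed-size destination chosen for the example */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED_HEADER,   /* fewer than HEADER_LEN bytes left */
    PARSE_LEN_TOO_LARGE,      /* declared length exceeds the destination */
    PARSE_TRUNCATED_PAYLOAD   /* declared length exceeds the remaining input */
};

struct record {
    uint8_t type;
    uint32_t payload_len;
    uint8_t payload[MAX_PAYLOAD];
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record from buf[0 .. buf_len). Every length taken from the file is
 * checked before any read or copy: against the remaining input (an unchecked
 * read is CWE-125) and against the fixed destination (an unchecked write is
 * CWE-787; on a heap-allocated destination it would be CWE-122). */
enum parse_status parse_record(const uint8_t *buf, size_t buf_len,
                               struct record *out, size_t *consumed) {
    if (buf_len < HEADER_LEN)
        return PARSE_TRUNCATED_HEADER;          /* header read would run past end */
    uint32_t len = read_le32(buf + 1);
    if (len > MAX_PAYLOAD)
        return PARSE_LEN_TOO_LARGE;             /* copy would overflow out->payload */
    if (len > buf_len - HEADER_LEN)
        return PARSE_TRUNCATED_PAYLOAD;         /* copy would read past end of input */
    out->type = buf[0];
    out->payload_len = len;
    memcpy(out->payload, buf + HEADER_LEN, len);
    *consumed = HEADER_LEN + (size_t)len;
    return PARSE_OK;
}

/* Walk a buffer of back-to-back records. Returns the record count, or -1 on
 * the first malformed record: fail closed instead of trusting later offsets. */
int count_records(const uint8_t *buf, size_t buf_len) {
    size_t off = 0;
    int n = 0;
    while (off < buf_len) {
        struct record r;
        size_t used;
        if (parse_record(buf + off, buf_len - off, &r, &used) != PARSE_OK)
            return -1;
        off += used;
        n++;
    }
    return n;
}

/* Constructed sample inputs (not captured from any real file). */
static const uint8_t SAMPLE_GOOD[] = {
    0x01, 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c',   /* type 1, 3-byte payload  */
    0x02, 0x00, 0x00, 0x00, 0x00                   /* type 2, empty payload   */
};
static const uint8_t SAMPLE_BAD_LEN[] = {
    0x01, 0xff, 0xff, 0xff, 0x7f                   /* claims ~2 GiB of payload */
};

int main(void) {
    printf("good buffer: %d records\n", count_records(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("bad length : %d\n", count_records(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN));
    return 0;
}
```

The two checks are deliberately separate: the destination check protects the process's own memory, the remaining-input check protects against a truncated or deliberately short file, and a parser that performs only one of them still exhibits one of the CWEs the advisory lists.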
Prerequisites
- User must open a malicious file in one of the affected applications
- File must be in a format the application recognizes (native or supported import format)
- User must have the application installed (typically on engineering workstations)
- Requires user interaction (file open)
- High CVSS (7.8)
- Affects engineering workstations with potential access to ICS networks
- Buffer overflow vulnerability (code execution possible)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (5)
5 with fix
Product: Affected Versions / Fix Status
- Cobalt: affected <12.6.1204.204; fixed in 12.6.1204.204 or later
- Xenon: affected <12.6.1204.204; fixed in 12.6.1204.204 or later
- Argon: affected <12.6.1204.204; fixed in 12.6.1204.204 or later
- Lithium: affected <12.6.1204.204; fixed in 12.6.1204.204 or later
- Cobalt Share: affected <12.6.1204.204; fixed in 12.6.1204.204 or later
Remediation & Mitigation
Do now
- WORKAROUND: Restrict file opening to trusted sources only; do not open CO/XE/AR/LI files or supported imports from untrusted or unsolicited sources
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Cobalt, Xenon, Argon, Lithium, and Cobalt Share to version 12.6.1204.204 or later using Help > Check Web for Updates
- HARDENING: Use VPN for any required remote access to engineering workstations, and maintain VPN software at the latest patch level
Long-term hardening
- HARDENING: Isolate engineering workstations running these applications from the business network and internet; use network segmentation to limit lateral movement if a workstation is compromised
API:
/api/v1/advisories/5942de2b-005b-451f-9c02-394c9054bfa7