Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share

Plan PatchCVSS 7.8ICS-CERT ICSA-25-224-01Aug 12, 2025

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Buffer overflow and buffer over-read vulnerabilities in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions before 12.6.1204.204. These CAD/design software products are vulnerable when processing .CO/.XE/.AR/.LI files or importing supported file formats. Successful exploitation could allow information disclosure and arbitrary code execution on the local system.

What this means

What could happen

An attacker could execute arbitrary code on a workstation running affected CAD software by sending a malicious design file. This could compromise engineering workstations, potentially allowing theft of design data or lateral movement into corporate or operational networks.

Who's at risk

Engineering and design teams using Ashlar-Vellum CAD software (Cobalt, Xenon, Argon, Lithium, Cobalt Share). This affects architectural, mechanical, and design firms, as well as any organization using these tools for facility planning or industrial design. Risk is highest when these workstations are connected to corporate or operational networks, as a compromised design workstation could enable lateral movement.

How it could be exploited

An attacker sends a specially crafted design file (.CO/.XE/.AR/.LI or supported import format) to a user. When the user opens the file in vulnerable Ashlar-Vellum software, the buffer overflow is triggered, allowing the attacker to run arbitrary code with the privileges of the user running the application.

Prerequisites

User interaction required (victim must open a malicious file)
User running vulnerable software must have local or removable media access to the malicious file
File must be in a format the vulnerable application processes

local code executionrequires user interactionaffects design/engineering workstationsbuffer overflow vulnerability (CWE-787, CWE-125, CWE-122)

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

Cobalt: <12.6.1204.204<12.6.1204.20412.6.1204.204+

Xenon: <12.6.1204.204<12.6.1204.20412.6.1204.204+

Argon: <12.6.1204.204<12.6.1204.20412.6.1204.204+

Lithium: <12.6.1204.204<12.6.1204.20412.6.1204.204+

Cobalt Share: <12.6.1204.204<12.6.1204.20412.6.1204.204+

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDInstruct users to open only .CO/.XE/.AR/.LI files and imported file formats from trusted sources

HARDENINGImplement email filtering to block unsolicited attachments with design file extensions or macros

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Cobalt, Xenon, Argon, Lithium, and Cobalt Share to version 12.6.1204.204 or later

Long-term hardening

0/1

HARDENINGRestrict network access to engineering workstations where possible, and segment them from operational networks

CVEs (4)

CVE-2025-53705 CVE-2025-41392 CVE-2025-52584 CVE-2025-46269

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5942de2b-005b-451f-9c02-394c9054bfa7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.