Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share

CVSS 7.8 | ICS-CERT ICSA-25-329-01 | Nov 25, 2025
Attack path
  Attack Vector: Local
  Auth Required: None
  Complexity: Low
  User Interaction: Required
Summary

A buffer overflow vulnerability (CWE-787, CWE-122) in Ashlar-Vellum design software (Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and earlier) could allow an attacker to disclose information or execute arbitrary code. Exploitation requires local access and user interaction—the attacker cannot exploit this remotely.

What this means
What could happen
An attacker with local access to a machine running vulnerable Ashlar-Vellum software could execute arbitrary code or steal sensitive information (such as design files or credentials) by tricking a user into opening a malicious file.
Who's at risk
Organizations using Ashlar-Vellum design software (Cobalt, Xenon, Argon, Lithium, Cobalt Share) for CAD, engineering, or schematic design should be aware of this vulnerability. This affects engineering workstations and design computers, not directly OT control systems, but may impact OT environments where design files are created or modified on-site. The risk is primarily to engineers and design staff.
How it could be exploited
An attacker crafts a malicious file (likely a project or design file format that Ashlar-Vellum reads) and tricks a user into opening it. When the application processes the file, the buffer overflow is triggered, allowing the attacker to run code with the privileges of the user who opened the file.
Prerequisites
  • Local access to a machine running the vulnerable application
  • User interaction required—target must open a malicious file
  • No authentication or special configuration needed

  • Local exploitation only (reduces immediate threat)
  • User interaction required
  • Buffer overflow vulnerabilities can be high-impact
  • Low EPSS score (0.2%) suggests exploitation is difficult in practice
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (5)
5 with fix
Product        Affected Versions    Fix Status
Cobalt         <= 12.6.1204.207     12.6.1204.208
Cobalt Share   <= 12.6.1204.207     12.6.1204.208
Xenon          <= 12.6.1204.207     12.6.1204.208
Argon          <= 12.6.1204.207     12.6.1204.208
Lithium        <= 12.6.1204.207     12.6.1204.208
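The advisory's affected range is "12.6.1204.207 and earlier", fixed in 12.6.1204.208. A common mistake when checking an inventory against such a threshold is to compare version strings as text, which orders "12.6.99.1" after "12.6.1204.208" and silently misses an older build. The following is an added example (not part of the advisory or of any Ashlar-Vellum or OTPulse tooling) that compares versions component by component against the fix build; the hostnames and installed versions in the sample inventory are constructed for the example.

```python
"""Flag hosts whose Ashlar-Vellum installs fall in the affected range (<= 12.6.1204.207)."""

from typing import Iterable, List, Tuple

# Values taken from the advisory: the five affected products and the first fixed build.
AFFECTED_PRODUCTS = frozenset({"Cobalt", "Cobalt Share", "Xenon", "Argon", "Lithium"})
FIXED_VERSION = "12.6.1204.208"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.6.1204.207' into (12, 6, 1204, 207) so components compare numerically.

    Plain string comparison is wrong for this check: '12.6.99.1' sorts *after*
    '12.6.1204.208' as text but is an older build numerically.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True when the product is in the advisory's list and the build predates the fix."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def hosts_needing_patch(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need the 12.6.1204.208 update."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "Cobalt", "12.6.1204.207"),   # affected: last vulnerable build
    ("eng-ws-02", "Cobalt", "12.6.1204.208"),   # fixed build
    ("eng-ws-03", "Xenon", "12.6.99.1"),        # affected; a text comparison would miss it
    ("eng-ws-04", "Cobalt Share", "12.7.1"),    # newer minor version, not affected
    ("eng-ws-05", "OtherApp", "1.0.0"),         # hypothetical product not in the advisory
]

if __name__ == "__main__":
    for host, product, version in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> update to {FIXED_VERSION} or later")
```

Feed `hosts_needing_patch` the rows exported from whatever software inventory the engineering workstations report into; the product name must match the advisory's naming exactly, so normalise it before the lookup if the inventory tool reports it differently.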
Remediation & Mitigation
Do now
WORKAROUND: Train users not to open design files or project files from untrusted sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Cobalt to version 12.6.1204.208 or later
HOTFIX: Update Cobalt Share to version 12.6.1204.208 or later
HOTFIX: Update Xenon to version 12.6.1204.208 or later
HOTFIX: Update Argon to version 12.6.1204.208 or later
HOTFIX: Update Lithium to version 12.6.1204.208 or later
Long-term hardening
HARDENING: Restrict local access to machines running Ashlar-Vellum software to trusted users only

Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share | CVSS 7.8 - OTPulse