Executive Summary
In November 2025, Ashlar-Vellum disclosed two critical software vulnerabilities—an Out-of-Bounds Write (CVE-2025-65084) and a Heap-based Buffer Overflow (CVE-2025-65085)—impacting its Cobalt, Xenon, Argon, Lithium, and Cobalt Share products (version 12.6.1204.207 and prior). Identified by security researcher Michael Heinzl and published via CISA, these flaws could allow local attackers to gain information disclosure or execute arbitrary code on affected engineering systems, primarily used in the Critical Manufacturing sector worldwide. The vulnerabilities are rated high (CVSS v4 score 8.4), but no exploitation has been reported to date.
This incident reinforces the urgent need for robust vulnerability management and regular software patching within industrial control environments. Manufacturers and operators face increasing regulatory and operational pressure to proactively address new threats in their digital supply chains and critical OT infrastructure.
Why This Matters Now
High-severity vulnerabilities in widely deployed engineering software expose critical manufacturing and industrial environments to potential compromise. With growing sophistication in supply-chain attacks and stringent compliance mandates, timely patching and layered defenses are essential for safeguarding operational technology systems.
Attack Path Analysis
In the modeled attack path, an attacker exploits one of the local memory-corruption flaws in a vulnerable Ashlar-Vellum installation on a host, gaining arbitrary code execution. From that foothold the attacker escalates privileges on the host, likely to administrative level, then attempts lateral movement within the hybrid or cloud environment over east-west connections or internal service pivots. Command and control is established by deploying tools or scripts that communicate with external servers or manage compromised assets stealthily. Exfiltration follows, with attempts to move sensitive files or data out of the environment over outbound channels. The chain could culminate in data theft, destruction, ransomware, or disruption of critical business functions.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited a local out-of-bounds write or heap overflow (CVE-2025-65084/65085) in Ashlar-Vellum software on a host, leading to arbitrary code execution.
Related CVEs
CVE-2025-65084
CVSS 9.8
An Out-of-Bounds Write vulnerability in Ashlar-Vellum products could allow an attacker to disclose information or execute arbitrary code.
Affected Products:
Ashlar-Vellum Cobalt – 12.6.1204.207 and prior
Ashlar-Vellum Xenon – 12.6.1204.207 and prior
Ashlar-Vellum Argon – 12.6.1204.207 and prior
Ashlar-Vellum Lithium – 12.6.1204.207 and prior
Ashlar-Vellum Cobalt Share – 12.6.1204.207 and prior
Exploit Status:
no public exploit
CVE-2025-65085
CVSS 9.8
A Heap-based Buffer Overflow vulnerability in Ashlar-Vellum products could allow an attacker to disclose information or execute arbitrary code.
Affected Products:
Ashlar-Vellum Cobalt – 12.6.1204.207 and prior
Ashlar-Vellum Xenon – 12.6.1204.207 and prior
Ashlar-Vellum Argon – 12.6.1204.207 and prior
Ashlar-Vellum Lithium – 12.6.1204.207 and prior
Ashlar-Vellum Cobalt Share – 12.6.1204.207 and prior
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
User Execution
Exploitation for Privilege Escalation
Exploit Public-Facing Application
Process Injection
Windows Management Instrumentation
System Information Discovery
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address Common and Emerging Vulnerabilities
Control ID: 6.2.2
NIS2 Directive – Vulnerability Handling and Disclosure
Control ID: Article 21(2)(d)
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.07(b)
CISA ZTMM 2.0 – Vulnerability Management and Patch Compliance
Control ID: Application Workload – Control 2
DORA – ICT Risk Management – Protection and Prevention
Control ID: Article 8(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Critical Manufacturing
Ashlar-Vellum CAD software vulnerabilities enable arbitrary code execution in design systems, compromising manufacturing processes and intellectual property through heap-based buffer overflows.
Architecture/Planning
Out-of-bounds write vulnerabilities in design software could allow attackers to execute malicious code, potentially compromising architectural designs and sensitive project data.
Automotive
CAD software buffer overflow vulnerabilities threaten vehicle design integrity and manufacturing processes, requiring immediate patching to prevent information disclosure and code execution.
Aviation/Aerospace
Design software vulnerabilities pose critical risks to aircraft engineering systems, potentially enabling attackers to compromise safety-critical aerospace designs through code execution exploits.
Sources
- Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share (CISA advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01 (Verified)
- NVD - CVE-2025-65084: https://nvd.nist.gov/vuln/detail/CVE-2025-65084 (Verified)
- NVD - CVE-2025-65085: https://nvd.nist.gov/vuln/detail/CVE-2025-65085 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust and Cloud Network Security controls such as segmentation, east-west security, egress enforcement, inline threat detection, and encrypted traffic inspection would have contained the attack, limited lateral spread, and prevented data exfiltration or business disruption. Proactive enforcement based on identity and behavior could break the attacker's chain at multiple points, protecting workloads and sensitive data even after initial compromise.
Control: Threat Detection & Anomaly Response
Mitigation: Behavioral and signature-based controls would rapidly detect exploitation attempts.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Runtime enforcement and real-time inspection reduce the attacker's ability to escalate without detection.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation contains compromise to the initial workload.
Control: Cloud Firewall (ACF) & Egress Security & Policy Enforcement
Mitigation: Enforced outbound filtering blocks C2 channels.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts are detected and interdicted at the egress point.
High-fidelity observability enables rapid detection and response to destructive actions.
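The "Threat Detection & Anomaly Response" control above talks about behavioral detection of exploitation attempts. One concrete, low-noise behavioral check for a file-parsing memory-corruption bug in a desktop CAD application is to alert when that application spawns a shell or script interpreter, something it has no legitimate reason to do. The following is an added example, not code from the advisory or from Ashlar-Vellum: it runs that rule over a handful of constructed Windows process-creation events. The CAD executable names in CAD_IMAGES are placeholders I assumed for illustration, not names taken from the vendor; replace them with the real image names from your software inventory.

```python
"""Added example: flag shell/script interpreters spawned by a CAD application.

The events below are constructed for this example. The CAD image names are
assumed placeholders, not values from the advisory or the vendor.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed image names for the desktop products named in the advisory (placeholders).
CAD_IMAGES = {"cobalt.exe", "xenon.exe", "argon.exe", "lithium.exe", "cobaltshare.exe"}

# Children a CAD program has no business launching. Seeing one right after a
# drawing file is opened is a strong signal that code execution was achieved.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


@dataclass(frozen=True)
class Alert:
    host: str
    timestamp: str
    parent: str
    child: str
    command_line: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def detect(events: list[dict]) -> list[Alert]:
    """Apply the parent/child rule to process-creation events and return alerts."""
    alerts = []
    for ev in events:
        parent = image_name(ev["parent_image"])
        child = image_name(ev["image"])
        if parent in CAD_IMAGES and child in SUSPICIOUS_CHILDREN:
            alerts.append(Alert(ev["host"], ev["timestamp"], parent, child, ev["command_line"]))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "eng-ws-01", "timestamp": "2025-11-25T09:12:03Z",
     "parent_image": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "eng-ws-01", "timestamp": "2025-11-25T09:11:40Z",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe", "command_line": "Cobalt.exe part.co"},
    {"host": "eng-ws-02", "timestamp": "2025-11-25T10:02:17Z",
     "parent_image": r"C:\Program Files\Ashlar-Vellum\Xenon\Xenon.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"host": "eng-ws-03", "timestamp": "2025-11-25T10:30:00Z",
     "parent_image": r"C:\Program Files\Ashlar-Vellum\Argon\Argon.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe readme.txt"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.timestamp} {alert.host}: {alert.parent} -> {alert.child}: {alert.command_line}")
```

Only the first and third events fire: a legitimate launch of the CAD program from Explorer and a CAD program opening Notepad are left alone. In production the same rule maps naturally onto Sysmon Event ID 1 or Windows Security event 4688 fields, and it complements patching rather than replacing it.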
Impact at a Glance
Affected Business Functions
- Product Design
- Engineering
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of proprietary design files and intellectual property.
Recommended Actions
Key Takeaways & Next Steps
- Immediately apply Ashlar-Vellum software patches to eliminate known vulnerabilities exploited for initial compromise.
- Enforce Zero Trust Segmentation to restrict east-west movement and limit blast radius of compromised hosts.
- Deploy inline threat detection and behavioral analytics to rapidly identify and respond to exploit attempts and suspicious activity.
- Implement rigorous egress filtering and policy enforcement to prevent unauthorized data exfiltration and block command and control.
- Centralize visibility and automate response workflows to ensure rapid detection, containment, and recovery across hybrid and multicloud environments.
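The first takeaway is to patch, and the "Affected Products" lists earlier on the page give the exact boundary: version 12.6.1204.207 and prior, across five products. The following added example (not code from the advisory or from Ashlar-Vellum) turns that boundary into a patch-compliance check that can be run against an inventory export. It compares dotted versions component by component rather than as strings, so that 12.6.1204.208 and 12.7.x are correctly treated as fixed, and it refuses to silently mark a host as patched when the version string cannot be parsed. The inventory rows are constructed sample data, and the dictionary field names are assumptions about the export format.

```python
"""Added example: patch-compliance check against the advisory's version boundary.

Inventory rows below are constructed sample data; the field names "host",
"product" and "version" are assumptions about an inventory export.
"""
from __future__ import annotations

from dataclasses import dataclass

# Boundary from the advisory: these products at this version and prior are affected.
AFFECTED_MAX_VERSION = "12.6.1204.207"
AFFECTED_PRODUCTS = {"Cobalt", "Xenon", "Argon", "Lithium", "Cobalt Share"}
RELATED_CVES = ("CVE-2025-65084", "CVE-2025-65085")


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version into a tuple of ints so it compares numerically.

    A non-numeric component raises ValueError; callers must not treat an
    unparsable version as patched.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts


def is_affected(product: str, version: str) -> bool:
    """True when the product is on the advisory's list and version <= 12.6.1204.207.

    Tuple comparison is lexicographic, so (12, 6, 1204, 208) > (12, 6, 1204, 207)
    and (12, 7, 0, 1) > (12, 6, 1204, 207); a shorter prefix such as (12, 6) sorts
    below the boundary and is reported as affected.
    """
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) <= parse_version(AFFECTED_MAX_VERSION)


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    reason: str


def scan_inventory(rows: list[dict]) -> list[Finding]:
    """Return one Finding per host that is affected or whose version cannot be verified."""
    findings = []
    for row in rows:
        try:
            affected = is_affected(row["product"], row["version"])
        except ValueError:
            findings.append(Finding(row["host"], row["product"], row["version"],
                                    "version string unparsable; verify manually"))
            continue
        if affected:
            findings.append(Finding(row["host"], row["product"], row["version"],
                                    f"<= {AFFECTED_MAX_VERSION}; exposed to {' and '.join(RELATED_CVES)}"))
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "eng-ws-01", "product": "Cobalt", "version": "12.6.1204.207"},
    {"host": "eng-ws-02", "product": "Xenon", "version": "12.6.1204.208"},
    {"host": "eng-ws-03", "product": "Cobalt Share", "version": "12.5.1101.42"},
    {"host": "eng-ws-04", "product": "Argon", "version": "12.7.0.10"},
    {"host": "eng-ws-05", "product": "Lithium", "version": "unknown"},
]


if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.product} {f.version}: {f.reason}")
```

Against the sample inventory the check reports eng-ws-01 (exactly at the boundary), eng-ws-03 (an older build) and eng-ws-05 (unverifiable), while the two hosts on newer builds are passed over. The unverifiable case is deliberate: in ICS environments inventory data is often incomplete, and a compliance report that quietly drops those hosts would overstate coverage.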