CVE-2025-7990: CWE-787: Out-of-bounds Write in Ashlar-Vellum Cobalt
Ashlar-Vellum Cobalt VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of VC6 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25944.
AI Analysis
Technical Summary
CVE-2025-7990 is a high-severity vulnerability classified under CWE-787 (Out-of-bounds Write) affecting Ashlar-Vellum Cobalt version 12 SP1. The vulnerability arises from improper validation of user-supplied data during the parsing of VC6 files, which are presumably project or design files used by the Cobalt software. Specifically, the flaw allows an attacker to write data beyond the allocated bounds of a data structure, leading to memory corruption. This memory corruption can be exploited to execute arbitrary code within the context of the current process. Exploitation requires user interaction, such as opening a maliciously crafted VC6 file or visiting a malicious webpage that triggers the file parsing. The vulnerability does not require prior authentication but does require user action (UI:R). The CVSS v3.0 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although no public exploits are currently known, the nature of the vulnerability and its potential for remote code execution make it a significant threat to users of Ashlar-Vellum Cobalt 12 SP1. The vulnerability was reserved in July 2025 and published in September 2025, indicating recent discovery and disclosure. No patches or mitigations have been linked yet, so affected users must be vigilant. The vulnerability was identified by the Zero Day Initiative (ZDI) under ZDI-CAN-25944, which suggests it was responsibly disclosed.
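The advisory describes the flaw only at the level of CWE-787 in VC6 parsing: a quantity taken from the file is trusted and a write runs past the end of an allocated structure. As an added illustration (not code from Ashlar-Vellum, ZDI or this page, and not the real VC6 format, which the advisory does not describe), the hypothetical tag/length/payload record below shows that pattern beside the bounds-checked version a parser should use. The record layout, the `NAME_MAX` limit and the sample inputs are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example. It is NOT the
 * real VC6 format, which the advisory does not describe:
 *   byte 0      tag
 *   bytes 1-2   len, little-endian count of payload bytes that follow
 *   bytes 3..   payload (a name string, not NUL-terminated on disk)
 */
#define NAME_MAX 32

struct record {
    uint8_t tag;
    char name[NAME_MAX];   /* fixed-size destination: the "allocated data structure" */
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The CWE-787 pattern the advisory describes: the length is read from the
 * file and used directly. A len above NAME_MAX writes past out->name, and a
 * len above the bytes actually present also reads past the input buffer.
 * Shown for contrast only; never call it on untrusted input. */
static void parse_record_unchecked(const uint8_t *buf, struct record *out)
{
    uint16_t len = read_le16(buf + 1);
    out->tag = buf[0];
    memcpy(out->name, buf + 3, len);   /* no check against NAME_MAX */
    out->name[len] = '\0';             /* may also write one past the end */
}

/* Hardened version: every file-controlled quantity is validated against both
 * the input that is actually present and the destination's capacity before
 * any write happens. */
static enum parse_status parse_record_checked(const uint8_t *buf, size_t buflen,
                                              struct record *out)
{
    if (buflen < 3)
        return PARSE_TRUNCATED;                 /* header itself is incomplete */
    uint16_t len = read_le16(buf + 1);
    if (len > buflen - 3)
        return PARSE_TRUNCATED;                 /* claims more payload than exists */
    if (len >= NAME_MAX)
        return PARSE_TOO_LONG;                  /* would overflow name[] (incl. NUL) */
    out->tag = buf[0];
    memcpy(out->name, buf + 3, len);
    out->name[len] = '\0';
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const uint8_t good_record[] = { 0x01, 0x05, 0x00, 'P', 'a', 'r', 't', 'A' };
/* Header claims 0x0100 = 256 payload bytes but only 5 follow. */
static const uint8_t truncated_record[] = { 0x01, 0x00, 0x01, 'P', 'a', 'r', 't', 'A' };

/* Returns 1 when the benign record parses correctly. */
static int demo_good(void)
{
    struct record r;
    return parse_record_checked(good_record, sizeof good_record, &r) == PARSE_OK
        && r.tag == 0x01 && strcmp(r.name, "PartA") == 0;
}

static enum parse_status demo_truncated(void)
{
    struct record r;
    return parse_record_checked(truncated_record, sizeof truncated_record, &r);
}

/* A record whose 40-byte payload is really present but exceeds NAME_MAX:
 * the unchecked parser would corrupt memory here; the checked one refuses. */
static enum parse_status demo_oversized(void)
{
    uint8_t buf[3 + 40];
    struct record r;
    buf[0] = 0x02;
    buf[1] = 40;
    buf[2] = 0;
    memset(buf + 3, 'A', 40);
    return parse_record_checked(buf, sizeof buf, &r);
}

int main(void)
{
    struct record r;
    parse_record_unchecked(good_record, &r);   /* safe only because the input is benign */
    printf("unchecked name=%s\n", r.name);
    printf("good=%d truncated=%d oversized=%d\n",
           demo_good(), (int)demo_truncated(), (int)demo_oversized());
    return 0;
}
```

The two checks in `parse_record_checked` correspond to the two halves of the advisory's description: the comparison against `buflen` stops the parser reading beyond the bytes it was given, and the comparison against `NAME_MAX` stops the write past the end of the structure. Fuzzing a real parser with truncated and oversized length fields is the usual way to find the missing second check.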
Potential Impact
For European organizations using Ashlar-Vellum Cobalt 12 SP1, this vulnerability poses a serious risk. Successful exploitation could lead to full compromise of affected systems, allowing attackers to execute arbitrary code, potentially leading to data theft, sabotage, or lateral movement within networks. Given that Ashlar-Vellum Cobalt is specialized CAD/design software, organizations in engineering, manufacturing, architecture, and product design sectors are particularly at risk. Compromise of design files or intellectual property could result in significant financial loss and competitive disadvantage. Additionally, if exploited in a targeted attack, it could serve as an entry point for broader network intrusion. The requirement for user interaction means that social engineering or phishing campaigns could be used to deliver malicious files or links. The high confidentiality, integrity, and availability impacts mean that data breaches, data manipulation, or denial of service conditions could occur. European organizations with strict data protection regulations (e.g., GDPR) may face compliance and reputational consequences if this vulnerability is exploited.
Mitigation Recommendations
1. Immediate mitigation should include educating users about the risks of opening VC6 files from untrusted sources and avoiding visiting suspicious websites that could host malicious files.
2. Implement network-level protections such as email filtering and web content filtering to block malicious attachments or URLs related to VC6 files.
3. Employ endpoint detection and response (EDR) solutions to monitor for anomalous behavior indicative of exploitation attempts.
4. Restrict the use of Ashlar-Vellum Cobalt to trusted users and environments, and consider sandboxing or running the software with least privilege to limit the impact of potential exploitation.
5. Monitor vendor communications closely for patches or updates addressing CVE-2025-7990 and apply them promptly once available.
6. Conduct regular backups of critical design files and verify their integrity to enable recovery in case of compromise.
7. Use application whitelisting to prevent unauthorized execution of code spawned by exploitation attempts.
8. Review and tighten user interaction policies, such as disabling automatic file previews or downloads in email clients, to reduce the risk of inadvertent exploitation.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2025-07-21T19:49:59.408Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68cb20e9c138e352740b9f6b
Added to database: 9/17/2025, 8:58:17 PM
Last enriched: 9/25/2025, 12:37:44 AM
Last updated: 10/30/2025, 1:20:45 AM