CVE-2025-7996 is a high-severity remote code execution vulnerability affecting Ashlar-Vellum Cobalt version 12 SP1. The vulnerability arises from an out-of-bounds write condition (CWE-787) in the AR file parsing functionality. Specifically, the software fails to properly validate user-supplied data when processing AR files, leading to a write operation beyond the allocated memory buffer. This memory corruption can be exploited by an attacker to execute arbitrary code within the context of the current process. Exploitation requires user interaction, such as opening a maliciously crafted AR file or visiting a malicious webpage that triggers the vulnerable parsing routine. The vulnerability does not require prior authentication, but the attacker must convince the user to perform the triggering action. The CVSS v3.0 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although no known exploits are currently observed in the wild, the vulnerability's characteristics make it a significant risk, especially in environments where Ashlar-Vellum Cobalt is used to handle AR files. The vulnerability was publicly disclosed in September 2025 and was tracked by ZDI as ZDI-CAN-25982. No official patches have been linked yet, indicating that affected organizations should prioritize mitigation and monitoring until a fix is available.

For European organizations using Ashlar-Vellum Cobalt 12 SP1, this vulnerability poses a critical risk to system security and data integrity. Successful exploitation could allow attackers to execute arbitrary code remotely, potentially leading to full system compromise, data theft, or disruption of business operations. Given that the vulnerability affects a specialized CAD software product, organizations in sectors such as engineering, manufacturing, architecture, and design—where Ashlar-Vellum Cobalt is more likely deployed—are at higher risk. The requirement for user interaction means that phishing or social engineering campaigns could be leveraged to deliver malicious AR files or lure users to compromised websites. The impact extends beyond individual workstations to potentially affect networked environments if the compromised system has access to sensitive design data or intellectual property. Additionally, the high confidentiality impact could lead to exposure of proprietary designs or client information, while integrity and availability impacts could disrupt project workflows and cause financial losses. European organizations must consider these risks in the context of GDPR and other data protection regulations, as exploitation could lead to regulatory penalties if personal or sensitive data is compromised.

1. Immediate mitigation should focus on user awareness and training to recognize and avoid opening suspicious AR files or visiting untrusted websites, especially those purporting to deliver design files. 2. Implement strict email filtering and endpoint protection controls to detect and block malicious attachments or links that could trigger the vulnerability. 3. Restrict the use of Ashlar-Vellum Cobalt 12 SP1 to trusted networks and users, and consider isolating systems running this software from critical infrastructure until a patch is available. 4. Employ application whitelisting and sandboxing techniques to limit the execution context of Ashlar-Vellum Cobalt and contain potential exploitation. 5. Monitor system and network logs for unusual behavior indicative of exploitation attempts, such as unexpected process launches or memory access violations related to AR file handling. 6. Engage with Ashlar-Vellum support channels to obtain updates on patch availability and apply security updates promptly once released. 7. Consider deploying intrusion detection/prevention systems with signatures tailored to detect attempts to exploit this specific vulnerability. 8. Review and harden file sharing and collaboration workflows to minimize exposure to untrusted AR files.