CVE-2025-52584
Ashlar-Vellum · Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share
A high-severity vulnerability has been identified in multiple Ashlar-Vellum computer-aided design (CAD) software products.
Executive summary
An attacker who can convince a user to open a malicious design file with an affected version of the software could execute arbitrary code and take control of the user's workstation. From there, the attacker could steal sensitive intellectual property, deploy ransomware, or pivot further into the corporate network.
Vulnerability
The vulnerability exists due to improper input validation when parsing specific design file formats. An attacker can craft a malicious design file whose contents the parser does not properly validate. When a user opens this file with an affected version of the software, a buffer overflow is triggered and the attacker's code executes on the victim's system with the same privileges as the logged-in user; no elevation beyond that user's rights is implied by the flaw itself. Successful exploitation requires user interaction: the victim must be convinced to open the malicious file.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Exploitation could have a significant business impact, including the compromise of confidential data and intellectual property, such as proprietary designs and schematics. A successful attack could lead to the deployment of ransomware, causing operational disruption and financial loss. Furthermore, a compromised workstation could be used as a staging point for an attacker to move laterally across the network, escalating the incident and potentially leading to a widespread data breach and reputational damage.
Remediation
Immediate Action: Apply the vendor-supplied security patches to all affected systems. Upgrade all instances of Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share to version 12 or later, and confirm the installed version on each workstation after the update rather than relying on deployment tooling alone. After patching, monitor systems for signs of exploitation attempts and review system and application access logs for unusual activity that preceded the patch deployment, since a workstation compromised before patching stays compromised after it.
Proactive Monitoring: Implement enhanced monitoring on endpoints running the affected software. Security teams should look for indicators of compromise such as:
- The affected software processes (e.g., Cobalt.exe, Xenon.exe) spawning unexpected child processes such as cmd.exe or powershell.exe.
- Unusual outbound network connections from the application to unknown IP addresses or domains.
- File modifications or creations in directories outside of the user's typical project folders.
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:
- Enforce a strict policy against opening design files from untrusted or unverified sources.
- Use application control (e.g., AppLocker or Windows Defender Application Control) to allow only approved executables and scripts to run. Note that AppLocker does not restrict which processes a given application may launch; its value here is that a payload dropped by the compromised CAD process, or a script it tries to run, will be blocked unless it is on the allow list.
- Ensure Endpoint Detection and Response (EDR) solutions are deployed and properly configured to detect and block anomalous process behavior on workstations running this software.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high-severity rating (CVSS 7.8) and the potential for code execution leading to data theft or ransomware, we strongly recommend that organizations prioritize immediate deployment of the vendor-supplied security updates. Although this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and no public exploit is known, file-parsing flaws in engineering software are a well-established phishing vector, and the impact on data confidentiality and system integrity warrants urgent attention. If patching is delayed, the compensating controls outlined above should be implemented without delay to mitigate the immediate risk.