CISA issues alert on Ashlar-Vellum vulnerabilities in multiple products
Ashlar-Vellum has identified vulnerabilities involving out-of-bounds write and heap-based buffer overflow in its Cobalt, Xenon, Argon, Lithium, and Cobalt Share products, posing risks of information disclosure and arbitrary code execution.
The issues are tracked as CVE-2025-65084 and CVE-2025-65085 and affect versions 12.6.1204.207 and earlier of the listed software. The vulnerabilities lie in core components of each product, and exploitation requires user interaction. Both vulnerabilities carry a Common Vulnerability Scoring System (CVSS) v3.1 base score of 7.8 and a CVSS v4 base score of 8.4; the full vector strings are given in the advisory.
Exploiting these vulnerabilities could enable unauthorized disclosure of information or the execution of arbitrary code within the affected environments.
Ashlar-Vellum recommends upgrading to version 12.6.1204.208 or newer across all affected products to address the vulnerabilities. Recommended defensive measures include configuring control system networks to limit exposure, placing firewalls in front of affected systems, and using secure remote access methods such as Virtual Private Networks (VPNs), while keeping the VPN solutions themselves up to date.
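A defender's first task after an advisory like this is to find which installs still sit at or below 12.6.1204.207. The following is an added example, not code from the advisory or from Ashlar-Vellum: it compares dotted version strings numerically (so that, for instance, 12.10 is not treated as older than 12.6) and flags in-scope products against a constructed, made-up inventory.

```python
# Added example (not from the advisory): flag installs of the affected
# Ashlar-Vellum products whose version is below the first fixed release.

AFFECTED_PRODUCTS = {"Cobalt", "Xenon", "Argon", "Lithium", "Cobalt Share"}
FIXED_VERSION = "12.6.1204.208"  # first fixed release named in the advisory
ADVISORY_CVES = ("CVE-2025-65084", "CVE-2025-65085")


def parse_version(text: str) -> tuple:
    """Split a dotted version into integers so 12.10 sorts after 12.6."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True when the product is in scope and the version predates the fix."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_affected(inventory):
    """Return the (host, product, version) rows that still need the upgrade."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "Cobalt", "12.6.1204.207"),
    ("eng-ws-02", "Xenon", "12.6.1204.208"),
    ("eng-ws-03", "Argon", "12.5.1190.100"),
    ("cad-srv-01", "Cobalt Share", "12.6.1204.210"),
    ("eng-ws-04", "OtherCAD", "1.0.0"),
]

if __name__ == "__main__":
    for host, product, version in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by "
              f"{', '.join(ADVISORY_CVES)}; upgrade to {FIXED_VERSION} or newer")
```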
Organizations are advised to conduct thorough impact and risk assessments before deploying mitigation strategies. Additional resources on industrial control system security and defense-in-depth approaches are available for reference. Observed suspicious activities should be reported through established channels for further analysis and correlation.