CVE-2025-13663 – The Quartus Prime Pro Installer for Windows fai... (How to Fix)

Q: What is the severity of CVE-2025-13663?

CVE-2025-13663 has a CVSS score of 6.7 (MEDIUM). The Quartus Prime Pro Installer for Windows fails to verify directory permissions when installing to an existing directory, allowing attackers to potentially write malicious files to protected locations. This affects users installing Quartus Prime Pro on Windows systems where the target directory already exists. Attackers could escalate privileges or compromise system integrity.

📋 TL;DR

The Quartus Prime Pro Installer for Windows fails to verify directory permissions when installing to an existing directory, allowing attackers to potentially write malicious files to protected locations. This affects users installing Quartus Prime Pro on Windows systems where the target directory already exists. Attackers could escalate privileges or compromise system integrity.

💻 Affected Systems

Products:

Quartus Prime Pro Installer

Versions: All versions prior to patched release

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects installations where the target directory already exists; fresh installations to new directories are not vulnerable.

📦 What is this software?

Quartus Prime by Intel

View all CVEs affecting Quartus Prime →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Privilege escalation leading to full system compromise, installation of persistent malware, or complete system takeover.

🟠

Likely Case

Local privilege escalation allowing attackers to write files to protected directories, potentially leading to code execution with elevated privileges.

🟢

If Mitigated

Limited impact with proper access controls and monitoring, potentially only allowing file writes to specific directories without execution.

🌐 Internet-Facing: LOW

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access and ability to trigger installer with existing target directory; no known public exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Latest version from vendor advisory

Vendor Advisory: https://www.altera.com/security/security-advisory/asa-0001

Restart Required: No

Instructions:

1. Download latest Quartus Prime Pro installer from Intel/Altera official site. 2. Uninstall vulnerable version. 3. Install updated version to a new directory or ensure proper permissions on existing directory.

🔧 Temporary Workarounds

Use fresh installation directory

windows

Always install to a new directory that doesn't exist, forcing proper permission checks

Set strict directory permissions

windows

Manually set proper permissions on installation directories before running installer

icacls "C:\quartus_install_path" /inheritance:r /grant:r "Users:(OI)(CI)(RX)" /grant:r "Administrators:(OI)(CI)F"

🧯 If You Can't Patch

Restrict installer execution to trusted administrators only
Monitor file system changes in installation directories for unauthorized writes

🔍 How to Verify

Check if Vulnerable:

Check if installing to existing directory bypasses permission prompts; review installer version against vendor advisory.

Check Version:

Check installer properties or run installer with --version flag if supported

Verify Fix Applied:

Test installation to existing directory - should prompt for elevated permissions or fail if insufficient rights.

📡 Detection & Monitoring

Log Indicators:

Windows Event Logs showing file writes to protected directories without proper permissions
Installer logs showing installation to existing directories

Network Indicators:

None - local vulnerability only

SIEM Query:

EventID=4663 AND ObjectName LIKE '%quartus%' AND Accesses LIKE '%WriteData%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrators')

📊 Metadata

CVE ID: CVE-2025-13663

CVSS v3 Score: 6.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-279

EPSS Score: 0.01% exploit probability (1.4th percentile)

Published: December 11, 2025

Last Updated: January 12, 2026

🔗 References

https://www.altera.com/security/security-advisory/asa-0001 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13663, you might also want to check these: