CVE-2025-13665

6.7 MEDIUM

📋 TL;DR

CVE-2025-13665 is a DLL planting vulnerability in the System Console Utility for Windows that allows attackers to execute arbitrary code by placing malicious DLLs in directories where the application searches for them. This affects Windows systems running vulnerable versions of the utility. Attackers can exploit this to gain the same privileges as the user running the application.

💻 Affected Systems

Products:
  • System Console Utility for Windows
Versions: Specific versions not detailed in reference; likely multiple versions prior to patch
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configurations where the application searches for DLLs in insecure locations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise if exploited by an attacker with local access who can plant malicious DLLs and trick users into running the utility, potentially leading to privilege escalation or persistence.

🟠 Likely Case

Local privilege escalation or arbitrary code execution by authenticated users who can write to directories in the DLL search path, allowing them to execute malicious code with the privileges of the utility.

🟢 If Mitigated

Limited impact if proper access controls prevent unauthorized users from writing to application directories and users run with minimal privileges.

🌐 Internet-Facing: LOW - This is primarily a local attack vector requiring access to the file system or ability to plant DLLs.
🏢 Internal Only: MEDIUM - Internal attackers with local access could exploit this for privilege escalation or lateral movement within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to plant DLLs and knowledge of DLL search order. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in reference; check vendor advisory for patched versions

Vendor Advisory: https://www.altera.com/security/security-advisory/asa-0002

Restart Required: Yes

Instructions:

1. Visit the vendor advisory URL.
2. Download and install the latest patched version of System Console Utility.
3. Restart the system to ensure changes take effect.

🔧 Temporary Workarounds

Restrict DLL search path

windows

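Modify application or system settings to restrict DLL search to secure directories only. SafeDllSearchMode is enabled by default on current Windows versions and only moves the current working directory later in the search order; the application's own directory is still searched first, so this setting alone does not cover a writable install directory.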

Set SafeDllSearchMode registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode = 1

Remove write permissions from application directories

windows

Prevent unauthorized users from writing DLLs to directories where the application searches (replace the path below with the actual install directory)

icacls "C:\Program Files\SystemConsoleUtility" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Run the utility with minimal user privileges (non-admin accounts)
  • Implement application whitelisting to prevent execution of unauthorized DLLs

🔍 How to Verify

Check if Vulnerable:

Check if System Console Utility version matches affected versions listed in vendor advisory

Check Version:

Check application properties or run: wmic product where name="System Console Utility" get version

Verify Fix Applied:

Verify installed version is patched per vendor advisory and test DLL loading behavior

📡 Detection & Monitoring

Log Indicators:

  • Unexpected DLL loads from non-standard directories in application logs
  • Process creation events for System Console Utility with suspicious parent processes

Network Indicators:

  • Unusual outbound connections from System Console Utility process

SIEM Query:

Process Creation where Image contains "systemconsole" AND ParentImage NOT IN ("explorer.exe", "cmd.exe")
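
The first log indicator above (DLL loads from non-standard directories) can be checked against Sysmon image-load events (Event ID 7). The following is an added example, not code from the vendor or the original page; the executable name, DLL names and trusted-directory list are assumptions, and the sample events are constructed.

```python
import ntpath

# Assumptions: the process-name fragment comes from the page's SIEM query and the
# install directory from its icacls example; adjust both to the real deployment.
PROCESS_FRAGMENT = "systemconsole"
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files\systemconsoleutility",
)

def _norm(path):
    """Collapse '..' segments and lower-case so prefix checks cannot be dodged."""
    return ntpath.normpath(path).lower()

def _trusted(dll_path):
    dll = _norm(dll_path)
    return any(dll.startswith(d + "\\") for d in TRUSTED_DIRS)

def suspicious_loads(events):
    """Return (dll_path, reasons) for the utility's image loads that need triage."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:  # Sysmon image-load events only
            continue
        if PROCESS_FRAGMENT not in ntpath.basename(ev["Image"]).lower():
            continue
        reasons = []
        if not _trusted(ev["ImageLoaded"]):
            reasons.append("outside trusted directories")
        if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        if reasons:
            findings.append((_norm(ev["ImageLoaded"]), reasons))
    return findings

# Constructed sample events using Sysmon Event ID 7 field names (not real telemetry;
# the executable and DLL names are hypothetical).
EXE = r"C:\Program Files\SystemConsoleUtility\systemconsole.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Windows\System32\example.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Users\Public\example.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Program Files\SystemConsoleUtility\..\..\Temp\example.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Program Files\SystemConsoleUtility\plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\notepad.exe", "ImageLoaded": r"C:\Temp\example.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": EXE},
]
```

An unsigned DLL inside the install directory is still reported, since that directory is only as trustworthy as its write permissions.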
