CVE-2025-14625
📋 TL;DR
This CVE describes a Search Order Hijacking vulnerability in Altera Quartus Prime's Nios II Command Shell modules on Windows. Attackers can place malicious DLLs in directories searched before legitimate ones, potentially executing arbitrary code. This affects Quartus Prime Standard and Lite versions 19.1 through 24.1 on Windows systems.
💻 Affected Systems
- Altera Quartus Prime Standard
- Altera Quartus Prime Lite
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with the privileges of the Quartus Prime process, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Local privilege escalation or execution of malicious payloads when users run vulnerable Quartus Prime tools, particularly in development environments.
If Mitigated
Limited impact if proper application whitelisting, DLL search path restrictions, and least privilege principles are enforced.
🎯 Exploit Status
Exploitation requires local access to place malicious DLLs in search paths before legitimate ones are loaded.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.1.1 or later
Vendor Advisory: https://www.altera.com/security/security-advisory/asa-0005
Restart Required: No
Instructions:
1. Download and install Quartus Prime version 24.1.1 or later from Intel/Altera's official website.
2. Replace all existing installations of affected versions (19.1-24.1).
3. Verify installation by checking version in Quartus Prime interface.
🔧 Temporary Workarounds
Set SafeDllSearchMode
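Enable Windows SafeDllSearchMode to prioritize system directories over the current directory when loading DLLs. SafeDllSearchMode is enabled by default on current Windows versions, so this command re-asserts the setting if it has been turned off.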
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
Restrict Write Permissions
Remove write permissions from directories where Quartus Prime searches for DLLs to prevent malicious DLL placement.
icacls "C:\Program Files\Intel\Quartus" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Restrict user permissions to directories where Quartus Prime is installed to prevent DLL planting.
- Use application control solutions to block execution of unauthorized DLLs in Quartus Prime directories.
🔍 How to Verify
Check if Vulnerable:
Check Quartus Prime version in Help > About. If version is between 19.1 and 24.1 inclusive, the system is vulnerable.
Check Version:
In Quartus Prime, go to Help > About or check the version.txt file in the installation directory.
Verify Fix Applied:
Verify Quartus Prime version is 24.1.1 or later. Check that no unauthorized DLLs exist in Quartus Prime installation directories.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual paths
- Process Monitor logs showing Quartus Prime loading DLLs from user-writable directories
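The Process Monitor indicator above can be triaged offline from a CSV export. The script below is an added example, not part of the vendor advisory or this page's original content; the trusted-root list, the `quartus` process-name match (borrowed from the SIEM query on this page) and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Assumptions: directories treated as trusted DLL locations. Adjust to the real install.
TRUSTED_ROOTS = [r"C:\Windows", r"C:\Program Files\Intel\Quartus"]
PROCESS_MATCH = "quartus"  # mirrors ProcessName="*quartus*" in the page's SIEM query

# Constructed sample rows using Process Monitor's default CSV export columns.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","quartus.exe","4312","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:01:02.2","quartus.exe","4312","Load Image","C:\Program Files\Intel\Quartus\bin64\example.dll","SUCCESS",""
"10:01:02.3","quartus.exe","4312","CreateFile","C:\Users\dev\project\other.dll","NAME NOT FOUND",""
"10:01:02.4","quartus.exe","4312","Load Image","C:\Users\dev\project\example.dll","SUCCESS",""
"10:01:02.5","notepad.exe","900","Load Image","C:\Users\dev\project\example.dll","SUCCESS",""
"10:01:02.6","quartus.exe","4312","Load Image","C:\WindowsTemp\example.dll","SUCCESS",""
'''


def _parts(path):
    # Compare whole path components, case-insensitively, so that a look-alike
    # such as C:\WindowsTemp does not pass as being under C:\Windows.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def is_trusted(path):
    parts = _parts(path)
    return any(parts[:len(_parts(r))] == _parts(r) for r in TRUSTED_ROOTS)


def suspicious_loads(procmon_csv):
    """Return (process, pid, path) for DLLs loaded from outside the trusted roots."""
    hits = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] != "Load Image" or row["Result"] != "SUCCESS":
            continue  # only DLLs that were actually mapped into the process
        if PROCESS_MATCH not in row["Process Name"].lower():
            continue
        path = row["Path"]
        if path.lower().endswith(".dll") and not is_trusted(path):
            hits.append((row["Process Name"], row["PID"], path))
    return hits


if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE):
        print(hit)
```

When reading a real export from disk, open it with `encoding="utf-8-sig"` so a leading byte-order mark does not corrupt the first column name.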
Network Indicators:
- Unusual outbound connections from Quartus Prime processes
SIEM Query:
source="Windows Security" (EventID=4688 OR EventID=4689) AND ProcessName="*quartus*" AND CommandLine="*dll*"