PSIRT Advisory ASA-0001 - Quartus® Prime Pro

Security Advisory ASA-0001

A potential security vulnerability in Quartus Prime Pro Edition Design Software may allow escalation of privilege

CVE ID: CVE-2025-13663

Vulnerability Details: Under certain circumstances, the Quartus Prime Pro Installer for Windows does not check the permissions of the Quartus target installation directory if the target installation directory already exists. The Linux version is not affected.

Mitigations and Recommendations: Altera recommends using Quartus 25.1 or later. Before launching the installer, ensure that the target installation directory does not exist or that any preexisting target installation directory has the proper administrative-level permissions.

Description/CWE: CWE-279: Incorrect Execution-Assigned Permissions

CVSS Base Score: 6.7
Severity: Medium
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score 4.0: 5.4 Medium
CVSS Vector 4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID: CVE-2025-13668

Vulnerability Details: A Current Working Directory (CWD) DLL planting vulnerability exists in a .BAT file used in the Original Design Space Explorer. Design Space Explorer II is not affected. Only the Windows version is affected. The Linux version is not affected.

Mitigations and Recommendations: Install Quartus Prime Pro Edition 25.1 or later, or delete the file quartus\bin64\qcmd.bat. The qcmd.bat file is obsolete and was used only by the original Design Space Explorer. Since the introduction of Design Space Explorer II in Quartus 15.0, that file is no longer used and can safely be deleted.

Description/CWE: CWE-427: Uncontrolled Search Path Element

CVSS Base Score: 6.7
Severity: Medium
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score 4.0: 5.4 Medium
CVSS Vector 4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

| CVE | Affected Products | Affected Versions | Fixed Version |
|---|---|---|---|
| CVE-2025-13663 | Quartus Prime Pro | Up to 24.3.1 | 25.1 |
| CVE-2025-13668 | Quartus Prime Pro | Up to 24.3.1 | 25.1 |

Acknowledgements: Altera would like to thank sim0nleehkhk (CVE-2025-13663) for reporting this issue.

Revision History:

| Revision | Date | Affected Versions |
|---|---|---|
| 1.0 | 05/13/2025 | Initial Release |
| 1.1 | 12/20/2025 | CVE-2025-13663, CVE-2025-13668 |

Stay informed with Altera’s Product Security Incident Response Team (PSIRT) advisories, including disclosures, mitigations, and security updates. - 2026-03-10
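
The two mitigations above (a preexisting target installation directory must carry administrative-level permissions, and the obsolete quartus\bin64\qcmd.bat should be absent) can be checked with a short audit script. This is an added example, not Altera tooling; the default `$InstallDir` value is a constructed placeholder path, and the list of SIDs treated as administrative is an assumption to adjust for your environment.

```powershell
# Added example, not Altera tooling. $InstallDir default is a constructed placeholder.
param([string]$InstallDir = 'C:\altera_pro\example')

# SIDs treated as administrative (assumption): Administrators, SYSTEM,
# TrustedInstaller, and CREATOR OWNER (placeholder ACE; the real owner is checked below).
$trusted = @(
    'S-1-5-32-544',
    'S-1-5-18',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464',
    'S-1-3-0'
)
# Rights that allow creating, replacing or re-permissioning content.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericWriteOrAll = 0x50000000   # GENERIC_WRITE | GENERIC_ALL stored raw in an ACE

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    Write-Output "OK: $InstallDir does not exist; the installer will create it."
    return
}

$sidType  = [System.Security.Principal.SecurityIdentifier]
$acl      = Get-Acl -LiteralPath $InstallDir
$findings = @()

# A non-administrative owner can rewrite the DACL at will.
$owner = $acl.GetOwner($sidType).Value
if ($trusted -notcontains $owner) {
    $findings += "Owner $owner is not an administrative principal"
}

# Explicit and inherited Allow entries, including inherit-only ones that
# will apply to the files the installer creates.
foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $sid = $rule.IdentityReference.Value
    if ($trusted -contains $sid) { continue }
    $rights = [int]$rule.FileSystemRights
    if (($rights -band $writeBits) -or ($rights -band $genericWriteOrAll)) {
        $findings += "$sid is allowed: $($rule.FileSystemRights)"
    }
}

# CVE-2025-13668 mitigation: the obsolete batch file should be absent.
$qcmd = Join-Path $InstallDir 'quartus\bin64\qcmd.bat'
if (Test-Path -LiteralPath $qcmd -PathType Leaf) { $findings += "Obsolete file present: $qcmd" }

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output "OK: no non-administrative write access and no qcmd.bat under $InstallDir" }
```

Run it before launching the installer against the intended target directory, and again after installation to confirm qcmd.bat is gone.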
