PSIRT Advisory ASA-0002 - Quartus® Prime Standard

Security Advisory ASA-0002

A potential security vulnerability in Quartus® Prime Standard Edition Design Software may allow escalation of privilege.

CVE ID: CVE-2025-13665

Vulnerability Details: The System Console Utility for Windows is vulnerable to a DLL planting vulnerability. This issue occurs when the Quartus Prime Programmer and Tools package is installed in a standalone manner, outside of a full Quartus Prime Standard Edition installation location. The System Console program is not vulnerable if the user has the full Quartus Prime Standard Edition installation. The Linux version is not affected.

Mitigations and Recommendations: Install Quartus Prime Standard Edition 24.1 or newer, or install the full Quartus standard version to use the System Console Utility.

Description/CWE: CWE-427: Uncontrolled Search Path Element
CVSS Base Score: 6.7
Severity: Medium
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score 4.0: 5.4 Medium
CVSS Vector 4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID: CVE-2025-13664

Vulnerability Details: A Current Working Directory (CWD) DLL planting vulnerability exists in a .BAT file used in the Original Design Space Explorer for Windows. Design Space Explorer II is not affected. The Linux version is not affected.

Mitigations and Recommendations: Install Quartus Prime Standard Edition 24.1 or later, or delete the file quartus\bin64\qcmd.bat. The qcmd.bat file is obsolete and was used only by the original Design Space Explorer. Since the introduction of Design Space Explorer II in Quartus 15.0, that file is no longer used and can safely be deleted.

Description/CWE: Uncontrolled Search Path Element
CVSS Base Score: 6.7
Severity: Medium
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score 4.0: 5.4 Medium
CVSS Vector 4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

| CVE | Affected Products | Affected Versions | Fixed Version |
| --- | --- | --- | --- |
| CVE-2025-13665 | Quartus Prime Standard | Up to 23.1.1 | 24.1 |
| CVE-2025-13664 | Quartus Prime Standard | Up to 23.1.1 | 24.1 |

Acknowledgements: Altera would like to thank sim0nleehkhk (CVE-2025-13664) for reporting this issue.

Revision History:

| Revision | Date | Affected Versions |
| --- | --- | --- |
| 1.0 | 05/13/2025 | Initial Release |
| 1.1 | 12/20/2025 | Add CVE Numbers |

Stay informed with Altera’s Product Security Incident Response Team (PSIRT) advisories, including disclosures, mitigations, and security updates. - 2026-03-10
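
The file-deletion mitigation for CVE-2025-13664 can be audited across Windows hosts with a short script. The following is an added example, not Altera's code; the parameter names InstallRoot and Remove are this example's own, and the caller supplies the directory that Quartus was installed into.

```powershell
# Added example: locate (and optionally delete) the obsolete qcmd.bat
# that the advisory names for CVE-2025-13664.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: one or more directories that contain a Quartus install.
    [Parameter(Mandatory = $true)]
    [string[]]$InstallRoot,

    # Report only by default; delete only when -Remove is given.
    [switch]$Remove
)

# Relative location taken from the advisory: quartus\bin64\qcmd.bat
$suffix = '*\quartus\bin64\qcmd.bat'

foreach ($root in $InstallRoot) {
    if (-not (Test-Path -LiteralPath $root -PathType Container)) {
        Write-Warning "Skipping '$root': not a directory"
        continue
    }

    # Only files at the exact relative path from the advisory are matched,
    # so an unrelated qcmd.bat elsewhere in the tree is left alone.
    $hits = Get-ChildItem -LiteralPath $root -Filter 'qcmd.bat' -File -Recurse `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -like $suffix }

    foreach ($file in $hits) {
        $removed = $false
        if ($Remove -and $PSCmdlet.ShouldProcess($file.FullName, 'Delete obsolete qcmd.bat')) {
            Remove-Item -LiteralPath $file.FullName -Force
            # Confirm the deletion instead of assuming it succeeded.
            $removed = -not (Test-Path -LiteralPath $file.FullName)
        }

        # One record per finding, suitable for Export-Csv or central collection.
        [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            Path          = $file.FullName
            LastWriteTime = $file.LastWriteTime
            Removed       = $removed
        }
    }
}
```

Running it with -Remove -WhatIf lists what would be deleted without changing anything. Deleting qcmd.bat addresses only CVE-2025-13664; CVE-2025-13665 still requires the mitigation the advisory gives for it.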