
Quartus® Prime Standard Security Advisory
ASA-0002
A potential security vulnerability in Quartus® Prime Standard Edition Design Software may allow escalation of privilege.
CVE ID: NA
Vulnerability Details:
The System Console Utility for Windows is affected by a DLL planting vulnerability. The issue occurs when the Quartus Prime Programmer and Tools package is installed standalone, outside of a full Quartus Prime Standard Edition installation location. The System Console program is not vulnerable if the user has the full Quartus Prime Standard Edition installation. The Linux version is not affected.
Mitigations and Recommendations:
Install Quartus Prime Standard Edition 24.1 or newer, or install the full Quartus Standard version to use the System Console Utility.
Description/CWE: CWE-427: Uncontrolled Search Path Element
CVSS Base Score 3.1: 6.7 Medium
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score 4.0: 5.4 Medium
CVSS Vector 4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE ID: NA
Vulnerability Details:
A Current Working Directory (CWD) DLL planting vulnerability exists in a .BAT file used by the original Design Space Explorer for Windows. Design Space Explorer II is not affected. The Linux version is not affected.
Mitigations and Recommendations:
Install Quartus Prime Standard Edition 24.1 or later, or delete the file quartus\bin64\qcmd.bat. The qcmd.bat file is obsolete; it was used by the original Design Space Explorer. Since the introduction of Design Space Explorer II in Quartus 15.0, that file is no longer used and can safely be deleted.
Description/CWE: CWE-427: Uncontrolled Search Path Element
CVSS Base Score 3.1: 6.7 Medium
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score 4.0: 5.4 Medium
CVSS Vector 4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
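One way to audit Windows hosts for the obsolete quartus\bin64\qcmd.bat named in the mitigation above, and optionally delete it. This is an added example, not code from Altera; the function name, its parameters and the search-root path in the usage comments are assumptions for illustration.

```powershell
# Added example, not vendor code. Function and parameter names are hypothetical.
function Find-ObsoleteQcmdBat {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: directories under which Quartus is installed on this host.
        [Parameter(Mandatory)] [string[]] $SearchRoot,
        # Assumption: arbitrary recursion limit to keep the scan bounded.
        [int] $MaxDepth = 5,
        # Delete the file instead of only reporting it.
        [switch] $Remove
    )

    $suffix = '\quartus\bin64\qcmd.bat'   # relative path named in the advisory

    foreach ($root in $SearchRoot) {
        if (-not (Test-Path -LiteralPath $root -PathType Container)) {
            Write-Warning "Search root not found, skipping: $root"
            continue
        }
        # Match on the full relative path so unrelated qcmd.bat files are ignored.
        $hits = Get-ChildItem -LiteralPath $root -Filter 'qcmd.bat' -File -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) }

        foreach ($file in $hits) {
            # Record a hash first so the removal is traceable afterwards.
            $finding = [pscustomobject]@{
                Path          = $file.FullName
                LastWriteTime = $file.LastWriteTime
                Sha256        = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                Removed       = $false
            }
            if ($Remove -and $PSCmdlet.ShouldProcess($file.FullName, 'Delete obsolete qcmd.bat')) {
                try {
                    Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                    $finding.Removed = $true
                } catch {
                    Write-Warning "Could not delete $($file.FullName): $($_.Exception.Message)"
                }
            }
            $finding   # emit to the pipeline for Export-Csv, Format-Table, etc.
        }
    }
}

# Report only (placeholder root, replace with the real install location):
# Find-ObsoleteQcmdBat -SearchRoot 'C:\path\to\quartus-installs'
# Preview the deletion before performing it:
# Find-ObsoleteQcmdBat -SearchRoot 'C:\path\to\quartus-installs' -Remove -WhatIf
```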
CVE | Affected Products | Affected Versions | Fixed Version |
---|---|---|---|
NA | Quartus Prime Standard | Up to 23.1.1 | 24.1 |
NA | Quartus Prime Standard | Up to 23.1.1 | 24.1 |
Acknowledgements:
Altera would like to thank sim0nleehkhk (CVE-2025-xxxx) for reporting this issue.
Revision History:
Revision | Date | Description |
---|---|---|
1.0 | 05/13/2025 | Initial Release |
Legal Notices and Disclaimers:
Altera provides these materials as-is, with no express or implied warranties. All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.
Altera products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request. Altera products that have met their End of Servicing Updates may no longer receive functional and security updates.
Altera technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://www.altera.com.
Some results may have been estimated or simulated using internal Altera analysis or architecture simulation or modeling and are provided to you solely for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance. © Altera Corporation.
Altera, the Altera logo, and other Altera marks are trademarks of Altera Corporation in the United States and other countries. Other names and brands may be claimed as the property of others.