CVE-2025-13669
Unknown Unknown - Not Provided
Search Order Hijacking in Altera HLS Compiler on Windows

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: Altera

Description
Uncontrolled Search Path Element vulnerability in Altera High Level Synthesis Compiler on Windows allows Search Order Hijacking.This issue affects High Level Synthesis Compiler: from 19.1 through 24.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13669
EUVD
EUVD-2025-202940
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
altera high_level_synthesis_compiler 19.1
altera high_level_synthesis_compiler 24.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Uncontrolled Search Path Element issue in the Altera High Level Synthesis Compiler on Windows. It allows Search Order Hijacking, meaning an attacker could manipulate the order in which the system searches for executable files or libraries, potentially causing the system to load malicious code instead of the intended files. This affects versions from 19.1 through 24.3 of the compiler.

Impact Analysis

The vulnerability can allow an attacker with limited privileges to hijack the search order for executable files or libraries, potentially leading to execution of malicious code with the privileges of the affected application. This can result in confidentiality, integrity, and availability impacts on the system running the Altera High Level Synthesis Compiler.

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detection involves checking for the presence of the vulnerable build.bat file in design examples and verifying if the directory "C:\quartus\bin64" has improper write permissions that allow non-administrators to modify it. Since the vulnerability is related to DLL planting via uncontrolled search path elements on Windows, you can look for suspicious DLL files in the working directories used by the High Level Synthesis Compiler. Specific commands are not provided in the advisory, but you can use Windows commands such as "icacls C:\quartus\bin64" to check directory permissions and "dir /a" in relevant directories to look for unexpected DLL files. [1]

Mitigation Strategies

Immediate mitigation steps include replacing the vulnerable build.bat file with the secure version provided by Altera and restricting write permissions on the directory "C:\quartus\bin64" so that only system administrators have write access. These steps help prevent DLL planting attacks by controlling the search path and limiting who can place malicious DLLs in critical directories. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13669. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart