CVE-2025-14599
Uncontrolled Search Path Vulnerability in Altera Quartus Installers
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Altera
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| altera | quartus_prime_standard | From 23.1 (inc) to 24.1 (inc) |
| altera | quartus_prime_lite | From 23.1 (inc) to 24.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14599 is an Uncontrolled Search Path Element vulnerability in the Quartus Prime Standard and Lite Edition Installers (SFX) for Windows. It allows an attacker to perform a binary planting attack by placing a malicious binary in a location that the installer searches. When the installer runs, it may execute this unauthorized code, leading to privilege escalation. This vulnerability affects versions 23.1 through 24.1, requires local access and user interaction, and has high attack complexity. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can lead to privilege escalation on the affected system, allowing an attacker to execute unauthorized code with elevated privileges. This can compromise the confidentiality, integrity, and availability of the system, potentially leading to unauthorized access, data modification, or disruption of services. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade to Quartus Prime Standard Edition 25.1 or later, or Quartus Prime Lite Edition 25.1 or later. If upgrading is not possible right away, use individual installation files downloaded directly from the official download page instead of the vulnerable SFX installer versions 23.1 through 24.1. These steps prevent the binary planting attack that leads to privilege escalation. [1]
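The conditions that make a CWE-427 search-path issue exploitable (a file the installer will pick up sitting in a directory the installer searches, and a directory that untrusted users can write to) can be checked before a downloaded self-extracting installer is run. The PowerShell script below is an added example, not code from Altera or from this advisory: the installer path is a placeholder supplied by the operator, and the three checks (Authenticode signature status, loose executable files in the installer's own folder, and folder ACLs granting write access to broad groups) are generic Windows checks rather than anything specific to Quartus.

```powershell
# Added example (not from the advisory): pre-flight checks before running a
# downloaded self-extracting installer such as the Quartus Prime SFX installers
# named in CVE-2025-14599. $InstallerPath is a placeholder chosen by the operator.
param(
    [Parameter(Mandatory)]
    [string]$InstallerPath
)

$installer = Get-Item -LiteralPath $InstallerPath
$dir = $installer.DirectoryName
$problems = 0

# 1. The installer itself must carry a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $installer.FullName
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'; do not run this installer."
    $problems++
}
else {
    Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"
}

# 2. Loose executable files beside the installer are what an uncontrolled
#    search path (CWE-427) can load instead of the intended component.
$loose = Get-ChildItem -LiteralPath $dir -File |
    Where-Object {
        $_.Extension -in '.dll', '.exe', '.cmd', '.bat' -and
        $_.FullName -ne $installer.FullName
    }
if ($loose) {
    Write-Warning "Unexpected executable files beside the installer in '$dir':"
    $loose | ForEach-Object { Write-Warning "  $($_.Name)" }
    $problems++
}

# 3. The folder holding the installer should not be writable by standard users;
#    otherwise a low-privileged account could place a file there before an
#    administrator runs the installer.
$acl = Get-Acl -LiteralPath $dir
$broad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
}
if ($broad) {
    Write-Warning "Folder '$dir' grants write access to broad groups:"
    $broad | ForEach-Object {
        Write-Warning "  $($_.IdentityReference): $($_.FileSystemRights)"
    }
    $problems++
}

if ($problems -eq 0) {
    Write-Host "No search-path planting indicators found for '$($installer.Name)'."
}
else {
    Write-Warning "$problems check(s) failed; resolve them before running the installer."
}
```

Run it as `.\Check-Installer.ps1 -InstallerPath 'C:\Downloads\<installer>.exe'` from an elevated prompt so that `Get-Acl` can read the folder's full ACL. A clean result does not replace the advisory's actual fix (upgrading to 25.1 or using the individual installation files); it only confirms that the staging folder does not currently present the conditions a planting attempt relies on.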