The CERT Coordination Center (CERT/CC) has issued a vulnerability note warning of two critical local security flaws affecting Sunshine for Windows v2025.122.141614 and likely earlier versions. Sunshine, a popular self-hosted game streaming host for Moonlight, is vulnerable to both unquoted service path execution and DLL search-order hijacking, leaving systems open to privilege escalation and arbitrary code execution.
CERT/CC explains: “Two local security vulnerabilities have been identified in Sunshine for Windows, version v2025.122.141614 (and likely prior versions). These issues could allow attackers to execute arbitrary code and escalate privileges on affected systems.”
The flaws are tracked as:
- CVE-2025-10198 (CVSS 7.5): Unquoted Service Path (CWE-428)
Sunshine installs a Windows service without properly quoting the path to its executable. As CERT/CC notes, “This allows an attacker with local access to place a malicious executable in a directory within the service path… which could then be executed with elevated privileges during system startup or service restart.”
- CVE-2025-10199 (CVSS 7.8): DLL Search-Order Hijacking (CWE-427)
Sunshine does not properly control the search path for required DLLs. According to the advisory, “This allows an attacker to place a malicious DLL in a user-writable directory that is included in the PATH environment variable. When the application loads, it may inadvertently load the malicious DLL, resulting in arbitrary code execution.”
Both vulnerabilities present serious risks for Windows users of Sunshine:
- Privilege Escalation (CVE-2025-10198): Attackers with local access can escalate to SYSTEM privileges, effectively taking complete control of the machine.
- Arbitrary Code Execution (CVE-2025-10199): Malicious DLLs could be executed in the context of the user running the application, enabling stealthy persistence or lateral movement.
CERT/CC advises users to apply patches from the Sunshine project once available. In the meantime, administrators should adopt several mitigations to reduce exposure:
- Ensure user-writable directories are not included in the PATH environment variable.
- Quote all service paths in Windows service configurations.
- Restrict permissions on service-related directories to prevent unauthorized file placement.
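The first two mitigations can be checked with a read-only audit such as the one below. This is an added example, not taken from the CERT/CC note or the Sunshine project; the function names and the set of SIDs treated as "broad" groups are assumptions chosen for illustration.

```powershell
# Added audit example (read-only); run from an elevated PowerShell session.
# Assumption: these SIDs stand for broad, non-administrative groups:
# Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }      # already quoted
    # Executable part = everything up to the first ".exe"; flag it if it has a space.
    if ($p -match '^(.+?\.exe)\b') { return $Matches[1].Contains(' ') }
    return $false
}

function Test-BroadlyWritable {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $create = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    # Ask for the rules with identities expressed as SIDs, so the check
    # does not depend on localized group names.
    $rules = (Get-Acl -LiteralPath $Directory).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $r.IdentityReference.Value -and
            (($r.FileSystemRights -band $create) -eq $create)) { return $true }
    }
    return $false
}

# Services registered with an unquoted executable path that contains spaces.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Format-Table Name, StartName, PathName -AutoSize

# Machine-wide PATH entries in which a broad group is allowed to create files.
[Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Where-Object { Test-BroadlyWritable $_ } |
    ForEach-Object { "PATH entry writable by a broad group: $_" }
```

The ACL check is a first pass: it does not evaluate deny rules, inherit-only entries or other group memberships, so review any directory it reports before changing permissions.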