{"vuid":"VU#974249","idnumber":"974249","name":"Elevated Privileges and Arbitrary Code Execution issues in Sunshine for Windows v2025.122.141614","keywords":null,"overview":"### Overview\r\nTwo local security vulnerabilities have been identified in Sunshine for Windows, version v2025.122.141614 (and likely prior versions). These issues could allow attackers to execute arbitrary code and escalate privileges on affected systems.\r\n\r\n\r\n### Description\r\nSunshine is a self-hosted game stream host for Moonlight.\r\n\r\n*  **CVE-2025-10198** Unquoted Service Path (CWE-428)\r\nSunshine for Windows installs a service with an unquoted service path. This allows an attacker with local access to place a malicious executable in a directory within the service path (before the legitimate binary), which could then be executed with elevated privileges during system startup or service restart.\r\n\r\n* **CVE-2025-10199** DLL Search-Order Hijacking (CWE-427)\r\nSunshine for Windows does not properly control the search path for required DLLs. This allows an attacker to place a malicious DLL in a user-writable directory that is included in the PATH environment variable. When the application loads, it may inadvertently load the malicious DLL, resulting in arbitrary code execution.\r\n\r\n### Impact\r\n* **CVE-2025-10198** Attackers with local access can escalate privileges to SYSTEM, resulting in full compromise of the affected machine.\r\n* **CVE-2025-10199** Attackers can execute malicious code in the context of the user running the application.\r\n\r\n### Solution\r\nApply an update from the Sunshine project once available.\r\n\r\nAs mitigation, until a patch is released:\r\n\r\n* Ensure user-writable directories are not included in the PATH environment variable.  \r\n\r\n* Quote all service paths in Windows service configurations. \r\n\r\n* Restrict permissions on service-related directories to prevent unauthorized file placement.\r\n\r\n### Acknowledgements\r\nThanks to the reporter, Pundhapat Sichamnong. This document was written by Timur Snoke.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://github.com/LizardByte/Sunshine","https://github.com/LizardByte/Sunshine/pull/3971","https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp"],"cveids":["CVE-2025-10199","CVE-2025-10198"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2025-09-10T18:20:17.590259Z","publicdate":"2025-09-10T18:20:17.268951Z","datefirstpublished":"2025-09-10T18:20:17.604275Z","dateupdated":"2025-09-10T18:20:17.268946Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":138}