{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/974249#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nTwo local security vulnerabilities have been identified in Sunshine for Windows, version v2025.122.141614 (and likely prior versions). These issues could allow attackers to execute arbitrary code and escalate privileges on affected systems.\r\n\r\n\r\n### Description\r\nSunshine is a self-hosted game stream host for Moonlight.\r\n\r\n*  **CVE-2025-10198** Unquoted Service Path (CWE-428)\r\nSunshine for Windows installs a service with an unquoted service path. This allows an attacker with local access to place a malicious executable in a directory within the service path (before the legitimate binary), which could then be executed with elevated privileges during system startup or service restart.\r\n\r\n* **CVE-2025-10199** DLL Search-Order Hijacking (CWE-427)\r\nSunshine for Windows does not properly control the search path for required DLLs. This allows an attacker to place a malicious DLL in a user-writable directory that is included in the PATH environment variable. When the application loads, it may inadvertently load the malicious DLL, resulting in arbitrary code execution.\r\n\r\n### Impact\r\n* **CVE-2025-10198** Attackers with local access can escalate privileges to SYSTEM, resulting in full compromise of the affected machine.\r\n* **CVE-2025-10199** Attackers can execute malicious code in the context of the user running the application.\r\n\r\n### Solution\r\nApply an update from the Sunshine project once available.\r\n\r\nAs mitigation, until a patch is released:\r\n\r\n* Ensure user-writable directories are not included in the PATH environment variable.  \r\n\r\n* Quote all service paths in Windows service configurations. \r\n\r\n* Restrict permissions on service-related directories to prevent unauthorized file placement.\r\n\r\n### Acknowledgements\r\nThanks to the reporter, Pundhapat Sichamnong. This document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/974249"},{"url":"https://github.com/LizardByte/Sunshine","summary":"https://github.com/LizardByte/Sunshine"},{"url":"https://github.com/LizardByte/Sunshine/pull/3971","summary":"https://github.com/LizardByte/Sunshine/pull/3971"},{"url":"https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp","summary":"https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp"}],"title":"Elevated Privileges and Arbitrary Code Execution issues in Sunshine for Windows v2025.122.141614","tracking":{"current_release_date":"2025-09-10T18:20:17+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#974249","initial_release_date":"2025-09-10 18:20:17.268951+00:00","revision_history":[{"date":"2025-09-10T18:20:17+00:00","number":"1.20250910182017.1","summary":"Released on 2025-09-10T18:20:17+00:00"}],"status":"final","version":"1.20250910182017.1"}},"vulnerabilities":[{"title":"Sunshine for Windows, version v2025.","notes":[{"category":"summary","text":"Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories."}],"cve":"CVE-2025-10198","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#974249"}]},{"title":"A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.","notes":[{"category":"summary","text":"A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path."}],"cve":"CVE-2025-10199","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#974249"}]}],"product_tree":{"branches":[]}}