CVE-2025-10199 in Sunshine
Summary
by MITRE • 09/09/2025
A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/09/2025
The vulnerability identified as CVE-2025-10199 represents a critical local privilege escalation flaw within the Sunshine streaming software for Windows platforms. This issue stems from an insecure service path configuration that creates opportunities for malicious actors to execute arbitrary code with elevated privileges. The vulnerability specifically affects version v2025.122.141614 and potentially all prior releases of the Sunshine software, indicating a widespread exposure across multiple versions of this media streaming application.
The technical root cause of this vulnerability lies in the improper handling of service paths within the Windows service configuration. When a service path contains spaces and is not properly quoted, Windows follows a specific resolution mechanism that can be exploited by attackers. The service executable path in Sunshine contains unquoted strings with spaces, allowing an attacker to place a malicious executable in a directory that Windows will search through during service startup. This behavior aligns with the common security weakness categorized under CWE-428, which describes the improper handling of unquoted service paths in Windows environments.
The operational impact of this vulnerability extends beyond simple privilege escalation as it enables attackers to gain SYSTEM-level access on vulnerable systems. Once an attacker successfully exploits this weakness, they can execute code with the highest privileges available to the operating system, potentially leading to complete system compromise. This privilege escalation can be leveraged to install persistent backdoors, exfiltrate sensitive data, modify system configurations, or establish covert communication channels. The attack vector is particularly concerning because it requires no network connectivity or remote exploitation capabilities, making it a local privilege escalation vulnerability that can be exploited from within the target system itself.
Security practitioners should consider this vulnerability in the context of the MITRE ATT&CK framework, specifically under the privilege escalation techniques where adversaries leverage service misconfigurations to gain elevated access. The attack pattern aligns with T1543.003 which covers "Create or Modify System Process: Windows Service" and T1068 which addresses "Exploitation for Privilege Escalation." Organizations running Sunshine software on Windows systems should immediately implement mitigations including proper quoting of service paths, regular security updates, and comprehensive system monitoring to detect unauthorized modifications to service configurations. Additionally, implementing least privilege principles and conducting regular security assessments of installed services can significantly reduce the attack surface and prevent exploitation of this vulnerability. The recommended remediation approach includes updating to the latest version of Sunshine where this issue has been addressed, or manually correcting the service path configuration to ensure all paths containing spaces are properly quoted to prevent the exploitation vector.