VU#974249: Elevated Privileges... Note

VU#974249: Elevated Privileges and Arbitrary Code Execution issues in Sunshine for Windows v2025.122.141614

Two local security vulnerabilities have been discovered in Sunshine for Windows, affecting version v2025.122.141614 and potentially earlier versions. These vulnerabilities could allow attackers to execute arbitrary code and gain elevated privileges on compromised systems. Sunshine is a self-hosted game streaming host for Moonlight. The first vulnerability, CVE-2025-10198, is an unquoted service path issue. This allows a local attacker to place a malicious executable in a directory within the service path. When the service starts, it would execute the malicious code with elevated privileges. The second vulnerability, CVE-2025-10199, is a DLL search-order hijacking flaw. This means an attacker can place a malicious DLL in a user-writable directory within the PATH environment variable. The application might then load this malicious DLL, leading to arbitrary code execution. CVE-2025-10198 allows privilege escalation to SYSTEM, enabling full machine compromise. CVE-2025-10199 allows malicious code execution within the user's context. Users should apply an update from the Sunshine project when it becomes available. Until then, users can mitigate these issues by ensuring no user-writable directories are in the PATH. They should also quote all service paths in Windows service configurations. Finally, restricting permissions on service-related directories can prevent unauthorized file placement.