CVE-2025-10199
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-11-03
Assigner: CERT/CC
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lizardbyte | sunshine | 2025.122.141614 |
| microsoft | windows | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-428 | The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10199 is a local privilege escalation vulnerability in Sunshine for Windows caused by an unquoted service path. When the Sunshine service is terminated, Windows attempts to execute the service executable using a path that is not enclosed in quotes. Because of this, Windows searches for executables in unintended locations such as the root of the C: drive before the actual service executable. If an attacker can place a malicious executable with a specific name in these locations, they can hijack the execution flow and run their code with elevated privileges. This requires that the attacker has permission to create files in the root directory, which normally requires manual loosening of system permissions. [1]
How can this vulnerability impact me?
This vulnerability can allow a local attacker to escalate their privileges on the affected system by executing malicious code with higher privileges when the Sunshine service is stopped. This can compromise the confidentiality and integrity of the system by allowing unauthorized code execution. The attack complexity is low, but exploitation requires high privileges to place the malicious file and some user interaction. Availability is not impacted. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking for unquoted service paths related to the Sunshine service executable. On Windows, use the command `sc qc <ServiceName>` (replace `<ServiceName>` with the actual Sunshine service name) to view the binary path. Look for paths with spaces that are not enclosed in quotes. Additionally, verify whether there are any suspicious executable files named like `Program.exe`, `Program.bat`, or `Program.cmd` in the root of the C: drive, as these could be malicious files placed to exploit the unquoted path. You can list such files using `dir C:\Program.*`. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating Sunshine to version 0.23.0 or later, which fixes the unquoted service path issue. Additionally, apply application control tools such as Windows Defender Application Control, AppLocker, or Software Restriction Policies to block unauthorized executables. Ensure strict permissions on the root directory (C:) to prevent unauthorized file creation, and avoid loosening Access Control Lists (ACLs) that would allow attackers to place malicious files in the root directory. Place executables only in write-protected directories to avoid exploitation. [1]
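The detection and mitigation answers above can be turned into a single audit script. The following PowerShell is an added example written for this page; it is not BaseFortify's or the Sunshine project's code. It enumerates every Windows service whose binary path is unquoted but contains a space (the CWE-428 condition), lists the shorter paths the loader would try before the real executable (for `C:\Program Files\...` that is `C:\Program.exe`), flags any file already present at one of those paths, and runs the page's own root-of-drive check. It also includes an interim hardening function that quotes a service's ImagePath; the page's stated fix is to update Sunshine, so this is a stop-gap, not a replacement. The Sunshine service name is not given on the page, so the `*sunshine*` filter and the `<ServiceName>` placeholder are assumptions.

```powershell
# Added example (not BaseFortify's or the Sunshine project's code).
# Part 1 - detection: services whose ImagePath is unquoted yet contains a space (CWE-428).
# Part 2 - interim hardening: quote the executable portion of a service's ImagePath.
# Assumption: the Sunshine service name is unknown, so it is matched with a wildcard.

function Get-ShortenedSearchPath {
    # For "C:\Program Files\Sunshine\sunshine.exe" yields "C:\Program.exe"; the real
    # executable is only tried after every shorter candidate. A deeper path such as
    # "C:\Program Files\My App\app.exe" also yields "C:\Program Files\My.exe".
    param([Parameter(Mandatory)][string]$ExePath)
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Get-ExecutablePortion {
    # Strip any arguments that follow the executable; returns $null if no ".exe" is found.
    param([Parameter(Mandatory)][string]$PathName)
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Get-UnquotedServicePath {
    # Enumerate services; optionally narrow by name (e.g. -NameLike '*sunshine*').
    param([string]$NameLike = '*')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $NameLike -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName
            if ($path.TrimStart().StartsWith('"')) { return }      # already quoted: safe
            $exe = Get-ExecutablePortion -PathName $path
            if (-not $exe -or $exe -notmatch ' ') { return }        # no space: not CWE-428
            $candidates = @(Get-ShortenedSearchPath -ExePath $exe)
            [pscustomobject]@{
                Name       = $_.Name
                RunsAs     = $_.StartName
                PathName   = $path
                TriedFirst = $candidates -join '; '
                # A file already present at a candidate path is the planted-binary case
                # the page describes; it should be investigated, not just deleted.
                Planted    = @($candidates | Where-Object { Test-Path -LiteralPath $_ }) -join '; '
            }
        }
}

function Set-QuotedServicePath {
    # Interim hardening (added here; the page's own mitigation is to update Sunshine).
    # Rewrites ImagePath so the executable path is quoted. Needs administrator rights,
    # and the service must be restarted for the new path to take effect.
    param([Parameter(Mandatory)][string]$Name)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $path = (Get-ItemProperty -LiteralPath $key -Name ImagePath).ImagePath
    if ($path.TrimStart().StartsWith('"')) { return $path }        # nothing to do
    $exe = Get-ExecutablePortion -PathName $path
    if (-not $exe) { throw "Could not find an .exe in ImagePath '$path'" }
    $arguments = $path.Substring($exe.Length)                      # keep any service arguments
    $fixed = '"' + $exe + '"' + $arguments
    Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed -Type ExpandString
    return $fixed
}

# Usage (elevated PowerShell). The name filter is an assumption; drop it to audit every service.
Get-UnquotedServicePath -NameLike '*sunshine*' | Format-List

# The page's own root-of-drive check (Program.exe / Program.bat / Program.cmd), in PowerShell:
Get-ChildItem -LiteralPath 'C:\' -Filter 'Program.*' -File -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# To apply the interim quoting fix to one service reported above (placeholder name):
# Set-QuotedServicePath -Name '<ServiceName>'
```

Run the audit without the name filter to catch other services with the same defect, since the planted file at `C:\Program.exe` would be resolved ahead of any unquoted `C:\Program Files\...` service, not only Sunshine's. A non-empty `Planted` column is an incident-response finding: preserve the file and its timestamps before removing it, then restrict write access to the drive root as the mitigation answer advises.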