CVE-2025-10199
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-11-03

Assigner: CERT/CC

Description
A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-11-03
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-10199
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
lizardbyte sunshine 2025.122.141614
microsoft windows *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10199 is a local privilege escalation vulnerability in Sunshine for Windows caused by an unquoted service path. When the Sunshine service is terminated, Windows attempts to execute the service executable using a path that is not enclosed in quotes. Because of this, Windows searches for executables in unintended locations such as the root of the C: drive before the actual service executable. If an attacker can place a malicious executable with a specific name in these locations, they can hijack the execution flow and run their code with elevated privileges. This requires that the attacker has permission to create files in the root directory, which normally requires manual loosening of system permissions. [1]

Impact Analysis

This vulnerability can allow a local attacker to escalate their privileges on the affected system by executing malicious code with higher privileges when the Sunshine service is stopped. This can compromise the confidentiality and integrity of the system by allowing unauthorized code execution. However, the attack complexity is low but requires high privileges to place the malicious file and some user interaction. Availability is not impacted. [1]

Detection Guidance

You can detect this vulnerability by checking for unquoted service paths related to the Sunshine service executable. On Windows, use the command: sc qc <ServiceName> (replace <ServiceName> with the actual Sunshine service name) to view the binary path. Look for paths with spaces that are not enclosed in quotes. Additionally, verify if there are any suspicious executable files named like 'Program.exe', 'Program.bat', or 'Program.cmd' in the root of the C: drive, as these could be malicious files placed to exploit the unquoted path. You can list such files using: dir C:\Program.* [1]

Mitigation Strategies

Immediate mitigation steps include updating Sunshine to version 0.23.0 or later, which fixes the unquoted service path issue. Additionally, apply application control tools such as Windows Defender Application Control, AppLocker, or Software Restriction Policies to block unauthorized executables. Ensure strict permissions on the root directory (C:) to prevent unauthorized file creation, and avoid loosening Access Control Lists (ACLs) that would allow attackers to place malicious files in the root directory. Place executables only in write-protected directories to avoid exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10199. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart