Executive Summary
Two critical flaws have been identified in Sunshine for Windows, a popular open-source game streaming host used with Moonlight. These vulnerabilities, CVE-2025-10198 (Unquoted Service Path) and CVE-2025-10199 (DLL Search-Order Hijacking), expose users to local privilege escalation risks.
CyberDudeBivash confirms:
-
Attackers with local access can escalate privileges to SYSTEM.
-
Malicious DLLs or executables can hijack Sunshine’s service loading.
-
Impacted version: v2025.122.141614 and earlier.
-
CVSS scores: ~7.5–7.8 (“High”).
Background
-
Sunshine is a self-hosted game streaming platform that runs as a Windows service.
-
Misconfigurations in service paths and DLL loading create exploitation opportunities.
-
Attackers can plant malicious binaries in Sunshine’s path to hijack execution.
Technical Breakdown
CVE-2025-10198 – Unquoted Service Path
-
Issue: Sunshine service path is not enclosed in quotes.
-
Impact: If the path contains spaces, Windows may execute a malicious binary placed earlier in the path.
-
Result: Local attacker gains SYSTEM privileges.
CVE-2025-10199 – DLL Search-Order Hijacking
-
Issue: Sunshine does not properly validate DLL loading paths.
-
Impact: Malicious DLL in user-writable directory can be loaded instead of legitimate one.
-
Result: Arbitrary code execution with elevated privileges.
Risk & Impact Analysis
| Threat Vector | Severity | Consequence |
|---|---|---|
| Local Privilege Escalation | High | Full SYSTEM compromise |
| Malware Injection | High | Persistence & stealth |
| Gaming PCs | Medium | Unauthorized code execution |
| Enterprise Environments | Critical | Attackers pivot to corporate networks |
Mitigation Strategies
For Users
-
Update Sunshine immediately when a patched release is available.
-
Avoid running Sunshine in environments where untrusted users have local access.
For Enterprises
-
Review service paths → ensure executables are quoted.
-
Lock down directory permissions to prevent DLL planting.
-
Monitor for suspicious DLL loads in Sunshine directories.
Temporary Workarounds
-
Quote service paths manually via
sc configin Windows. -
Restrict write permissions on
C:\Program Files\Sunshine\and PATH folders.
CyberDudeBivash Recommendations
-
Conduct regular service security audits for unquoted paths.
-
Use EDR tools to monitor for DLL hijacking attempts.
-
Treat even gaming/utility services as part of enterprise attack surface.
-
Isolate Sunshine to non-critical environments until fully patched.
Security Solutions
-
Service Path Auditing – Qualys Vulnerability Scanner
-
EDR & Threat Hunting – CrowdStrike Falcon
-
Privilege Escalation Prevention – Zscaler Zero Trust
-
Threat Intelligence – Recorded Future
CyberDudeBivash Services
We deliver:
-
Exploit Testing for Windows service misconfigs.
-
Custom Scripts to audit DLL hijacking risks.
-
Consulting – privilege escalation defense.
-
Training – secure Windows service deployment.
cyberdudebivash.com | cyberbivash.blogspot.com | cryptobivash.code.blog
Conclusion
The Sunshine vulnerabilities highlight a recurring Windows risk: unquoted service paths and DLL hijacking. These are simple yet devastating flaws that attackers exploit routinely.
CyberDudeBivash urges:
-
Patch Sunshine now.
-
Audit all Windows services.
-
Monitor DLL loads in critical apps.
#SunshineExploit #WindowsPrivilegeEscalation #CVE202510198 #CVE202510199 #ThreatIntel #Cybersecurity #CyberDudeBivash