CVE-2025-54081
- EPSS 0.21%
- Published 23.09.2025 19:15:39
- Last modified 08.10.2025 17:48:27
- Source security-advisories@github.com
SunshineService Has Unquoted Service Path That Allows Local SYSTEM Code Execution
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.
Data provided by the National Vulnerability Database (NVD)
Lizardbyte ≫ Sunshine Version >= 0.10.0 < 2025.923.33222
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.21% | 0.115 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7 | 1 | 5.9 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| security-advisories@github.com | 6.7 | 0.8 | 5.9 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
CWE-428 Unquoted Search Path or Element
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
https://github.com/LizardByte/Sunshine/commit/f22b00d6981f756d3531fba0028723d4a5065824
https://github.com/LizardByte/Sunshine/releases/tag/v2025.923.33222
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h