Vulnerability Description
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lizardbyte | Sunshine | >= 0.10.0, < 2025.923.33222 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://github.com/LizardByte/Sunshine/commit/f22b00d6981f756d3531fba0028723d4a5 (Patch)
- https://github.com/LizardByte/Sunshine/releases/tag/v2025.923.33222 (Release Notes)
- https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-54081?
CVE-2025-54081 is a vulnerability with a CVSS score of 6.7 (MEDIUM). Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed i...
How severe is CVE-2025-54081?
CVE-2025-54081 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-54081?
Check the references section above for vendor advisories and patch information. Affected products include: Lizardbyte Sunshine, Microsoft Windows.