CVE-2025-54081

low-risk
Published 2025-09-23

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.7/10 Medium
LOCAL / HIGH complexity

Affected Products (1)

Sunshine

Affected Vendors

Lizardbyte

References (4)

Patch https://github.com/LizardByte/Sunshine/commit/f22b00d6981f756d3531fba0028723d4a5...
Release Notes https://github.com/LizardByte/Sunshine/releases/tag/v2025.923.33222
Exploit https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h
Exploit https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h
22
/ 100
low-risk
Severity 17/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal