CVE-2025-54081
Published 2025-09-23
Priority: P4 (34) | Severity: high, 7 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.21% (11.6th percentile)
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.
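A defender-side check for the condition described above, as an added example that is not Sunshine's code or part of the advisory: it flags service `ImagePath` values whose executable portion contains a space but is not quoted, and returns the quoted form to set instead. The service names and paths are constructed placeholders, and finding the end of the executable by its `.exe` suffix is a heuristic assumption.

```python
import re

# Heuristic (assumption): in an unquoted ImagePath the executable is the shortest
# prefix ending in ".exe" that is followed by whitespace or the end of the string.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

# Constructed sample of service name -> ImagePath (not taken from a real host).
SAMPLE_SERVICES = {
    "ExampleUnquoted": r"C:\Program Files\Example App\svc.exe",
    "ExampleUnquotedArgs": r"C:\Program Files\Example App\svc.exe --run",
    "ExampleQuoted": r'"C:\Program Files\Example App\svc.exe" --run',
    "ExampleNoSpace": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def split_image_path(image_path):
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:  # unbalanced quote: treat the rest as the executable
            return value[1:], "", True
        return value[1:end], value[end + 1:].strip(), True
    match = _EXE.match(value)
    if match:
        return match.group(1), value[match.end():].strip(), False
    # No ".exe" boundary found: fall back to the first whitespace-delimited token.
    parts = value.split(None, 1)
    exe = parts[0] if parts else ""
    return exe, parts[1] if len(parts) > 1 else "", False


def needs_quoting(image_path):
    """True when the executable path has a space and the value is not quoted."""
    exe, _args, was_quoted = split_image_path(image_path)
    return not was_quoted and " " in exe


def quoted_form(image_path):
    """Return the ImagePath with the executable portion wrapped in quotes."""
    exe, args, _was_quoted = split_image_path(image_path)
    return f'"{exe}" {args}' if args else f'"{exe}"'


def audit(services):
    """Map each flagged service name to the corrected, quoted ImagePath."""
    return {n: quoted_form(p) for n, p in sorted(services.items()) if needs_quoting(p)}
```

On a Windows host the values to feed in are the `ImagePath` entries under `HKLM\SYSTEM\CurrentControlSet\Services`.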
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lizardbyte | sunshine | < 2025.923.33222 | 2025.923.33222 |
| lizardbyte | sunshine | >= 0.10.0 < 2025.923.33222 | 2025.923.33222 |
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/LizardByte/Sunshine/commit/f22b00d6981f756d3531fba0028723d4a5065824
https://github.com/LizardByte/Sunshine/releases/tag/v2025.923.33222
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h