CVE-2025-54081
published 2025-09-23


Priority: P4 34
CVSS 3.1: 7 (high)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.21% (11.6th percentile)

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.

Affected

2 ranges
Vendor      Product   Version range                 Fixed in
lizardbyte  sunshine  < 2025.923.33222              2025.923.33222
lizardbyte  sunshine  >= 0.10.0 < 2025.923.33222    2025.923.33222