VYPR
Unrated severityNVD Advisory· Published Sep 23, 2025· Updated Sep 23, 2025

SunshineService Has Unquoted Service Path That Allows Local SYSTEM Code Execution

CVE-2025-54081

Description

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Lizardbyte/Sunshinellm-fuzzy2 versions
    <2025.923.33222+ 1 more
    • (no CPE)range: <2025.923.33222
    • (no CPE)range: < 2025.923.33222

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.