CVE-2025-10198

7.8 HIGH

📋 TL;DR

Sunshine for Windows v2025.122.141614 has a DLL search-order hijacking vulnerability: an attacker who can write to a directory listed in the PATH environment variable can place a malicious DLL there, and when Sunshine loads DLLs it may execute that attacker-controlled code instead of the legitimate library. This affects all Windows users running the vulnerable version.

💻 Affected Systems

Products:
  • Sunshine
Versions: v2025.122.141614
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable on Windows hosts where a user has write access to a directory listed in the PATH environment variable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, allowing complete control over the host, data theft, and lateral movement within the network.

🟠 Likely Case

Local privilege escalation to SYSTEM or administrator privileges, enabling persistence, credential theft, and installation of additional malware.

🟢 If Mitigated

Limited impact with proper application whitelisting and restricted user permissions, potentially only allowing code execution at the current user's privilege level.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access to place malicious DLLs in PATH directories. No authentication bypass needed beyond local file system access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 9db11a906167bd962e57896223d7b9718058aeb2

Vendor Advisory: https://github.com/LizardByte/Sunshine/commit/9db11a906167bd962e57896223d7b9718058aeb2

Restart Required: Yes

Instructions:

1. Update Sunshine to the latest version.
2. Restart the Sunshine service.
3. Verify that the installed version is newer than v2025.122.141614.

🔧 Temporary Workarounds

Restrict PATH directory permissions

Platform: Windows

Remove write permissions for standard users from all directories in the PATH environment variable

icacls "C:\Windows\System32" /deny Users:(OI)(CI)W
icacls "C:\Windows" /deny Users:(OI)(CI)W
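Before tightening ACLs it helps to know which PATH entries are actually writable by an unprivileged account. The following audit script is an added example, not part of this advisory or of the Sunshine project: run it under the standard (non-administrator) account you want to audit, and every directory it prints is a candidate for the permission fix above. It probes writability by creating and deleting an empty temp file, which exercises the real ACL check; the `can_write` and `sep` parameters are assumptions introduced here so the logic can be tested with a fake predicate.

```python
import os
import tempfile


def probe_writable(directory: str) -> bool:
    """True if the account running this can create a file in `directory`.

    Creating and removing an empty temp file exercises the real permission
    check. os.access() is deliberately not used because on Windows it only
    consults the read-only attribute, not the directory ACL.
    """
    if not os.path.isdir(directory):
        return False
    try:
        with tempfile.NamedTemporaryFile(dir=directory, prefix=".pathprobe-"):
            pass
        return True
    except OSError:
        return False


def find_writable_path_dirs(path_value: str, can_write=probe_writable,
                            sep: str = os.pathsep) -> list:
    """Return the PATH entries that `can_write` accepts, in search order.

    Entries are expanded, normalized and de-duplicated in order of first
    appearance because that is the order the loader walks them. An empty
    entry means the current directory and is reported as '.'.
    `can_write` and `sep` are hypothetical parameters added for testability.
    """
    seen = set()
    writable = []
    for raw in path_value.split(sep):
        entry = os.path.normpath(os.path.expandvars(raw)) if raw else "."
        if entry in seen:
            continue
        seen.add(entry)
        if can_write(entry):
            writable.append(entry)
    return writable


if __name__ == "__main__":
    # Run under a standard (non-administrator) account: each directory listed
    # is one where that account could place a library ahead of the real copy.
    for d in find_writable_path_dirs(os.environ.get("PATH", "")):
        print("user-writable PATH entry:", d)
```

Re-run the script after applying the `icacls` changes; an empty result means no PATH entry accepts a file from that account.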

Use application whitelisting

Platform: Windows

Configure Windows Defender Application Control or AppLocker to block unauthorized DLL loading

🧯 If You Can't Patch

  • Remove write permissions from PATH directories for standard users
  • Monitor for suspicious DLL creation in PATH directories using file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check the Sunshine version in the About section, or run `sunshine --version` at the command line.

Check Version:

sunshine --version

Verify Fix Applied:

Verify that the installed version is newer than v2025.122.141614 and that the build includes commit 9db11a906167bd962e57896223d7b9718058aeb2.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected DLL loads from non-standard locations
  • Sunshine process loading DLLs from user-writable directories

Network Indicators:

  • Unusual outbound connections from Sunshine process after DLL load

SIEM Query:

process_name:"sunshine.exe" AND (file_path:"*\Users\*\*.dll" OR file_path:"*\AppData\*\*.dll")
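The same detection logic, written out so it can be run over image-load telemetry before it reaches the SIEM. This is an added example, not part of the advisory or the Sunshine project: it assumes records in the shape of Sysmon Event ID 7 (fields `Image` for the loading process and `ImageLoaded` for the mapped library), an assumed install directory of `C:\Program Files\Sunshine`, and constructed sample events that are not real telemetry. It goes slightly beyond the query above by also flagging any Sunshine DLL load that comes from outside the install and system directories, not only from the user profile.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Directories from which Sunshine is expected to resolve libraries. The install
# path is an assumption for this example; set it to the real one on the host.
TRUSTED_ROOTS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files\Sunshine",
)
# Anything under the profile root, including AppData, is user-writable by design.
USER_WRITABLE_ROOTS = (r"C:\Users",)


def _parts(path: str) -> tuple:
    # Compare Windows paths case-insensitively, one component at a time.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def under(path: str, root: str) -> bool:
    """True if `path` is `root` or lies beneath it (case-insensitive)."""
    p, r = _parts(path), _parts(root)
    return p[: len(r)] == r


def classify_load(event: dict) -> Optional[str]:
    """Return a reason if this ImageLoad record is suspicious, else None.

    `event` mirrors the Sysmon Event ID 7 fields used here: Image (the
    loading process) and ImageLoaded (the library that was mapped).
    """
    if PureWindowsPath(event["Image"]).name.lower() != "sunshine.exe":
        return None
    loaded = event["ImageLoaded"]
    if PureWindowsPath(loaded).suffix.lower() != ".dll":
        return None
    if any(under(loaded, r) for r in USER_WRITABLE_ROOTS):
        return "DLL loaded from a user-writable profile directory"
    if not any(under(loaded, r) for r in TRUSTED_ROOTS):
        return "DLL loaded from outside the install and system directories"
    return None


def triage(events: list) -> list:
    """Run classify_load over a batch and return (ImageLoaded, reason) hits."""
    hits = []
    for ev in events:
        reason = classify_load(ev)
        if reason:
            hits.append((ev["ImageLoaded"], reason))
    return hits


# Constructed sample records (not real telemetry) in Sysmon Event ID 7 shape.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Sunshine\sunshine.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Program Files\Sunshine\sunshine.exe",
     "ImageLoaded": r"C:\Program Files\Sunshine\vendored.dll"},
    {"Image": r"C:\Program Files\Sunshine\sunshine.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"Image": r"C:\Program Files\Sunshine\sunshine.exe",
     "ImageLoaded": r"D:\Tools\shared\helper.dll"},
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {path}")
```

Only the third and fifth sample events are reported: the first two come from trusted roots and the fourth is not a Sunshine load at all. Matching on path components rather than substrings avoids the false positive a pattern like `*\System32*` would produce for a directory named `System32Extra`.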
