CVE-2025-53095
📋 TL;DR
Sunshine's web UI lacks CSRF protection, allowing attackers to trick authenticated users into executing arbitrary OS commands with Administrator privileges via the 'Command Preparations' feature. This affects all Sunshine instances with web UI enabled prior to version 2025.628.4510. Attackers can achieve remote code execution through crafted malicious web pages.
💻 Affected Systems
- Sunshine (LizardByte)
📦 What is this software?
Sunshine by LizardByte
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary command execution with Administrator privileges, leading to complete control of the host system, data theft, ransomware deployment, or lateral movement.
Likely Case
Remote code execution on the Sunshine host system, allowing attackers to install malware, create backdoors, or disrupt streaming services.
If Mitigated
Limited impact with proper network segmentation and restricted web UI access, though CSRF could still enable unauthorized configuration changes.
🎯 Exploit Status
Exploitation requires user interaction (visiting a malicious page) but is straightforward once the page is crafted. No authentication bypass is needed, as the attack leverages the victim's existing authenticated session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.628.4510
Vendor Advisory: https://github.com/LizardByte/Sunshine/security/advisories/GHSA-39hj-fxvw-758m
Restart Required: Yes
Instructions:
1. Download the latest version from GitHub releases.
2. Stop the Sunshine service.
3. Install/upgrade to version 2025.628.4510 or later.
4. Restart the Sunshine service.
🔧 Temporary Workarounds
Disable Web UI
Temporarily disable Sunshine's web interface to prevent CSRF attacks.
Edit sunshine.conf: set 'webui' to false
Restart Sunshine service
Network Isolation
Restrict web UI access to trusted networks only.
Configure firewall to block external access to Sunshine web port (default 47990)
Use VPN for remote administration
🧯 If You Can't Patch
- Implement strict network segmentation: isolate the Sunshine host from critical systems
- Use browser extensions that block CSRF attempts and educate users about phishing risks
🔍 How to Verify
Check if Vulnerable:
Check the Sunshine version via the web UI or the configuration file. If the version is older than 2025.628.4510 and the web UI is enabled, the system is vulnerable.
Check Version:
sunshine --version (Linux/macOS) or check web UI About page
Verify Fix Applied:
Confirm version is 2025.628.4510 or later via web UI or sunshine --version command.
📡 Detection & Monitoring
Log Indicators:
- Unexpected command execution via Command Preparations
- Multiple failed authentication attempts followed by successful CSRF
Network Indicators:
- Unusual outbound connections from Sunshine host
- Requests to Sunshine web UI from unexpected sources
SIEM Query:
source="sunshine" AND (event="command_execution" OR event="config_change") AND user_agent CONTAINS "malicious"
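As an added example (not from the advisory or from the Sunshine project), the following Python checker applies the "requests to the web UI from unexpected sources" indicator above: it flags state-changing requests to the web UI whose Origin/Referer header does not match the Sunshine host, which is the signature a browser leaves behind when a CSRF page submits a form. The access-log format, the host address 192.168.1.10 and the endpoint paths are assumptions made for the sample; only the default port 47990 comes from the advisory.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (not real Sunshine logs; the advisory shows none):
# assumed reverse proxy in front of the web UI, logging source IP, method, path, Origin, Referer.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z 192.168.1.20 GET / origin=- referer=-
2025-07-01T10:00:05Z 192.168.1.20 POST /api/config origin=https://192.168.1.10:47990 referer=https://192.168.1.10:47990/config
2025-07-01T10:02:13Z 192.168.1.20 POST /api/config origin=https://evil.example referer=https://evil.example/page.html
2025-07-01T10:02:14Z 192.168.1.20 POST /api/apps origin=- referer=-
"""

WEBUI_HOST = "192.168.1.10:47990"  # assumption: Sunshine host, default web UI port 47990

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)\s+"
                     r"origin=(?P<origin>\S+) referer=(?P<referer>\S+)$")

def source_host(header_value):
    """host:port from an Origin/Referer value; None if the header was absent."""
    if header_value in ("-", ""):
        return None
    parts = urlsplit(header_value)
    if parts.hostname is None:           # e.g. "Origin: null" from a sandboxed page
        return header_value.lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}"

def classify(record):
    """Reason to review a state-changing request, or None if it looks same-origin."""
    if record["method"] in ("GET", "HEAD", "OPTIONS"):
        return None                      # CSRF against config/commands needs a write
    src = source_host(record["origin"]) or source_host(record["referer"])
    if src is None:
        return "missing Origin/Referer"  # could be a non-browser client; still review
    if src != WEBUI_HOST:
        return f"cross-origin from {src}"
    return None

def find_csrf_candidates(log_text):
    """Return (timestamp, method, path, reason) for each request worth review."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        record = match.groupdict()
        reason = classify(record)
        if reason:
            findings.append((record["ts"], record["method"], record["path"], reason))
    return findings
```

A same-origin check like this is a detection aid, not a fix: the vendor patch adds server-side CSRF protection, which this script only approximates from the outside.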