Unquoted Executable Path Vulnerability in Sunshine by LizardByte
CVE-2025-54081

6.7MEDIUM

Key Information:

Vendor

Lizardbyte

Status
Sunshine
Vendor
CVE Published:
23 September 2025

What is CVE-2025-54081?

The Sunshine game stream host, developed by LizardByte, has a vulnerability due to an unquoted executable path in the Windows service SunshineService. This issue arises when Sunshine is installed in a directory containing spaces. The Service Control Manager (SCM) may interpret the executable path incrementally, potentially allowing the execution of a malicious binary if placed earlier in the search path. Users are advised to upgrade to version 2025.923.33222 or later to mitigate this risk.

Affected Version(s)

Sunshine < 2025.923.33222

References

https://github.com/LizardByte/Sunshine/security/advisorie...
x_refsource_CONFIRM
https://github.com/LizardByte/Sunshine/commit/f22b00d6981...
x_refsource_MISC
https://github.com/LizardByte/Sunshine/releases/tag/v2025...
x_refsource_MISC

CVSS V3.1

Score:
6.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-54081 : Unquoted Executable Path Vulnerability in Sunshine by LizardByte