CVE-2025-10198 is a DLL search-order hijacking vulnerability classified under CWE-427, affecting LizardByte's Sunshine for Windows version v2025.122.141614. The vulnerability stems from the software's reliance on the Windows DLL search path, which includes directories that are writable by standard users. Attackers with local access can exploit this by placing a malicious DLL in one of these writable PATH directories. When Sunshine for Windows loads DLLs, it may inadvertently load the malicious DLL instead of the legitimate one, leading to arbitrary code execution with the privileges of the user running the application. The CVSS 3.1 base score of 7.8 reflects a high severity, with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and requiring user interaction (UI:R). The impact is severe, affecting confidentiality, integrity, and availability (all rated high). Although no public exploits are known at this time, the vulnerability presents a significant risk due to the ease of exploitation once local access is obtained. The vulnerability is particularly dangerous in environments where users have write access to PATH directories and where Sunshine for Windows is used, potentially enabling privilege escalation or persistent malware installation. The lack of available patches at the time of publication necessitates immediate mitigation through configuration and operational controls.

For European organizations, this vulnerability poses a significant risk, especially in sectors where Sunshine for Windows is deployed for remote desktop or streaming services. Successful exploitation can lead to unauthorized code execution, data breaches, and system compromise, impacting confidentiality, integrity, and availability of critical systems. Organizations with multi-user environments or shared workstations are particularly vulnerable due to the writable PATH directories. The threat could facilitate lateral movement within networks or persistent footholds for attackers. Given the high CVSS score and the nature of the vulnerability, the potential impact includes disruption of business operations, data theft, and damage to organizational reputation. The absence of known exploits reduces immediate risk but does not diminish the urgency for mitigation. European entities in finance, government, and critical infrastructure sectors using this software are at heightened risk due to the sensitive nature of their data and systems.

1. Immediately audit and remove any user-writable directories from the system PATH environment variable to prevent malicious DLL placement. 2. Restrict write permissions on directories included in the PATH to trusted administrators only. 3. Implement application whitelisting and DLL integrity verification to detect and block unauthorized DLLs. 4. Monitor file system changes in PATH directories for suspicious activity using endpoint detection and response (EDR) tools. 5. Educate users about the risks of executing untrusted applications and the importance of avoiding unnecessary user interaction that could trigger exploitation. 6. Isolate systems running Sunshine for Windows in segmented network zones to limit lateral movement if compromised. 7. Engage with LizardByte for patches or updates addressing this vulnerability and plan prompt deployment once available. 8. Employ least privilege principles to minimize the impact of potential exploitation. 9. Regularly review and update security policies regarding environment variable management and software installation practices.