
CVE-2025-10198: CWE-427 Uncontrolled Search Path Element in LizardByte Sunshine for Windows

Unknown
Tags: Vulnerability, CVE-2025-10198, cve, cwe-427
Published: Tue Sep 09 2025 (09/09/2025, 17:28:14 UTC)
Source: CVE Database V5
Vendor/Project: LizardByte
Product: Sunshine for Windows

Description

Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories.

AI-Powered Analysis

Last updated: 09/09/2025, 17:35:44 UTC

Technical Analysis

CVE-2025-10198 is a security vulnerability identified in the LizardByte Sunshine for Windows software, specifically version v2025.122.141614. The vulnerability is classified under CWE-427, which pertains to Uncontrolled Search Path Element issues. This type of vulnerability arises when an application loads dynamic link libraries (DLLs) from directories that are user-writable or otherwise untrusted, allowing an attacker to place a malicious DLL in these directories. When the application subsequently loads the DLL, it inadvertently executes the attacker's code. In this case, the DLL search-order hijacking vulnerability allows an attacker with write access to certain PATH directories to insert a malicious DLL. Because Windows resolves DLLs by searching directories in a specific order, if a malicious DLL is found earlier in the search path than the legitimate one, the malicious code will be loaded and executed with the privileges of the Sunshine application. This can lead to arbitrary code execution, privilege escalation, or persistence on the affected system. The vulnerability does not currently have a CVSS score assigned, and no known exploits in the wild have been reported as of the publication date (September 9, 2025). However, the nature of DLL hijacking vulnerabilities makes them attractive targets for attackers, especially in environments where the affected software is widely deployed and runs with elevated privileges. The absence of a patch link suggests that a fix may not yet be publicly available, increasing the urgency for mitigation through configuration or operational controls.

Potential Impact

For European organizations, the impact of this vulnerability can be significant depending on the deployment scope of LizardByte Sunshine for Windows. If the software is used in critical infrastructure, enterprise environments, or by organizations handling sensitive data, exploitation could lead to unauthorized code execution, data breaches, or disruption of services. Attackers could leverage this vulnerability to gain persistent footholds or escalate privileges within corporate networks. Given the vulnerability involves user-writeable PATH directories, insider threats or attackers who have gained limited access could exploit this to move laterally or maintain persistence. The lack of an official patch increases risk, especially in environments with slower update cycles. Additionally, regulatory frameworks such as GDPR impose strict data protection requirements; a breach resulting from this vulnerability could lead to compliance violations and financial penalties. The vulnerability's exploitation could also undermine trust in software supply chains, particularly if LizardByte Sunshine is used in software development or deployment pipelines.

Mitigation Recommendations

1. Restrict write permissions on directories included in the system PATH environment variable to trusted administrators only, preventing unauthorized users from placing malicious DLLs.
2. Use application whitelisting or code integrity policies (such as Windows Defender Application Control or AppLocker) to restrict execution of unauthorized DLLs or binaries.
3. Employ process monitoring tools to detect anomalous DLL loading behavior by Sunshine for Windows, enabling early detection of exploitation attempts.
4. Isolate systems running Sunshine for Windows in segmented network zones with strict access controls to limit potential lateral movement.
5. Regularly audit and clean PATH environment variables to remove unnecessary or user-writable directories.
6. Engage with LizardByte for updates or patches and prioritize applying them once available.
7. Consider Windows security features such as DLL Safe Search Mode, or having the application call SetDllDirectory to control DLL search paths explicitly, where the application supports this.
8. Educate users and administrators about the risks of DLL hijacking and enforce least privilege principles to reduce the attack surface.
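As an added example for mitigation step 3 (not code from the advisory or from the Sunshine project), the following detection logic runs over constructed Sysmon Event ID 7 (ImageLoad) records and flags DLLs that sunshine.exe loads from outside an allow-list of directories, or that are not validly signed; the install path in TRUSTED_DIRS and the sample records are assumptions made for this example.

```python
# Added example: Sysmon ImageLoad (EID 7) triage for Sunshine DLL loads.
# Fields used (Image, ImageLoaded, Signed, SignatureStatus) are Sysmon's own.
import json
from pathlib import PureWindowsPath

# Directories from which a DLL load by sunshine.exe is expected. The install
# path is an assumption for this sample; adjust it to the real deployment.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files\Sunshine",
)

def path_under(path: str, root: str) -> bool:
    """True if `path` lies strictly inside directory `root` (case-insensitive)."""
    p = [x.lower() for x in PureWindowsPath(path).parts]
    r = [x.lower() for x in PureWindowsPath(root).parts]
    return len(p) > len(r) and p[:len(r)] == r

def parse_events(log_text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(ln) for ln in log_text.splitlines() if ln.strip()]

def suspicious_loads(events: list) -> list:
    """Return ImageLoad events consistent with a search-order hijack:
    sunshine.exe loading a DLL outside TRUSTED_DIRS, or a DLL whose
    Authenticode signature is missing or not valid."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev.get("Image", "")).name.lower() != "sunshine.exe":
            continue  # only the process named in the advisory
        loaded = ev.get("ImageLoaded", "")
        in_trusted = any(path_under(loaded, d) for d in TRUSTED_DIRS)
        signed_ok = (str(ev.get("Signed", "")).lower() == "true"
                     and ev.get("SignatureStatus") == "Valid")
        if not (in_trusted and signed_ok):
            hits.append(ev)
    return hits

# Constructed sample records (not real telemetry), kept as a raw string so the
# JSON backslash escapes survive: a benign system DLL, a DLL from a
# user-writable directory, an unsigned DLL in the install directory, and a
# load by an unrelated process that must be ignored.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Sunshine\\sunshine.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Program Files\\Sunshine\\sunshine.exe", "ImageLoaded": "C:\\Users\\alice\\tools\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Program Files\\Sunshine\\sunshine.exe", "ImageLoaded": "C:\\Program Files\\Sunshine\\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Users\\alice\\tools\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
"""
```

Running `suspicious_loads(parse_events(SAMPLE_LOG))` on the sample returns the two Sunshine loads that fail the allow-list or signature check; in production, feed it exported Sysmon events and tune TRUSTED_DIRS to the actual install location.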


Technical Details

Data Version: 5.1
Assigner Short Name: certcc
Date Reserved: 2025-09-09T17:25:14.481Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68c064ee22bccc7413ab98b0

Added to database: 9/9/2025, 5:33:34 PM

Last enriched: 9/9/2025, 5:35:44 PM

Last updated: 9/9/2025, 9:34:57 PM

