CVE-2025-10198 is a DLL search-order hijacking vulnerability classified under CWE-427, affecting LizardByte's Sunshine for Windows version v2025.122.141614. The vulnerability stems from the application loading dynamic link libraries (DLLs) from directories included in the system PATH environment variable that are writable by standard users. This uncontrolled search path element allows an attacker with local access to place a malicious DLL in one of these directories. When the vulnerable application loads the DLL, it inadvertently executes the attacker's code with the privileges of the user running Sunshine. The CVSS 3.1 base score is 7.8 (high), reflecting high impact on confidentiality, integrity, and availability, with attack vector local, low attack complexity, no privileges required, but requiring user interaction. The vulnerability does not currently have known exploits in the wild, and no patches have been published. This type of DLL hijacking can be leveraged for privilege escalation, persistence, or lateral movement within a network. The root cause is improper handling of DLL search paths, where user-writable directories are included without validation or restrictions. This vulnerability highlights the importance of secure DLL loading practices and environment hygiene in Windows applications.

For European organizations, the impact of CVE-2025-10198 can be significant, especially in environments where LizardByte Sunshine for Windows is deployed. Successful exploitation can lead to execution of arbitrary code with user-level privileges, potentially escalating to higher privileges if combined with other vulnerabilities or misconfigurations. This can result in data breaches, unauthorized access to sensitive information, disruption of services, and persistence of malware. Organizations with shared or multi-user systems are particularly at risk, as attackers can place malicious DLLs in user-writable PATH directories. The confidentiality, integrity, and availability of critical systems can be compromised, affecting business operations and compliance with data protection regulations such as GDPR. Additionally, the requirement for user interaction means phishing or social engineering could be used to trigger the exploit, increasing the attack surface. The lack of a patch increases the urgency for immediate mitigation measures to prevent exploitation.

1. Immediately audit and restrict write permissions on all directories included in the system PATH environment variable to prevent unauthorized DLL placement. 2. Remove any user-writable directories from the PATH environment variable, especially those that are writable by non-administrative users. 3. Employ application whitelisting and code integrity policies (e.g., Windows Defender Application Control) to restrict execution of unauthorized DLLs. 4. Monitor file system changes in PATH directories and use endpoint detection and response (EDR) tools to detect suspicious DLL loads or modifications. 5. Educate users about the risks of executing or interacting with untrusted applications or files to reduce the likelihood of triggering the vulnerability. 6. Engage with LizardByte to obtain patches or updates and plan for timely deployment once available. 7. Consider isolating or sandboxing the Sunshine application to limit the impact of potential exploitation. 8. Regularly review environment variables and application configurations to ensure secure DLL loading practices are enforced.