CVE-2025-10199 is a local privilege escalation vulnerability classified under CWE-428 (Unquoted Search Path or Element) affecting LizardByte's Sunshine for Windows software, specifically version v2025.122.141614 and likely prior versions. The root cause is an unquoted service path in the Windows service configuration. When a service path contains spaces but is not enclosed in quotes, Windows may interpret the path incorrectly and execute malicious executables placed in directories parsed earlier in the path. An attacker with limited local privileges can exploit this by placing a crafted executable in one of these directories, which the system then runs with elevated service privileges, leading to privilege escalation. The CVSS 3.1 score is 7.8 (high), reflecting the vulnerability's impact on confidentiality, integrity, and availability, as well as its relatively low complexity and lack of required user interaction. Although no exploits are currently known in the wild, the vulnerability is straightforward to exploit for local attackers who have some level of access. This flaw can lead to full system compromise, allowing attackers to install persistent malware, steal sensitive data, or disrupt system operations. The vulnerability highlights the importance of secure service path configuration and proper quoting to prevent path hijacking attacks in Windows environments.

For European organizations, this vulnerability poses a significant risk as it enables local attackers to escalate privileges to SYSTEM or equivalent levels, potentially compromising entire systems. This can lead to unauthorized access to sensitive data, disruption of critical services, and the deployment of persistent malware. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly vulnerable due to the sensitive nature of their data and operations. The impact is exacerbated in environments where Sunshine for Windows is deployed on endpoints or servers that handle sensitive workloads. Since exploitation requires local access, the threat is higher in scenarios where attackers can gain initial footholds through phishing, insider threats, or other means. The vulnerability could also be leveraged as a stepping stone for lateral movement within corporate networks. Given the high severity and potential for full system compromise, European organizations must prioritize remediation to maintain security and compliance with data protection regulations like GDPR.

To mitigate CVE-2025-10199, organizations should immediately audit all Windows services for unquoted service paths, focusing on the Sunshine for Windows installation. Correct the service path by enclosing it in double quotes to ensure Windows interprets it correctly. Restrict write permissions on all directories in the service path to prevent unauthorized users from placing malicious executables. Implement application whitelisting to block unauthorized binaries from executing. Monitor local privilege escalation attempts through endpoint detection and response (EDR) tools and Windows event logs. Since no official patch is currently available, coordinate with LizardByte for updates or workarounds. Additionally, enforce the principle of least privilege to limit user permissions and reduce the risk of local exploitation. Regularly train IT staff to recognize and remediate unquoted service path vulnerabilities and maintain an up-to-date asset inventory to quickly identify affected systems. Consider network segmentation to limit lateral movement if an escalation occurs.