CVE-2025-10199 is a local privilege escalation vulnerability identified in LizardByte's Sunshine for Windows, specifically affecting version v2025.122.141614 and likely prior versions. The root cause of this vulnerability is an unquoted service path, classified under CWE-428 (Unquoted Search Path or Element). In Windows environments, when a service path contains spaces and is not enclosed in quotes, the system may incorrectly resolve the executable path by searching directories in a specific order. This can allow an attacker with local access to place a malicious executable in a higher-priority directory, which the system might execute instead of the intended service binary. Exploiting this vulnerability enables an attacker with limited privileges (local user with low privileges) to escalate their rights to those of the service, potentially SYSTEM or administrative level, without requiring user interaction. The CVSS v3.1 base score of 7.8 reflects a high severity, with attack vector local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk due to the ease of exploitation once local access is obtained. Sunshine for Windows is a remote desktop and streaming software, often used for remote access and gaming purposes, which may be installed on various Windows endpoints. The vulnerability's exploitation could allow attackers to gain elevated privileges on affected systems, potentially leading to full system compromise, lateral movement, or persistence within a network environment.

For European organizations, the impact of CVE-2025-10199 can be substantial, especially in sectors where Sunshine for Windows is deployed on workstations or servers. Elevated privileges can lead to unauthorized access to sensitive data, disruption of services, and the ability to install persistent malware or ransomware. Organizations in finance, healthcare, government, and critical infrastructure sectors are particularly at risk due to the potential for data breaches and operational disruptions. The local nature of the attack means that initial access is required, which could be achieved through phishing, physical access, or other initial footholds. Once exploited, attackers can bypass security controls, escalate privileges, and move laterally within networks. This vulnerability also poses risks in hybrid work environments where remote desktop tools are more prevalent, increasing the attack surface. The high confidentiality, integrity, and availability impacts mean that exploitation could result in data theft, unauthorized modifications, and service outages, all of which have regulatory and reputational consequences under European data protection laws such as GDPR.

To mitigate CVE-2025-10199, European organizations should: 1) Immediately verify if Sunshine for Windows is installed on any endpoints and identify the version in use. 2) Apply any available patches or updates from LizardByte as soon as they are released; if no patch is currently available, consider temporary workarounds such as manually correcting the service path by enclosing it in quotes to prevent path hijacking. 3) Restrict local user permissions to the minimum necessary, limiting the ability to write to directories that are part of the service path. 4) Implement application whitelisting and endpoint detection and response (EDR) solutions to monitor for suspicious executable launches and privilege escalation attempts. 5) Conduct regular audits of service configurations and paths to detect unquoted service paths or other misconfigurations. 6) Educate users and administrators about the risks of local privilege escalation and enforce strong physical and logical access controls to prevent unauthorized local access. 7) Monitor logs for unusual activity related to service execution and privilege escalations. These targeted actions go beyond generic advice by focusing on the specific nature of the unquoted service path vulnerability and the operational context of Sunshine for Windows.