CVE-2025-10199 is a local privilege escalation vulnerability identified in the Sunshine for Windows software developed by LizardByte, specifically affecting version v2025.122.141614 and likely earlier versions. The vulnerability arises from an unquoted service path, classified under CWE-428 (Unquoted Search Path or Element). In Windows environments, when a service executable path contains spaces but is not enclosed in quotes, the operating system may incorrectly parse the path and execute unintended binaries located in directories earlier in the search path. This can allow a local attacker with limited privileges to place a malicious executable in a strategically named folder or file path, which the system then executes with elevated service privileges. Since Sunshine for Windows runs as a service, exploitation of this vulnerability can lead to privilege escalation from a standard user to SYSTEM or administrative level. The vulnerability requires local access to the system but does not require user interaction beyond placing the malicious executable. No known public exploits have been reported yet, and no CVSS score has been assigned. The lack of a patch link suggests that a fix may not yet be publicly available or is pending. This vulnerability is significant because it leverages a common misconfiguration in Windows service paths, which can be exploited easily if local access is obtained, potentially compromising system integrity and confidentiality by allowing attackers to execute arbitrary code with high privileges.

For European organizations, the impact of this vulnerability can be substantial, especially in environments where Sunshine for Windows is deployed. If exploited, attackers could gain elevated privileges on affected systems, enabling them to install persistent malware, access sensitive data, or disrupt operations. This is particularly critical for organizations handling sensitive personal data under GDPR, as unauthorized access could lead to data breaches and regulatory penalties. Additionally, privilege escalation vulnerabilities can serve as a stepping stone for lateral movement within corporate networks, increasing the risk of widespread compromise. The local nature of the vulnerability limits remote exploitation but does not diminish the risk in environments where insider threats or compromised user accounts exist. Organizations relying on Sunshine for Windows for remote desktop or streaming services may face operational disruptions if attackers leverage this vulnerability to disable or manipulate the service. The absence of known exploits in the wild provides a window for proactive mitigation but also underscores the need for vigilance as attackers may develop exploits once the vulnerability becomes widely known.

To mitigate this vulnerability effectively, European organizations should first verify if Sunshine for Windows is installed and identify the affected versions. Immediate steps include: 1) Manually inspecting the service executable paths for unquoted spaces by using commands like 'sc qc <service_name>' and ensuring that all paths are properly quoted. 2) If unquoted paths are found, administrators should correct the service configuration by enclosing the executable paths in double quotes to prevent unintended execution paths. 3) Restrict write permissions on directories in the service path to prevent unauthorized users from placing malicious executables. 4) Monitor local user activities and audit service configurations regularly to detect unauthorized changes. 5) Implement strict local user privilege management to minimize the number of users with local access capable of exploiting this vulnerability. 6) Stay updated with vendor advisories for official patches or updates addressing this issue and apply them promptly once available. 7) Employ endpoint detection and response (EDR) solutions to detect suspicious activities related to service execution and privilege escalation attempts. These targeted actions go beyond generic advice by focusing on the specific nature of unquoted service paths and local privilege escalation vectors.