CVE-2025-53095 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting the web UI of LizardByte's Sunshine, a self-hosted game streaming server used in conjunction with Moonlight clients. Prior to version 2025.628.4510, Sunshine's web interface lacks CSRF protections, allowing attackers to craft malicious web pages that, when visited by authenticated users, can trigger unauthorized actions within the application. The vulnerability is particularly severe because Sunshine inherently supports OS command execution via its 'Command Preparations' feature. Exploiting this CSRF flaw enables an attacker to inject arbitrary OS commands that execute with Administrator privileges whenever a game or application is launched through Sunshine. This can lead to full system compromise, including data theft, system manipulation, or persistent backdoors. The vulnerability has a CVSS v3.1 score of 9.7, reflecting its criticality, with network attack vector, no privileges required, but user interaction needed (visiting a malicious page). The scope is changed, as the attack can affect the entire system beyond the web UI. No known exploits are currently reported in the wild, but the potential impact is severe. The issue was patched in version 2025.628.4510 by adding proper CSRF protections to the web UI.

For European organizations using Sunshine for game streaming or remote access, this vulnerability poses a significant risk. An attacker could leverage social engineering to trick authenticated users into visiting malicious websites, resulting in arbitrary command execution with administrative rights on the host system. This could lead to data breaches, unauthorized access to sensitive information, disruption of services, or deployment of malware/ransomware. Organizations with less mature security awareness or lacking network segmentation may be particularly vulnerable. Since Sunshine is self-hosted, compromised hosts could serve as pivot points for lateral movement within corporate networks. The impact extends beyond confidentiality to integrity and availability, as attackers can manipulate system processes or disrupt streaming services. Given the criticality and ease of exploitation, European entities relying on Sunshine should prioritize remediation to prevent potential operational and reputational damage.

1. Immediate upgrade to Sunshine version 2025.628.4510 or later to apply the official patch that addresses the CSRF vulnerability. 2. Implement network-level protections such as web application firewalls (WAFs) to detect and block suspicious CSRF attack patterns targeting the Sunshine web UI. 3. Enforce strict Content Security Policy (CSP) headers and SameSite cookie attributes to reduce the risk of CSRF exploitation. 4. Educate users about the risks of visiting untrusted websites while authenticated to Sunshine, emphasizing phishing and social engineering awareness. 5. Restrict access to the Sunshine web UI to trusted networks or VPNs to minimize exposure to external attackers. 6. Monitor logs for unusual command execution or access patterns indicative of exploitation attempts. 7. Consider deploying endpoint detection and response (EDR) solutions to detect anomalous OS command executions. 8. Regularly audit and review administrative privileges and command preparation configurations within Sunshine to limit potential abuse.