CVE-2025-54081: CWE-428: Unquoted Search Path or Element in LizardByte Sunshine

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-54081, cwe-428
Published: Tue Sep 23 2025 (09/23/2025, 18:18:39 UTC)
Source: CVE Database V5
Vendor/Project: LizardByte
Product: Sunshine

Description

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.

AI-Powered Analysis

Last updated: 09/24/2025, 00:13:09 UTC

Technical Analysis

CVE-2025-54081 is a CWE-428 (Unquoted Search Path or Element) vulnerability in Sunshine by LizardByte, a self-hosted game streaming server for Moonlight clients. Prior to version 2025.923.33222, the Windows service 'SunshineService' was installed with an unquoted executable path. When the installation directory path contains spaces and is not enclosed in quotes, the Windows Service Control Manager (SCM) may misinterpret the executable path: it resolves the path incrementally, and may execute a malicious binary that an attacker has placed earlier in the search path.

An attacker with low privileges, and with user interaction, can use this to escalate privileges or execute arbitrary code with the service's permissions. The CVSS v3.1 base score is 6.7 (medium severity); the vector specifies a local attack vector, high attack complexity, low privileges required, user interaction required, and high impact on confidentiality, integrity, and availability. The vulnerability has been patched in version 2025.923.33222, and no known exploits are currently reported in the wild. The root cause is a common Windows service misconfiguration that can be exploited where the software is installed in a directory with spaces in its name, such as 'C:\Program Files\Sunshine'.

Potential Impact

For European organizations, this vulnerability presents a moderate risk primarily in environments where Sunshine is deployed on Windows systems. Given that Sunshine is a niche product used for game streaming, the impact is likely limited to organizations or individuals using this software for remote game streaming or related purposes. However, exploitation could lead to privilege escalation or arbitrary code execution on affected hosts, potentially allowing attackers to gain persistent access or move laterally within a network. This could compromise confidentiality, integrity, and availability of the affected systems. In enterprise environments, especially those with gaming or multimedia development, or where Sunshine is used for remote access, this vulnerability could be leveraged as a foothold for further attacks. The requirement for local access and user interaction reduces the risk of widespread remote exploitation but does not eliminate the threat in scenarios where attackers have some level of access or can trick users into executing malicious binaries. The medium severity rating reflects these factors. Organizations with strict endpoint security and controlled software installation paths are less likely to be impacted, but those with less stringent controls or legacy installations may be vulnerable.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Immediately update Sunshine to version 2025.923.33222 or later, where the unquoted path issue is fixed.
2) Audit existing installations to verify the installation path does not contain spaces or ensure the executable path is properly quoted in the service configuration.
3) Use Windows tools such as 'sc qc SunshineService' to check the service executable path and correct it if unquoted.
4) Restrict write permissions on directories in the executable path to prevent unauthorized users from placing malicious binaries.
5) Employ application whitelisting and endpoint protection solutions to detect and block unauthorized executable files.
6) Educate users about the risks of executing unknown binaries and enforce least privilege principles to limit the ability of attackers to exploit local vulnerabilities.
7) Monitor logs for unusual service behavior or unexpected process executions related to SunshineService.

These steps go beyond generic patching by addressing the root cause and reducing the attack surface related to service path misconfigurations.
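The audit in steps 2 to 4 can be scripted. The following PowerShell is an added example, not code from the advisory or from the Sunshine project: it flags services whose executable path is unquoted and contains a space, and lists the parent directories whose write permissions should be reviewed. The function names are hypothetical, and the sample path uses a constructed file name.

```powershell
# Added example: audit Windows services for CWE-428 (unquoted service path).
# Function names are hypothetical helpers, not part of any product.

function Get-ServiceExePath {
    # Returns the executable portion of an unquoted ImagePath, or $null
    # when the path is already quoted or contains no .exe token.
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $null }
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Test-UnquotedServicePath {
    # True when the executable path is unquoted and contains a space.
    param([Parameter(Mandatory)][string]$ImagePath)
    $exe = Get-ServiceExePath -ImagePath $ImagePath
    return ($null -ne $exe) -and $exe.Contains(' ')
}

function Get-DirectoriesToReview {
    # For each space in the executable path, returns the parent directory
    # of the text before that space; these are the ACLs to check (step 4).
    param([Parameter(Mandatory)][string]$ImagePath)
    $exe = Get-ServiceExePath -ImagePath $ImagePath
    if ($null -eq $exe) { return @() }
    $dirs = @()
    for ($i = $exe.IndexOf(' '); $i -ge 0; $i = $exe.IndexOf(' ', $i + 1)) {
        $dirs += Split-Path -Path $exe.Substring(0, $i) -Parent
    }
    return $dirs | Select-Object -Unique
}

# Constructed sample: the directory is the advisory's example, the file name is made up.
$sample = 'C:\Program Files\Sunshine\example-service.exe'
"Sample flagged: $(Test-UnquotedServicePath $sample)"
"Review ACLs on: $((Get-DirectoriesToReview $sample) -join '; ')"

# Live audit of every installed service on the local host.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    ForEach-Object {
        [pscustomobject]@{
            Service   = $_.Name
            RunsAs    = $_.StartName
            Path      = $_.PathName
            ReviewAcl = (Get-DirectoriesToReview $_.PathName) -join '; '
        }
    }
```

For each directory reported under ReviewAcl, inspect the permissions with `icacls` or `Get-Acl` and confirm that non-administrative users cannot create files there.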

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-16T13:22:18.207Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d336ad712f26b964ce8eae

Added to database: 9/24/2025, 12:09:17 AM

Last enriched: 9/24/2025, 12:13:09 AM

Last updated: 9/27/2025, 2:08:36 AM