Sunshine Unquoted Service Path Vulnerability in SunshineService Allows Local Privilege Escalation
Vulnerability
A vulnerability exists in Sunshine, a self-hosted game streaming host for Moonlight, prior to version 2025.923.33222. The Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose path contains spaces, the Service Control Manager (SCM) can misinterpret that path and execute a malicious binary placed at an earlier point in the path instead of the intended service executable. The vulnerability allows local code execution with NT AUTHORITY\SYSTEM privileges when the service starts.
Impact
Exploitation of this vulnerability allows a local, low-privileged user to execute arbitrary code as the SYSTEM user, leading to unauthorized access and control over the affected system.
Reproduction
To reproduce this vulnerability, install Sunshine in a directory path that includes spaces, such as 'C:\Program\Game Stream\Sunshine'. After installation, the unquoted service path can be confirmed by checking the 'BINARY_PATH_NAME' of 'SunshineService' with the 'sc.exe qc SunshineService' command. When the service is started, the SCM parses the unquoted path, so a malicious executable named 'Game.exe' placed earlier in that path is executed with SYSTEM privileges instead of the intended binary.
Remediation
Users are advised to update to Sunshine version 2025.923.33222, which patches the vulnerability by enclosing the service path in quotation marks. The updated version can be downloaded from the Sunshine GitHub releases page.
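The following is an added audit example, not code from this advisory or from the Sunshine project. It parses constructed 'sc.exe qc' output (the service binary name 'sunshine-service.exe' is a placeholder), lists the stray executables the SCM would try for an unquoted path, and shows that the quoted path from the fix yields none.

```python
import re

# Constructed sample of `sc.exe qc SunshineService` output (not captured from a
# real host). The file name `sunshine-service.exe` is a placeholder.
SC_QC_BEFORE_FIX = """\
SERVICE_NAME: SunshineService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program\\Game Stream\\Sunshine\\sunshine-service.exe
        DISPLAY_NAME       : Sunshine Service
"""

# Same service after the 2025.923.33222 fix: the path is enclosed in quotes.
SC_QC_AFTER_FIX = SC_QC_BEFORE_FIX.replace(
    "C:\\Program\\Game Stream\\Sunshine\\sunshine-service.exe",
    '"C:\\Program\\Game Stream\\Sunshine\\sunshine-service.exe"',
)


def binary_path_name(sc_qc_text: str) -> str:
    """Pull the BINARY_PATH_NAME value out of `sc.exe qc` output."""
    match = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_qc_text)
    if not match:
        raise ValueError("no BINARY_PATH_NAME in sc.exe output")
    return match.group(1).strip()


def scm_lookup_candidates(binary_path: str) -> list:
    """Return the stray executables the SCM may try before the intended one.

    Windows treats each space in an unquoted command line as a possible end
    of the program name and appends '.exe' to that prefix before trying the
    longer one. A quoted path, or a path without spaces, yields none.
    """
    if binary_path.startswith('"'):
        return []
    tokens = binary_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the intended image; later tokens are arguments
        candidates.append(prefix + ".exe")
    return candidates


def audit_service_path(sc_qc_text: str) -> dict:
    """Flag a service whose unquoted path lets the SCM try other binaries."""
    path = binary_path_name(sc_qc_text)
    stray = scm_lookup_candidates(path)
    return {"binary_path": path, "vulnerable": bool(stray), "stray_candidates": stray}


if __name__ == "__main__":
    for label, text in (("before fix", SC_QC_BEFORE_FIX), ("after fix", SC_QC_AFTER_FIX)):
        print(label, audit_service_path(text))
```

Each stray candidate's parent directory is what an audit should check for write access by low-privileged users; the fix removes the candidates entirely.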