Cyber Resilience

CVE-2025-53096

Medium

Published: 01 July 2025

Published
01 July 2025
Modified
22 August 2025
KEV Added
Patch
CVSS Score v3.1 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
EPSS Score 0.0019 40.8th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-53096 is a medium-severity Improper Restriction of Rendered UI Layers or Frames (CWE-1021) vulnerability in Lizardbyte Sunshine. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Service (T1543.003); ranked at the 40.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible…

more

or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1543.003 Windows Service Persistence
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.
T1489 Service Stop Impact
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
T1531 Account Access Removal Impact
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Why these techniques?

Clickjacking vulnerability enables tricking authenticated users into executing UI actions: modifying service configuration (T1031), stopping/restarting the service (T1489), and removing client access/pairings (T1531).

Affected Assets

lizardbyte
sunshine
≤ 2025.628.4510

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References