Sunshine
CVE-2024-45407
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker.
AnalysisAI
Sunshine is a self-hosted game stream host for Moonlight. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-300. Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker. Affected products include: Lizardbyte Sunshine.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Sunshine is a self-hosted game stream host for Moonlight. Rated medium severity (CVSS 6.7). Public exploit code availabl
Sunshine is a self-hosted game stream host for Moonlight. Rated medium severity (CVSS 5.9), this vulnerability is remote
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks p
Sunshine is a self-hosted game stream host for Moonlight. Rated high severity (CVSS 7.3), this vulnerability is remotely
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks p
Sunshine is a self-hosted game stream host for Moonlight. Rated low severity (CVSS 2.9).
A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior ver
Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers
Sunshine is a self-hosted game stream host for Moonlight. Rated high severity (CVSS 7.7), this vulnerability is remotely
Same weakness CWE-300 – Channel Accessible by Non-Endpoint
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today