Threat Feed
Threat level: high

Remote Sunrise Helper for Windows 2026.14 Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Remote Sunrise Helper for Windows version 2026.14, which can be exploited without authentication, as demonstrated by a public exploit published on Exploit-DB.

A remote code execution vulnerability has been identified in Remote Sunrise Helper for Windows 2026.14. A public exploit (EDB-52565) demonstrating the vulnerability has been published on Exploit-DB, indicating a heightened risk for systems running the vulnerable software. The exploit targets the application’s API endpoints to execute arbitrary commands on the host. Successful exploitation allows an unauthenticated attacker to execute commands on the targeted Windows system.

Attack Chain

  1. The attacker identifies a vulnerable Remote Sunrise Helper instance running on a Windows host.
  2. The attacker sends a GET request to /api/getVersion on the target's port 49762 to verify the application version and check whether authentication is disabled.
  3. The application responds with a JSON object indicating the version and the value of requires.auth. If requires.auth is False, the system is vulnerable.
  4. The attacker crafts a POST request to /api/executeScript with the X-Script header containing the command to execute.
  5. The attacker sets the X-HostName, X-ClientToken, and X-HostFullModel headers.
  6. The vulnerable application executes the command specified in the X-Script header.
  7. The application returns the result of the executed command in JSON format.
  8. The attacker gains remote code execution on the Windows host, potentially leading to further compromise.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary code on the affected Windows system. This could lead to complete system compromise, including data theft, installation of malware, or denial of service. The availability of a public exploit makes this vulnerability highly accessible to attackers.

Recommendation

  • Restrict access to port 49762, on which Remote Sunrise Helper listens, so that untrusted hosts cannot reach it.
  • Deploy the Sigma rule Detect Remote Sunrise Helper Vulnerability Check to identify systems potentially probing for the vulnerability.
  • Deploy the Sigma rule Detect Remote Sunrise Helper Exploit to detect exploit attempts against the /api/executeScript endpoint.
  • Monitor web server logs for POST requests to /api/executeScript with suspicious X-Script headers.

Detection coverage (2 rules)

Detect Remote Sunrise Helper Vulnerability Check

Severity: low

Detects requests to /api/getVersion to check for the Remote Sunrise Helper unauthenticated RCE vulnerability.

Rule type: Sigma. Tactic: discovery. Technique: T1595.002. Log source: webserver.

Detect Remote Sunrise Helper Exploit

Severity: high

Detects exploitation of the Remote Sunrise Helper RCE vulnerability via the /api/executeScript endpoint.

Rule type: Sigma. Tactic: execution. Technique: T1059.004. Log source: webserver.
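The two detections above, and the log-monitoring recommendation, can be reproduced outside the platform as plain matching logic over web server logs. The following is an added example written for this advisory, not the platform's Sigma rules or the vendor's code; it assumes a JSON-lines log format that records method, path and request headers (the real Remote Sunrise Helper log format is not documented here) and uses constructed sample records. It also goes one step beyond the two rules by correlating, per source address, a /api/getVersion probe followed by a POST to /api/executeScript, which is the full attack chain described above.

```python
import json

VULN_CHECK_RULE = "Detect Remote Sunrise Helper Vulnerability Check"
EXPLOIT_RULE = "Detect Remote Sunrise Helper Exploit"

# Constructed sample records in an assumed JSON-lines web server log format.
# The X-Script value is deliberately a placeholder, not a real command.
SAMPLE_LOG = """
{"src": "10.0.0.5", "method": "GET", "path": "/api/getVersion", "port": 49762, "status": 200, "headers": {}}
{"src": "10.0.0.5", "method": "POST", "path": "/api/executeScript", "port": 49762, "status": 200, "headers": {"X-Script": "<placeholder>", "X-HostName": "h", "X-ClientToken": "t", "X-HostFullModel": "m"}}
{"src": "10.0.0.9", "method": "GET", "path": "/index.html", "port": 49762, "status": 200, "headers": {}}
{"src": "10.0.0.9", "method": "POST", "path": "/api/executeScript", "port": 49762, "status": 401, "headers": {}}
"""

def parse_log(text):
    """Parse JSON-lines records; a malformed line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def match_rules(event):
    """Return (rule, severity) hits for one request, mirroring the two Sigma rules.
    Method and path are normalised so case tricks and query strings do not evade the match."""
    hits = []
    method = str(event.get("method", "")).upper()
    path = str(event.get("path", "")).split("?", 1)[0].rstrip("/").lower()
    if method == "GET" and path == "/api/getversion":
        hits.append((VULN_CHECK_RULE, "low"))
    if method == "POST" and path == "/api/executescript":
        hits.append((EXPLOIT_RULE, "high"))  # any POST here is an attempt, with or without X-Script
    return hits

def scan(text):
    """Run both rules over a log and flag sources that probed the version endpoint
    before hitting /api/executeScript (the complete attack chain)."""
    alerts, probed = [], set()
    for ev in parse_log(text):
        src = ev.get("src", "?")
        headers = {k.lower() for k in (ev.get("headers") or {})}
        for rule, sev in match_rules(ev):
            if rule == VULN_CHECK_RULE:
                probed.add(src)
            alerts.append({"src": src, "rule": rule, "severity": sev,
                           "x_script_present": "x-script" in headers,
                           "chain": rule == EXPLOIT_RULE and src in probed})
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
```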
