{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/remote-sunrise-helper-for-windows-2026.14/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Remote Sunrise Helper for Windows (2026.14)"],"_cs_severities":["high"],"_cs_tags":["remote-code-execution","exploit","windows"],"_cs_type":"threat","_cs_vendors":["rs ltd"],"content_html":"\u003cp\u003eA remote code execution vulnerability has been identified in Remote Sunrise Helper for Windows 2026.14. A public exploit (EDB-52565) demonstrating the vulnerability has been published on Exploit-DB, indicating a heightened risk for systems running the vulnerable software. The exploit targets the application\u0026rsquo;s API endpoints to execute arbitrary commands on the host. Successful exploitation allows an unauthenticated attacker to execute commands on the targeted Windows system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Remote Sunrise Helper instance running on a Windows host.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a GET request to \u003ccode\u003e/api/getVersion\u003c/code\u003e to the target on port 49762 to verify the application version and check if authentication is disabled.\u003c/li\u003e\n\u003cli\u003eThe application responds with a JSON object indicating the version and the value of \u003ccode\u003erequires.auth\u003c/code\u003e. If \u003ccode\u003erequires.auth\u003c/code\u003e is \u003ccode\u003eFalse\u003c/code\u003e, the system is vulnerable.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003e/api/executeScript\u003c/code\u003e with the \u003ccode\u003eX-Script\u003c/code\u003e header containing the command to execute.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eX-HostName\u003c/code\u003e, \u003ccode\u003eX-ClientToken\u003c/code\u003e, and \u003ccode\u003eX-HostFullModel\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application executes the command specified in the \u003ccode\u003eX-Script\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe application returns the result of the executed command in JSON format.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the Windows host, potentially leading to further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary code on the affected Windows system. This could lead to complete system compromise, including data theft, installation of malware, or denial of service. The availability of a public exploit makes this vulnerability highly accessible to attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate mitigations to prevent unauthorized access to port 49762 used by Remote Sunrise Helper.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Remote Sunrise Helper Vulnerability Check\u003c/code\u003e to identify systems potentially probing for the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Remote Sunrise Helper Exploit\u003c/code\u003e to detect exploit attempts against the \u003ccode\u003e/api/executeScript\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/executeScript\u003c/code\u003e with suspicious \u003ccode\u003eX-Script\u003c/code\u003e headers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T12:53:11Z","date_published":"2026-05-15T12:53:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-rce/","summary":"A remote code execution vulnerability exists in Remote Sunrise Helper for Windows version 2026.14, which can be exploited without authentication, as demonstrated by a public exploit published on Exploit-DB.","title":"Remote Sunrise Helper for Windows 2026.14 Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Remote Sunrise Helper for Windows (2026.14)"],"_cs_severities":["medium"],"_cs_tags":["unauthenticated-access","file-listing","windows"],"_cs_type":"advisory","_cs_vendors":["rs"],"content_html":"\u003cp\u003eA public exploit has been published on Exploit-DB (EDB-52566) detailing an unauthenticated file/directory listing vulnerability in Remote Sunrise Helper for Windows 2026.14. The vulnerable software exposes an API endpoint \u003ccode\u003e/api/listFiles\u003c/code\u003e which can be accessed without authentication to list directory contents on the target Windows system. The exploit leverages HTTP GET requests to this endpoint, potentially allowing attackers to enumerate sensitive files and directories. The availability of this exploit increases the risk to systems running the affected version of Remote Sunrise Helper.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target system running Remote Sunrise Helper for Windows 2026.14 on port 49762.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request to \u003ccode\u003ehttps://\u0026lt;target_ip\u0026gt;:49762/api/getVersion\u003c/code\u003e to determine if authentication is required.\u003c/li\u003e\n\u003cli\u003eIf the response indicates that authentication is not required ( \u003ccode\u003e\u0026quot;requires.auth\u0026quot;: False\u003c/code\u003e), the attacker proceeds to the next step.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request to \u003ccode\u003ehttps://\u0026lt;target_ip\u0026gt;:49762/api/listFiles\u003c/code\u003e with the \u003ccode\u003eX-HostName\u003c/code\u003e, \u003ccode\u003eX-ClientToken\u003c/code\u003e, and \u003ccode\u003eX-HostFullModel\u003c/code\u003e headers set to arbitrary values.\u003c/li\u003e\n\u003cli\u003eTo list a specific directory, the attacker URL-encodes the path and includes it in the request to \u003ccode\u003ehttps://\u0026lt;target_ip\u0026gt;:49762/api/listFiles=\u0026lt;encoded_path\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON payload containing a list of files and directories within the requested path.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response to enumerate files and directories on the target system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to list files and directories on the Windows system running Remote Sunrise Helper 2026.14. This information can be used to discover sensitive information, identify potential targets for further exploitation, or gather intelligence about the system\u0026rsquo;s configuration. The impact is information disclosure, potentially leading to further compromise of the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate access controls or remove the affected software.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for requests to the \u003ccode\u003e/api/listFiles\u003c/code\u003e endpoint from unusual source IPs, as detailed in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect unauthenticated access to the \u003ccode\u003e/api/listFiles\u003c/code\u003e endpoint as outlined below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T12:52:58Z","date_published":"2026-05-15T12:52:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-file-listing/","summary":"A local exploit has been published for Remote Sunrise Helper for Windows 2026.14, detailing an unauthenticated file/directory listing vulnerability. Successful exploitation allows unauthenticated attackers to list files and directories on the affected system.","title":"Remote Sunrise Helper for Windows 2026.14 - Unauthenticated File/Directory Listing","url":"https://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-file-listing/"}],"language":"en","title":"CraftedSignal Threat Feed — Remote Sunrise Helper for Windows (2026.14)","version":"https://jsonfeed.org/version/1.1"}