https://feed.craftedsignal.io/products/remote-sunrise-helper-for-windows-2026.14/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 15 May 2026 12:53:11 +0000https://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-rce/Fri, 15 May 2026 12:53:11 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-rce/A remote code execution vulnerability exists in Remote Sunrise Helper for Windows version 2026.14, which can be exploited without authentication, as demonstrated by a public exploit published on Exploit-DB.A remote code execution vulnerability has been identified in Remote Sunrise Helper for Windows 2026.14. A public exploit (EDB-52565) demonstrating the vulnerability has been published on Exploit-DB, indicating a heightened risk for systems running the vulnerable software. The exploit targets the application’s API endpoints to execute arbitrary commands on the host. Successful exploitation allows an unauthenticated attacker to execute commands on the targeted Windows system.

Attack Chain

1. Attacker identifies a vulnerable Remote Sunrise Helper instance running on a Windows host.
2. The attacker sends a GET request to /api/getVersion to the target on port 49762 to verify the application version and check if authentication is disabled.
3. The application responds with a JSON object indicating the version and the value of requires.auth. If requires.auth is False, the system is vulnerable.
4. The attacker crafts a POST request to /api/executeScript with the X-Script header containing the command to execute.
5. The attacker sets the X-HostName, X-ClientToken, and X-HostFullModel headers.
6. The vulnerable application executes the command specified in the X-Script header.
7. The application returns the result of the executed command in JSON format.
8. The attacker gains remote code execution on the Windows host, potentially leading to further compromise.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary code on the affected Windows system. This could lead to complete system compromise, including data theft, installation of malware, or denial of service. The availability of a public exploit makes this vulnerability highly accessible to attackers.

Recommendation

• Apply appropriate mitigations to prevent unauthorized access to port 49762 used by Remote Sunrise Helper.
• Deploy the Sigma rule Detect Remote Sunrise Helper Vulnerability Check to identify systems potentially probing for the vulnerability.
• Deploy the Sigma rule Detect Remote Sunrise Helper Exploit to detect exploit attempts against the /api/executeScript endpoint.
• Monitor web server logs for POST requests to /api/executeScript with suspicious X-Script headers.

]]>highthreatremote-code-executionexploitwindowshttps://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-file-listing/Fri, 15 May 2026 12:52:58 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-file-listing/A local exploit has been published for Remote Sunrise Helper for Windows 2026.14, detailing an unauthenticated file/directory listing vulnerability. Successful exploitation allows unauthenticated attackers to list files and directories on the affected system.A public exploit has been published on Exploit-DB (EDB-52566) detailing an unauthenticated file/directory listing vulnerability in Remote Sunrise Helper for Windows 2026.14. The vulnerable software exposes an API endpoint /api/listFiles which can be accessed without authentication to list directory contents on the target Windows system. The exploit leverages HTTP GET requests to this endpoint, potentially allowing attackers to enumerate sensitive files and directories. The availability of this exploit increases the risk to systems running the affected version of Remote Sunrise Helper.

Attack Chain

1. Attacker identifies a target system running Remote Sunrise Helper for Windows 2026.14 on port 49762.
2. The attacker crafts an HTTP GET request to https://<target_ip>:49762/api/getVersion to determine if authentication is required.
3. If the response indicates that authentication is not required ( "requires.auth": False), the attacker proceeds to the next step.
4. The attacker crafts an HTTP GET request to https://<target_ip>:49762/api/listFiles with the X-HostName, X-ClientToken, and X-HostFullModel headers set to arbitrary values.
5. To list a specific directory, the attacker URL-encodes the path and includes it in the request to https://<target_ip>:49762/api/listFiles=<encoded_path>.
6. The server responds with a JSON payload containing a list of files and directories within the requested path.
7. The attacker parses the JSON response to enumerate files and directories on the target system.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to list files and directories on the Windows system running Remote Sunrise Helper 2026.14. This information can be used to discover sensitive information, identify potential targets for further exploitation, or gather intelligence about the system’s configuration. The impact is information disclosure, potentially leading to further compromise of the affected system.

Recommendation

• Apply appropriate access controls or remove the affected software.
• Monitor webserver logs for requests to the /api/listFiles endpoint from unusual source IPs, as detailed in the overview.
• Deploy the Sigma rule to detect unauthenticated access to the /api/listFiles endpoint as outlined below.

]]>mediumadvisoryunauthenticated-accessfile-listingwindows