{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-listing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Remote Sunrise Helper for Windows (2026.14)"],"_cs_severities":["medium"],"_cs_tags":["unauthenticated-access","file-listing","windows"],"_cs_type":"advisory","_cs_vendors":["rs"],"content_html":"\u003cp\u003eA public exploit has been published on Exploit-DB (EDB-52566) detailing an unauthenticated file/directory listing vulnerability in Remote Sunrise Helper for Windows 2026.14. The vulnerable software exposes an API endpoint \u003ccode\u003e/api/listFiles\u003c/code\u003e which can be accessed without authentication to list directory contents on the target Windows system. The exploit leverages HTTP GET requests to this endpoint, potentially allowing attackers to enumerate sensitive files and directories. The availability of this exploit increases the risk to systems running the affected version of Remote Sunrise Helper.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target system running Remote Sunrise Helper for Windows 2026.14 on port 49762.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request to \u003ccode\u003ehttps://\u0026lt;target_ip\u0026gt;:49762/api/getVersion\u003c/code\u003e to determine if authentication is required.\u003c/li\u003e\n\u003cli\u003eIf the response indicates that authentication is not required ( \u003ccode\u003e\u0026quot;requires.auth\u0026quot;: False\u003c/code\u003e), the attacker proceeds to the next step.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request to \u003ccode\u003ehttps://\u0026lt;target_ip\u0026gt;:49762/api/listFiles\u003c/code\u003e with the \u003ccode\u003eX-HostName\u003c/code\u003e, \u003ccode\u003eX-ClientToken\u003c/code\u003e, and \u003ccode\u003eX-HostFullModel\u003c/code\u003e headers set to arbitrary values.\u003c/li\u003e\n\u003cli\u003eTo list a specific directory, the attacker URL-encodes the path and includes it in the request to \u003ccode\u003ehttps://\u0026lt;target_ip\u0026gt;:49762/api/listFiles=\u0026lt;encoded_path\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON payload containing a list of files and directories within the requested path.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response to enumerate files and directories on the target system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to list files and directories on the Windows system running Remote Sunrise Helper 2026.14. This information can be used to discover sensitive information, identify potential targets for further exploitation, or gather intelligence about the system\u0026rsquo;s configuration. The impact is information disclosure, potentially leading to further compromise of the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate access controls or remove the affected software.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for requests to the \u003ccode\u003e/api/listFiles\u003c/code\u003e endpoint from unusual source IPs, as detailed in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect unauthenticated access to the \u003ccode\u003e/api/listFiles\u003c/code\u003e endpoint as outlined below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T12:52:58Z","date_published":"2026-05-15T12:52:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-file-listing/","summary":"A local exploit has been published for Remote Sunrise Helper for Windows 2026.14, detailing an unauthenticated file/directory listing vulnerability. Successful exploitation allows unauthenticated attackers to list files and directories on the affected system.","title":"Remote Sunrise Helper for Windows 2026.14 - Unauthenticated File/Directory Listing","url":"https://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-file-listing/"}],"language":"en","title":"CraftedSignal Threat Feed — File-Listing","version":"https://jsonfeed.org/version/1.1"}