{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/rs-ltd/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Remote Sunrise Helper for Windows (2026.14)"],"_cs_severities":["high"],"_cs_tags":["remote-code-execution","exploit","windows"],"_cs_type":"threat","_cs_vendors":["rs ltd"],"content_html":"\u003cp\u003eA remote code execution vulnerability has been identified in Remote Sunrise Helper for Windows 2026.14. A public exploit (EDB-52565) demonstrating the vulnerability has been published on Exploit-DB, indicating a heightened risk for systems running the vulnerable software. The exploit targets the application\u0026rsquo;s API endpoints to execute arbitrary commands on the host. Successful exploitation allows an unauthenticated attacker to execute commands on the targeted Windows system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Remote Sunrise Helper instance running on a Windows host.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a GET request to \u003ccode\u003e/api/getVersion\u003c/code\u003e to the target on port 49762 to verify the application version and check if authentication is disabled.\u003c/li\u003e\n\u003cli\u003eThe application responds with a JSON object indicating the version and the value of \u003ccode\u003erequires.auth\u003c/code\u003e. If \u003ccode\u003erequires.auth\u003c/code\u003e is \u003ccode\u003eFalse\u003c/code\u003e, the system is vulnerable.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003e/api/executeScript\u003c/code\u003e with the \u003ccode\u003eX-Script\u003c/code\u003e header containing the command to execute.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eX-HostName\u003c/code\u003e, \u003ccode\u003eX-ClientToken\u003c/code\u003e, and \u003ccode\u003eX-HostFullModel\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application executes the command specified in the \u003ccode\u003eX-Script\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe application returns the result of the executed command in JSON format.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the Windows host, potentially leading to further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary code on the affected Windows system. This could lead to complete system compromise, including data theft, installation of malware, or denial of service. The availability of a public exploit makes this vulnerability highly accessible to attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate mitigations to prevent unauthorized access to port 49762 used by Remote Sunrise Helper.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Remote Sunrise Helper Vulnerability Check\u003c/code\u003e to identify systems potentially probing for the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Remote Sunrise Helper Exploit\u003c/code\u003e to detect exploit attempts against the \u003ccode\u003e/api/executeScript\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/executeScript\u003c/code\u003e with suspicious \u003ccode\u003eX-Script\u003c/code\u003e headers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T12:53:11Z","date_published":"2026-05-15T12:53:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-rce/","summary":"A remote code execution vulnerability exists in Remote Sunrise Helper for Windows version 2026.14, which can be exploited without authentication, as demonstrated by a public exploit published on Exploit-DB.","title":"Remote Sunrise Helper for Windows 2026.14 Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-remote-sunrise-helper-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Rs Ltd","version":"https://jsonfeed.org/version/1.1"}