Unauthenticated File/Directory Listing Vulnerability in Remote Sunrise Helper for Windows 2026.14 Exposes System Files
What Happened – A publicly‑available exploit (EDB‑52566) demonstrates that the Remote Sunrise Helper service (version 2026.14) on Windows 10/11 allows anyone to query the /api/listFiles endpoint without authentication, returning a JSON‑encoded directory listing.
Why It Matters for TPRM –
- Unauthenticated enumeration can reveal sensitive configuration files, credential stores, or proprietary data on third‑party systems.
- Attackers can use the listing as a foothold for deeper lateral movement or ransomware deployment.
- Vendors that embed Remote Sunrise Helper in their managed‑service stacks inherit this exposure, expanding the attack surface of their clients.
Who Is Affected – Organizations across all sectors that deploy Remote Sunrise Helper (commonly used by MSPs, IT service desks, and internal support teams).
Recommended Actions –
- Verify whether Remote Sunrise Helper 2026.14 is in use across your vendor ecosystem.
- Apply the vendor‑released patch or upgrade to a version that enforces authentication on the API.
- If patching is not immediate, block inbound traffic to TCP 49762 and restrict outbound calls to the helper service.
- Conduct a file‑system audit on affected hosts to ensure no sensitive data was accessed.
Technical Notes – The exploit sends a GET request to https://<target>:49762/api/listFiles (optionally with a URL‑encoded path). The service returns a JSON array of file names when the requires.auth flag is false. No CVE has been assigned yet. The vulnerability stems from a missing authentication check (misconfiguration) in the helper’s REST API.
Source: Exploit‑DB 52566
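To support the file‑system audit recommended above, the following added example (not part of the advisory or the exploit) scans proxy or firewall access logs for GET requests to /api/listFiles on TCP 49762 and reports which sources received a listing. The log layout, host names, addresses and the `x` query parameter are constructed assumptions; adapt the regular expression to your own log format.

```python
import re
from urllib.parse import unquote, urlsplit

PORT = 49762                 # helper service port named in the advisory
ENDPOINT = "/api/listfiles"  # matched case-insensitively (assumption)

# Assumed log layout: src dst:port "METHOD target HTTP/x" status bytes
LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>[^\s:]+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+$')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded paths are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_listfiles_hits(lines):
    """Return one record per GET to the listing endpoint on the helper port."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["port"]) != PORT or m["method"] != "GET":
            continue
        parts = urlsplit(m["target"])
        if decode_fully(parts.path).rstrip("/").lower() != ENDPOINT:
            continue
        hits.append({"src": m["src"], "dst": m["dst"],
                     "query": decode_fully(parts.query),
                     "listed": m["status"] == "200"})  # 200 = listing returned
    return hits

def sources_with_listings(hits):
    """Map each source address to the hosts that returned it a listing."""
    by_src = {}
    for h in hits:
        if h["listed"]:
            by_src.setdefault(h["src"], set()).add(h["dst"])
    return {src: sorted(dsts) for src, dsts in by_src.items()}

# Constructed sample lines; "x" is a placeholder query parameter name.
SAMPLE = [
    '203.0.113.7 host-a.example:49762 "GET /api/listFiles HTTP/1.1" 200 812',
    '203.0.113.7 host-b.example:49762 "GET /api/listFiles?x=C%253A%255CUsers HTTP/1.1" 200 1450',
    '198.51.100.9 host-a.example:49762 "GET /api/listFiles HTTP/1.1" 401 0',
    '198.51.100.9 host-a.example:443 "GET /api/listFiles HTTP/1.1" 200 812',
]
```

Records with `listed` set to false (for example a 401) indicate a host that rejected the request, which is the expected result once authentication is enforced.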