CVE-2026-22679
Published 2026-04-07
CVE-2026-22679: Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the…
Priority P193 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 21.48% (97.3th percentile)
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| weaver | e-cology | < 20260312 | 20260312 |
| weaver_network_co_ltd | e-cology | < 20260312 | 20260312 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests targeting the vulnerable debug API endpoint; no authentication headers should precede exploitation.
- Monitor for ping commands initiated by java.exe toward external callback infrastructure (Goby-linked), used by attackers to verify RCE capability.
- Detect obfuscated and fileless PowerShell execution spawned from java.exe, used to repeatedly fetch remote scripts after initial payload drops failed.
- Flag the presence or download of fanwei0324.msi on Weaver E-cology hosts as a high-confidence indicator of compromise.
- The vulnerable debug endpoint is entirely removed in the patched build; the endpoint should not be accessible on patched systems (build 20260312 or later).
- No alternative mitigations or workarounds exist; upgrading to build 20260312 or later is the only remediation path.
- Exploitation requires no authentication and no input validation is performed on interfaceName and methodName parameters, meaning any network-accessible instance is at risk.
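The log-side checks in the list above, as an added example (not code from the advisory or any of its sources). It assumes web access logs in combined log format and process-creation events exposed as dictionaries with the hypothetical keys `parent_image`, `image` and `command_line`; all sample data is constructed.

```python
import re
from urllib.parse import unquote

# Values taken from the advisory text; the path is lower-cased for comparison.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method".lower()
MSI_IOC = "fanwei0324.msi"
# Assumed layout: combined log format with the client address first.
LOG_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) [^"]*" (\d{3})')

def scan_access_log(lines):
    """Return (client, method, status) for each request to the debug endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        # Drop the query string, decode %XX, collapse '//' and ignore case so
        # trivially altered spellings of the path still match.
        path = re.sub(r"/+", "/", unquote(target.split("?", 1)[0])).lower()
        if path.rstrip("/") == DEBUG_ENDPOINT:
            hits.append((client, method, int(status)))
    return hits

def basename_any(path):
    """File name of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify_process_event(event):
    """Tag one process-creation event (assumed keys, see lead-in)."""
    parent = basename_any(event.get("parent_image", ""))
    child = basename_any(event.get("image", ""))
    tags = []
    if MSI_IOC in event.get("command_line", "").lower():
        tags.append("msi-ioc")
    if parent == "java.exe" and child == "ping.exe":
        tags.append("java-spawned-ping")
    if parent == "java.exe" and child in ("powershell.exe", "pwsh.exe"):
        tags.append("java-spawned-powershell")
    return tags

# Constructed samples: documentation addresses and made-up paths, not telemetry.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2026:02:14:09 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 412',
    '198.51.100.4 - - [31/Mar/2026:02:15:40 +0000] "GET /login HTTP/1.1" 200 5120',
    '203.0.113.7 - - [31/Mar/2026:02:16:02 +0000] "POST /papi//esearch/data/devops/dubboApi/debug/method?x=1 HTTP/1.1" 404 0',
]
SAMPLE_EVENT = {"parent_image": r"D:\app\jdk\bin\java.exe", "image": r"C:\Windows\System32\PING.EXE", "command_line": "ping -n 1 callback.example"}
if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG), classify_process_event(SAMPLE_EVENT))
```

Requests to this path are worth triage whatever the status code, since the page states the endpoint does not exist on build 20260312 or later.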
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.3 | CRITICAL | |
GHSA
GHSA-vg4v-xjcr-x7p5: Weaver (Fanwei) E-cology 10
ghsa_unreviewed·2026-04-07
CVE-2026-22679 [CRITICAL] CWE-306 GHSA-vg4v-xjcr-x7p5: Weaver (Fanwei) E-cology 10
VulnCheck
Missing Authentication for Critical Function
vulncheck·2026·CVSS 9.3
CVE-2026-22679 [CRITICAL] Missing Authentication for Critical Function
Affected: Weaver Network Co., Ltd. E-cology
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavai
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
## ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Hackernews
Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API
blogs_hackernews·2026-05-05·CVSS 9.3
CVE-2026-22679 [CRITICAL] Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API
## Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API
A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild.
The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the "/papi/esearch/data/devops/dubboApi/debug/method" endpoint that allows an attacker to execute arbitrary commands by invoking exposed debug functionality.
"Attackers can craft POST requ
Bleepingcomputer
Weaver E-cology critical bug exploited in attacks since March
blogs_bleepingcomputer·2026-05-04·CVSS 9.3
CVE-2026-22679 [CRITICAL] Weaver E-cology critical bug exploited in attacks since March
## Weaver E-cology critical bug exploited in attacks since March
By Bill Toulas
Hackers have been exploiting a critical vulnerability (CVE-2026-22679) in the Weaver E-cology office automation since mid-March to run discovery commands.
The attacks started five days after the software vendor released a security update to address the issue, and two weeks before disclosing it publicly.
Researchers at threat intelligence company Vega documented the malicious activity and reported that the attacks lasted roughly a week, each with several distinct phases.
Weaver E-cology is an enterprise office automation (OA) and collaboration platform used for workflows, document management, HR, and internal business processes. The product is primarily used by Chinese organizations.
CVE-2026-22679 is a c
- https://h4cker.zip/post/d5d211/
- https://ti.qianxin.com/vulnerability/notice-detail/1760
- https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint
- https://www.weaver.com.cn/cs/securityDownload.html#
- https://blog.vega.io/posts/cve-2026-22679-weaver-ecology-exploitation/