Weaver E-cology RCE Flaw Actively Exploited via Exposed Debug API
Weaver E-cology critical RCE flaw (CVE-2026-22679) actively exploited via exposed debug API.
Summary
A critical unauthenticated remote code execution vulnerability (CVE-2026-22679, CVSS 9.8) in Weaver E-cology 10.0 is being actively exploited in the wild. The flaw exists in an exposed Dubbo RPC debug endpoint that allows attackers to execute arbitrary OS commands without authentication. Exploitation began within five days of patch release on March 12, 2026, with confirmed intrusion campaigns documented by the Vega Research Team targeting internet-facing deployments.
Full text
Active Exploitation
- CVSS: 9.8
- CVE: CVE-2026-22679
- Type: Unauthenticated RCE
- Vector: Network / No Auth

Vulnerability Overview

A critical unauthenticated remote code execution vulnerability is being actively exploited in Weaver E-cology, a widely deployed enterprise collaboration and office automation platform. Tracked as CVE-2026-22679 with a CVSS score of 9.8, the flaw allows attackers to execute arbitrary operating system commands on vulnerable servers without any authentication.

The vulnerability resides in an exposed debug endpoint that is part of the Dubbo RPC framework integration. Attackers can craft HTTP POST requests with attacker-controlled parameters that are passed directly into internal method invocation logic without validation, ultimately reaching OS command execution helpers within the application's Java Virtual Machine running under Tomcat.

The Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026. Chinese security vendor QiAnXin independently confirmed successful reproduction of the vulnerability on March 17, 2026. The Vega Research Team published a detailed report documenting a confirmed intrusion campaign that began as early as March 17, 2026 — just five days after patches were shipped.

- CVE ID: CVE-2026-22679
- CVSS Score: 9.8 — Critical
- Vulnerability Type: Missing Authentication (CWE-306)
- Attack Vector: Network (Remote)
- Authentication: None Required
- User Interaction: None
- Vendor: Weaver (Fanwei)
- Product: E-cology 10.0
- Affected Builds: Prior to 20260312
- Exploitation Status: Active — In the Wild
- First Exploitation: March 17, 2026
- Patch Status: Fixed — Build 20260312

Technical Details

The vulnerability exists in the exposed Dubbo RPC debug endpoint at /papi/esearch/data/devops/dubboApi/debug/method. This endpoint is designed for internal development and debugging purposes but was left accessible without authentication in production deployments of E-cology 10.0.

The endpoint accepts HTTP POST requests containing JSON parameters including "interfaceName" and "methodName" fields. These user-supplied inputs are passed directly into the Dubbo RPC framework's method invocation logic without sanitization or authorization checks. An attacker can specify crafted values for these parameters to invoke internal Java methods that ultimately reach OS command execution helpers within the application's JVM. Because the application runs under Tomcat, successful exploitation grants command execution with the privileges of the Tomcat service account.

The vendor addressed the vulnerability on March 12, 2026, by removing the vulnerable debug endpoint entirely from production builds. Public proof-of-concept exploits are available, and detection scripts for both Python and Nmap have been published on GitHub.

Confirmed Intrusion Campaign

The Vega Research Team documented a confirmed multi-phase intrusion campaign exploiting CVE-2026-22679. The attack targeted an internet-facing Windows server running an unpatched E-cology instance. All malicious activity originated from java.exe, confirming the RCE vulnerability as the entry point. The campaign included:
- RCE verification via ping callbacks
- three failed payload delivery attempts using PowerShell
- an MSI implant disguised as "fanwei0324.msi" (using the romanized Chinese name for Weaver)
- discovery commands including whoami, ipconfig, and tasklist

Affected Versions

The vulnerability affects all Weaver E-cology 10.0 builds released prior to March 12, 2026. The vendor has not released comprehensive information about whether earlier major versions (9.x and below) are also affected. Organizations should verify their specific deployment with the vendor.

| Product | Affected Builds | Fixed Build | Status |
|---|---|---|---|
| E-cology 10.0 | All builds < 20260312 | 20260312 | Patched |
| E-cology 9.x and earlier | Unknown — Check with Vendor | | |

Recommendations

- Update E-cology to build 20260312 or later immediately. This update removes the vulnerable debug endpoint entirely. Contact Weaver support if you are unable to locate the update through standard channels.
- Block access to the vulnerable endpoint. As an interim measure, configure your web application firewall or reverse proxy to deny all requests to the path /papi/esearch/data/devops/dubboApi/debug/method.
- Audit for indicators of compromise. Review process execution logs for suspicious child processes spawned by java.exe, particularly whoami, ipconfig, tasklist, powershell.exe, and msiexec.exe. Check for connections to external infrastructure or the presence of unfamiliar MSI packages.
- Restrict internet exposure. Weaver E-cology instances should not be directly accessible from the public internet without authentication and network-level access controls. Place them behind a VPN or Zero Trust access gateway.
- Run detection scans. Use the publicly available CVE-2026-22679 detection scanner to identify vulnerable instances in your environment. The tool performs safe, non-destructive endpoint checks.

Context

Weaver E-cology is one of the most widely deployed enterprise OA (Office Automation) platforms in China, used across government agencies, financial institutions, manufacturing firms, and large enterprises for workflow management, document collaboration, and internal communications. The platform's broad adoption makes it a high-value target for threat actors, particularly those operating in or targeting the Chinese enterprise ecosystem.

The speed of exploitation — just five days after the patch release — underscores the importance of rapid patch adoption for internet-facing enterprise applications. The confirmed intrusion campaign demonstrated a methodical attack sequence including initial verification, multiple payload delivery attempts, and lateral movement preparation, suggesting an organized threat actor rather than opportunistic scanning.
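The two audit steps in the recommendations (watch for requests to the debug endpoint path, and for java.exe spawning the listed discovery and delivery tools) are mechanical enough to script. The following is an added example, not code from the advisory, from Weaver, or from any of the research teams cited: it runs both checks over constructed sample records. The combined-format access-log layout, the Sysmon-style field names (ParentImage, Image, CommandLine), the inclusion of ping.exe (from the campaign's ping callbacks) in the watch list, and every sample value are assumptions.

```python
"""Detection checks for the CVE-2026-22679 post-exploitation pattern.

Added example (not from the advisory or vendor). Flags:
  1. HTTP requests to the exposed debug endpoint named in the advisory;
  2. child processes of java.exe matching the advisory's indicator list;
  3. command lines referencing the campaign's MSI filename.
Sample records below are constructed; field names follow Sysmon/Windows
process-creation events and a combined-format web access log (assumed).
"""
import re
from dataclasses import dataclass

DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"

# Child processes the advisory lists as suspicious under java.exe; ping.exe
# added here (assumption) because the campaign verified RCE via ping callbacks.
SUSPICIOUS_CHILDREN = {
    "whoami.exe", "ipconfig.exe", "tasklist.exe",
    "powershell.exe", "msiexec.exe", "ping.exe",
}
KNOWN_IMPLANT_NAME = "fanwei0324.msi"


@dataclass
class Finding:
    kind: str
    detail: str


# Combined log format (assumed): src ident user [ts] "METHOD path proto" status size
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return a Finding for every request whose path is the debug endpoint."""
    findings = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than fail the whole scan
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path.lower() == DEBUG_ENDPOINT.lower():  # Tomcat on Windows is case-insensitive
            findings.append(Finding(
                "debug-endpoint-request",
                f"{m.group('src')} {m.group('method')} {path} -> {m.group('status')}",
            ))
    return findings


def _basename(image_path):
    return image_path.rsplit("\\", 1)[-1].lower()


def scan_process_events(events):
    """Return Findings for suspicious java.exe children and the known MSI name."""
    findings = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        cmdline = ev.get("CommandLine", "")
        if parent == "java.exe" and child in SUSPICIOUS_CHILDREN:
            findings.append(Finding("java-child-process", f"{child} via java.exe: {cmdline}"))
        if KNOWN_IMPLANT_NAME in cmdline.lower():
            findings.append(Finding("known-implant-name", cmdline))
    return findings


# Constructed sample data (not real logs). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [17/Mar/2026:08:14:02 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512',
    '198.51.100.4 - - [17/Mar/2026:08:14:05 +0000] "GET /login/Login.jsp HTTP/1.1" 200 2048',
    '203.0.113.7 - - [17/Mar/2026:08:15:11 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?x=1 HTTP/1.1" 200 128',
]
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\ecology\jdk\bin\java.exe", "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami"},
    {"ParentImage": r"C:\ecology\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Windows\Temp\stage.ps1"},
    {"ParentImage": r"C:\ecology\jdk\bin\java.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\Temp\fanwei0324.msi /qn"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign parent: not flagged
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]


def run_demo():
    """Run both scans over the constructed samples and return all findings."""
    return scan_access_log(SAMPLE_ACCESS_LOG) + scan_process_events(SAMPLE_PROCESS_EVENTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.kind}] {f.detail}")
```

The msiexec event produces two findings on purpose (a suspicious java.exe child and the known implant name), so an analyst sees both the behavioural and the name-based match; deduplicate by event if your pipeline counts alerts per record.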
References
- The Hacker News — Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API
- NVD — CVE-2026-22679
- MITRE — CVE-2026-22679 Record
- GitHub — CVE-2026-22679 Detection Scanner & Analysis
- CyberPress — Critical Weaver E-cology RCE Flaw Actively Exploited by Attackers
Indicators of Compromise
- cve — CVE-2026-22679
- malware — fanwei0324.msi