Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API

Summary

CVE-2026-22679, a critical unauthenticated remote code execution flaw in Weaver E-cology 10.0 (CVSS 9.8), is being actively exploited in the wild via an exposed debug API endpoint at /papi/esearch/data/devops/dubboApi/debug/method. Attackers craft POST requests with malicious interfaceName and methodName parameters to execute arbitrary commands; exploitation began within days of the March 12, 2026 patch release. The unknown threat actor has been observed performing reconnaissance, attempting payload delivery including a malicious MSI installer named "fanwei0324.msi," and running discovery commands.

Full text

Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API Ravie LakshmananMay 05, 2026Vulnerability / Network Security A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild. The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the "/papi/esearch/data/devops/dubboApi/debug/method" endpoint that allows an attacker to execute arbitrary commands by invoking exposed debug functionality. "Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system," according to a description of the flaw in the NIST National Vulnerability Database (NVD). The advisory also noted that the Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026. Chinese security vendor QiAnXin said it was able to successfully reproduce the remote code execution vulnerability in its own alert released on March 17, 2026. However, in a report published last week, the Vega Research Team said it identified active exploitation of CVE-2026-22679, with the earliest evidence of abuse dating back to March 17, 2026, five days after patches were shipped for the flaw. "The intrusion unfolded over roughly a week of operator activity: RCE verification, three failed payload drops, an attempted pivot to an MSI implant that did not produce a working install, and a short burst of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure," security researcher Daniel Messing said. The MSI installer, per the Israeli cybersecurity company, used the name "fanwei0324.msi," indicating an attempt to pass off the malicious payload as harmless by using the romanized Chinese name for Weaver. The unknown threat actor has also been observed running discovery commands, such as whoami, ipconfig, and tasklist, throughout the campaign. Security researcher Kerem Oruc has made available a Python-based detection script that identifies vulnerable Weaver E-cology instances by checking if the susceptible API endpoint is accessible. Users are advised to apply the updates, if not already, to stay protected. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, data security, Enterprise Software, Malware, network security, remote code execution, Threat Intelligence, Vulnerability ⚡ Top Stories This Week Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately ⭐ Featured Resources [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures [Guide] How to Enable Secure Data Movement Without Added Risk Learn How Hidden Identity Blind Spots Weaken Your Security Systems [Guide] Learn a Practical Framework to Evaluate AI Tools for Production

Indicators of Compromise

• cve — CVE-2026-22679
• malware — fanwei0324.msi

Entities