Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API

Published: May 5, 2026 at 03:37 AM EDT

Source: The Hacker News

Overview

A critical security vulnerability in Weaver (Fanwei) E‑cology, an enterprise office automation (OA) and collaboration platform, is being actively exploited in the wild.

Vulnerability Details

  • CVE: CVE‑2026‑22679
  • CVSS v3.1 Base Score: 9.8 (Critical)
  • Affected Versions: Weaver E‑cology 10.0 prior to 20260312
  • Vulnerable Endpoint: POST /papi/esearch/data/devops/dubboApi/debug/method
  • Impact: Unauthenticated remote code execution (RCE) via crafted interfaceName and methodName parameters that invoke internal debug helpers.

“Attackers can craft POST requests with attacker‑controlled interfaceName and methodName parameters to reach command‑execution helpers and achieve arbitrary command execution on the system,” – NVD description.

Exploitation Activity

  • Shadowserver Foundation observed the first signs of active exploitation on 31 Mar 2026.

  • QiAnXin reproduced the RCE in its own analysis and released an alert on 17 Mar 2026.

  • Vega Research Team reported exploitation evidence dating back to 17 Mar 2026, only five days after patches were released. Their analysis described a week‑long intrusion chain:

    1. RCE verification.
    2. Three failed payload drops.
    3. Attempted pivot to an MSI installer (named fanwei0324.msi) that did not install successfully.
    4. Brief attempts to retrieve PowerShell payloads from attacker‑controlled infrastructure.

    The threat actor also executed discovery commands such as whoami, ipconfig, and tasklist throughout the campaign.

Mitigation and Detection

  • Patch: Apply the update released on 12 Mar 2026 – Weaver security advisory.
  • Detection Script: A Python‑based tool that checks the accessibility of the vulnerable API endpoint is available on GitHub – kerattin/CVE-2026-22679.
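
As a complement to checking whether the endpoint is reachable, the added example below (not from the article or from the GitHub tool it mentions) hunts web access logs for POST requests to the vulnerable endpoint and groups them by source address. It assumes Combined Log Format; the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from posixpath import normpath
from urllib.parse import unquote

# Endpoint from the advisory, lowercased for comparison.
VULN_PATH = "/papi/esearch/data/devops/dubboapi/debug/method"

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def canonical_path(target):
    """Drop the query string, percent-decode once, collapse '//' and dot
    segments, and lowercase (deliberately over-inclusive for hunting)."""
    path = unquote(target.split("?", 1)[0])
    return normpath("/" + path.lstrip("/")).lower()

def find_hits(lines):
    """Return {source_ip: [(timestamp, status), ...]} for POSTs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if canonical_path(m["target"]) == VULN_PATH:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append((ts, int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Mar/2026:08:14:02 +0800] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 412 "-" "curl/8.5.0"',
    '192.0.2.10 - - [17/Mar/2026:08:15:40 +0800] "POST /papi//esearch/data/devops/dubboApi/./debug/method?t=1 HTTP/1.1" 200 388 "-" "curl/8.5.0"',
    '198.51.100.7 - - [18/Mar/2026:11:02:19 +0800] "POST /papi/esearch/data/devops/%64ubboApi/debug/method HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.5 - - [18/Mar/2026:11:05:00 +0800] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Mar/2026:11:06:31 +0800] "POST /some/other/path HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in sorted(find_hits(SAMPLE_LOG).items()):
        first = min(ts for ts, _ in events)
        ok = sum(1 for _, status in events if 200 <= status < 300)
        print(f"{ip}: {len(events)} POST(s), first {first.isoformat()}, {ok} with 2xx")
```

Any hit on an unpatched host, especially one answered with a 2xx status, is a reason to review that host for the follow-on activity described above (discovery commands, MSI and PowerShell retrieval attempts).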

References

  • NVD entry for CVE‑2026‑22679
  • QiAnXin vulnerability notice
  • Vega Research exploitation analysis
  • Weaver patch details
  • Detection script repository