Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API
Weaver E-cology Critical RCE Flaw Under Active Exploitation via Debug API Endpoint
TL;DR — CVE-2026-22679, a critical unauthenticated remote code execution vulnerability in Weaver E-cology 10.0, is actively exploited in the wild. The flaw resides in an exposed debug API endpoint that accepts attacker-controlled parameters to execute arbitrary commands. Active exploitation began by March 17, 2026, according to the Vega Research Team, with the threat actor attempting payload delivery and lateral movement techniques.
What happened
A critical remote code execution vulnerability in Weaver E-cology 10.0 — an enterprise office automation and collaboration platform — has been exploited by an unknown threat actor. The vulnerability, tracked as CVE-2026-22679 with a CVSS score of 9.8, stems from insufficient access controls on a debug API endpoint.
The vulnerable endpoint /papi/esearch/data/devops/dubboApi/debug/method accepts unauthenticated POST requests. Attackers craft requests with attacker-controlled interfaceName and methodName parameters to invoke command-execution helpers, resulting in arbitrary code execution on the target system.
According to available reporting, the Shadowserver Foundation first observed active exploitation on March 31, 2026. However, the Vega Research Team identified earlier evidence of abuse dating back to March 17, 2026 — five days after patches were made available for the vulnerability. The intrusion campaign unfolded over approximately one week and included several operator activities: RCE verification, three failed payload drops, an attempted pivot to an MSI installer named "fanwei0324.msi" ("fanwei" being the romanized name for Weaver), and multiple attempts to retrieve PowerShell payloads from attacker infrastructure. The threat actor also executed standard discovery commands including whoami, ipconfig, and tasklist.
QiAnXin, a Chinese security vendor, published an alert on March 17, 2026, confirming the vulnerability could be reproduced but did not disclose additional operational details at that time.
Why it matters
This vulnerability represents a direct path to system compromise for any unpatched Weaver E-cology 10.0 installation. E-cology serves as a central collaboration and office automation platform in many enterprises; successful exploitation grants an attacker code execution in a trust-critical system. The absence of authentication requirements lowers the barrier to exploitation — no valid credentials or legitimate access are needed.
The exploitation pattern observed in the wild demonstrates that threat actors have moved beyond proof-of-concept. The campaign included persistence attempts via MSI installation and lateral movement reconnaissance, indicating intent to maintain access and expand compromise. For SOC analysts and system administrators in the region, this signals active threat activity targeting this software in production environments.
Affected systems and CVEs
- Weaver E-cology 10.0 (versions prior to 20260312): CVE-2026-22679
What to do
- Apply security updates to Weaver E-cology version 20260312 or later immediately if not already deployed.
- Deploy the Python-based detection script released by security researcher Kerem Oruc to identify vulnerable instances by checking accessibility of the susceptible API endpoint.
- Restrict network access to the /papi/esearch/data/devops/dubboApi/debug/method endpoint at the firewall or WAF level, permitting only known legitimate traffic.
- Monitor outbound connections from E-cology systems for unexpected PowerShell payload retrieval or command execution.
- Review logs for POST requests to the vulnerable endpoint, particularly those containing interfaceName and methodName parameters, from March 17, 2026 forward.
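As an added example (not code from the page, Weaver, or the researchers cited), a small Python triage script for the log-review step above: it flags POST requests to the debug endpoint in constructed combined-format access-log lines, records whether each falls on or after March 17, 2026, and, where a proxy or WAF logs request bodies, whether both interfaceName and methodName are present. The log format, the trailing body="..." field and the sample lines are assumptions.

```python
import re
from datetime import datetime, timezone

# Endpoint and parameter names come from the advisory; everything else here is assumed.
VULN_PATH = "/papi/esearch/data/devops/dubboApi/debug/method"
WATCH_PARAMS = ("interfaceName", "methodName")
CAMPAIGN_START = datetime(2026, 3, 17, tzinfo=timezone.utc)

# Combined-log style line with an optional trailing body="..." field that a reverse
# proxy or WAF may be configured to emit (assumed format, not Weaver's own logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "[^"]*")?(?: body="(?P<body>[^"]*)")?'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["ts"] = datetime.strptime(f["ts"], "%d/%b/%Y:%H:%M:%S %z")
    f["path"] = f["target"].split("?", 1)[0]  # drop any query string before comparing
    return f

def scan(lines):
    """Flag POSTs to the debug endpoint; note the campaign window and body parameters."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f is None or f["method"] != "POST" or f["path"] != VULN_PATH:
            continue
        body = f["body"] or ""  # body is only present if the proxy logs it
        findings.append({
            "ip": f["ip"], "ts": f["ts"].isoformat(), "status": int(f["status"]),
            "in_campaign_window": f["ts"] >= CAMPAIGN_START,
            "has_debug_params": all(p + "=" in body for p in WATCH_PARAMS),
        })
    return findings

# Constructed sample lines (not real traffic): a hit with body, a GET probe, an
# unrelated POST, and a pre-campaign POST carrying a query string.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Mar/2026:10:15:32 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512 "-" "example-client/1.0" body="interfaceName=example.Service&methodName=example"',
    '198.51.100.7 - - [18/Mar/2026:08:01:00 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 405 0',
    '192.0.2.9 - - [20/Mar/2026:09:00:00 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Mar/2026:23:59:59 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?v=1 HTTP/1.1" 500 0',
]
```

Run `scan(SAMPLE_LOG)` to list the two flagged requests; a real access log without body logging will only ever set has_debug_params to False, so treat the path match alone as the primary signal.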
Open questions
- Identity of the threat actor conducting the exploitation campaign remains unknown.
- Total number of systems compromised or targeted globally is not disclosed.
- Specific organizations, sectors, or regions affected by the campaign are not identified in available reporting.
- Details of the three failed payload drops mentioned in the campaign are not specified.
- Current status of active exploitation — whether the campaign is ongoing or concluded — is not stated.
- Scope of data exfiltration or collateral damage from successful compromises has not been disclosed.
Source
Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API