A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has been exploited in the wild.
This vulnerability (CVE-2026-22679, CVSS score: 9.8) is related to an unauthenticated remote code execution case that affects Weaver E-cology 10.0 versions prior to 20260312. The issue exists in the “/papi/esearch/data/devops/dubboApi/debug/method” endpoint, which allows execution by an attacker. You can invoke exposed debugging functionality to execute arbitrary commands.
According to the flaw description in the NIST National Vulnerability Database (NVD), “An attacker can craft a POST request with attacker-controlled interfaceName and methodName parameters to reach the command execution helper and execute arbitrary commands on the system.”
The advisory also notes that the Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026. Chinese security vendor QiAnXin said it had successfully reproduced a remote code execution vulnerability in its alert released on March 17, 2026.
However, in a report published last week, the Vega Research Team said it had identified active exploitation of CVE-2026-22679, with the earliest evidence of exploitation dating back to March 17, 2026, five days after a patch for the flaw was shipped.
Security researcher Daniel Messing said, “The intrusion unfolded over approximately a week of operator activity: RCE validation, three failed payload drops, an attempt to pivot to an MSI implant that did not produce a working installation, and short bursts of attempts to obtain PowerShell payloads from attacker-controlled infrastructure.”
According to the Israeli cybersecurity firm, the MSI installer uses the name “fanwei0324.msi,” indicating an attempt to romanize Weaver’s Chinese name to disguise the malicious payload as harmless. Unknown attackers have also been observed running discovery commands such as whoami, ipconfig, and tasklist during the campaign.
Security researcher Kerem Oruc published a Python-based detection script that identifies vulnerable Weaver E-cology instances by checking whether susceptible API endpoints are accessible. To stay protected, we recommend applying updates if you haven’t already done so.
Source link
