Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API


2026-05-05 00:00


Details

A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild. The vulnerability (CVE-2026-22679, CVSS score: 9.8) is a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the "/papi/esearch/data/devops/dubboApi/debug/method" endpoint, which allows an attacker to execute arbitrary commands by invoking exposed debug functionality. "Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system," according to a description of the flaw in the NIST National Vulnerability Database (NVD).

The advisory also noted that the Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026. A similar alert published by QiAnXin on March 17, 2026, revealed that the Chinese security vendor was able to successfully reproduce the remote code execution vulnerability without sharing any further details. However, in a report published last week, the Vega Research Team said it identified active exploitation of CVE-2026-22679 much earlier, with the earliest evidence of abuse dating back to March 17, 2026, five days after patches were shipped for the flaw. "The intrusion unfolded over roughly a week of operator activity: RCE verification, three failed payload drops, an attempted pivot to an MSI implant that did not produce a working install, and a short burst of attempts to retrieve PowerShell payloads from attacker-controlled infrastructure," security researcher Daniel Messing said.

The MSI installer, per the Israeli cybersecurity company, used the name "fanwei0324.msi," indicating an attempt to pass off the malicious payload as harmless by using the romanized Chinese name for Weaver. The unknown threat actor has also been observed running discovery commands, such as whoami, ipconfig, and tasklist, throughout the campaign. Security researcher Kerem Oruc has made available a Python-based detection script that identifies vulnerable Weaver E-cology instances by checking if the susceptible API endpoint is accessible. Users are advised to apply the updates, if not already, to stay protected.
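For defenders who cannot patch immediately, the two facts the article gives (the exposed endpoint path and the first fixed build, 20260312) are enough to write a retrospective check. The following is an added example and is not Kerem Oruc's script, nor code from Weaver or the cited researchers: it scans web-server access logs for requests to the debug endpoint and classifies an E-cology 10.0 build as affected or fixed. The combined-log layout, the sample log lines and the assumption that a build is represented as an 8-digit YYYYMMDD string are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Endpoint path and first fixed build as stated for CVE-2026-22679.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"
FIRST_FIXED_BUILD = 20260312  # E-cology 10.0 builds before this are affected

# Constructed sample access-log lines in combined-log layout (not real traffic).
# The exploitation pattern described in the advisory is a POST; GET probes are
# still worth surfacing because they show the endpoint is being looked for.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Mar/2026:09:12:44 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [17/Mar/2026:09:13:01 +0000] "GET /login/Login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Mar/2026:09:13:20 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=x&methodName=y HTTP/1.1" 500 128 "-" "curl/8.5"
192.0.2.3 - - [17/Mar/2026:09:14:02 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Assumed combined-log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    method: str
    target: str
    status: int


def find_debug_api_hits(lines: Iterable[str]) -> List[Hit]:
    """Return every request whose path (query string stripped) is the debug endpoint."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        path = m.group("target").split("?", 1)[0]
        if path == DEBUG_ENDPOINT:
            hits.append(Hit(m.group("ip"), m.group("ts"), m.group("method"),
                            m.group("target"), int(m.group("status"))))
    return hits


def is_affected_build(build: str) -> bool:
    """True if an E-cology 10.0 build string (assumed YYYYMMDD) predates the fixed build."""
    if not re.fullmatch(r"\d{8}", build):
        raise ValueError(f"expected an 8-digit build date, got {build!r}")
    return int(build) < FIRST_FIXED_BUILD


if __name__ == "__main__":
    for h in find_debug_api_hits(SAMPLE_LOG.splitlines()):
        print(f"{h.timestamp} {h.ip} {h.method} {h.target} -> {h.status}")
    print("build 20260301 affected:", is_affected_build("20260301"))
```

Any POST to the endpoint from an unfamiliar client, regardless of response code, deserves a look; a 200 on a POST in particular matches the "RCE verification" step the researchers describe, and the source address can then be correlated with the whoami, ipconfig and tasklist process executions mentioned above.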