Full Report
A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild. The vulnerability (CVE-2026-22679, CVSS score: 9.8) is an unauthenticated remote code execution flaw affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the "/papi/esearch/data/devops/
Analysis Summary
# Vulnerability: Weaver E-cology Unauthenticated Remote Code Execution via Debug API
## CVE Details
- **CVE ID:** CVE-2026-22679
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Not specifically listed (categorized as Unauthenticated Remote Code Execution)
## Affected Systems
- **Products:** Weaver (Fanwei) E-cology (Enterprise OA/Collaboration platform)
- **Versions:** Weaver E-cology 10.0 versions prior to update **20260312**.
- **Configurations:** Deployments that expose the `/papi/` path prefix (and with it the debug endpoint) to the internet or other untrusted networks; no authentication is required to reach the flaw.
## Vulnerability Description
The vulnerability exists in the `/papi/esearch/data/devops/dubboApi/debug/method` endpoint, a Dubbo API debug interface that is reachable without authentication. An attacker sends a crafted HTTP POST whose `interfaceName` and `methodName` parameters select the internal method to invoke; because internal command-execution helpers are reachable through this path, the request results in arbitrary code execution on the underlying server.
## Exploitation
- **Status:** **Exploited in the wild.** Active abuse was noted as early as March 17, 2026.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **PoC Availability:** Reproducible by security vendors (QiAnXin); a Python-based detection script is publicly available on GitHub.
## Impact
- **Confidentiality:** Total (Full access to system data and files)
- **Integrity:** Total (Ability to modify system files and install malware/MSI implants)
- **Availability:** Total (Ability to execute system-level commands or disrupt services)
## Remediation
### Patches
- Users must upgrade to **Weaver E-cology 10.0 version 20260312** or later.
- Official vendor advisory: `https://www.weaver.com.cn/cs/security/edm20260312_opzuyukeiouit0312topeywer[.]html`
### Workarounds
- **Network Filtering:** Restrict or block external access to the `/papi/` URI path at the Web Application Firewall (WAF) or reverse proxy level.
- **Disable Debugging:** Ensure all Dubbo API debug and DevOps functionalities are disabled in production environments.
## Detection
- **Indicators of Compromise (IoCs):**
- Presence of a file named `fanwei0324.msi` (malicious installer).
- Execution of discovery commands: `whoami`, `ipconfig`, and `tasklist`.
- Unusual POST requests to: `/papi/esearch/data/devops/dubboApi/debug/method`
- **Detection methods and tools:**
- **Script:** A Python detection tool by Kerem Oruc is available at `https://github[.]com/keraattin/CVE-2026-22679`.
- **Log Analysis:** Review web access logs for any request to `/papi/esearch/data/devops/dubboApi/debug/method`. A POST answered with HTTP 200 from an unknown or external IP address is the strongest signal that the debug method was actually invoked; 403 responses after the `/papi/` block is in place still identify the attacking sources, and GET probes of the endpoint indicate scanning.
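The access-log check above, written out as an added example (this is not code from the advisory, from Weaver, or from the GitHub tool referenced here). It assumes a combined-format access log from the reverse proxy in front of E-cology and a trusted source range of `10.0.0.0/8`; both are assumptions, and the log lines are constructed for the example. Requests are compared on the URL path only, so a query string cannot hide the endpoint.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Endpoint named in the advisory for CVE-2026-22679, and the prefix the workaround blocks.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"
PAPI_PREFIX = "/papi/"

# Source networks expected to reach the OA server legitimately. Assumption for
# this example; replace with the deployment's real management/user ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined-format access log (nginx/Apache default). The log format is an
# assumption; adjust the pattern if the reverse proxy logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})\b'
)

# Constructed sample lines, not real traffic. They cover: a successful POST,
# benign traffic, a POST with a query string, a GET probe, an external hit on
# another /papi/ path, and a POST rejected after the WAF block was applied.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Mar/2026:08:14:02 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [17/Mar/2026:08:15:10 +0000] "GET /wui/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Mar/2026:08:14:05 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?x=1 HTTP/1.1" 200 128 "-" "curl/8.4.0"
198.51.100.9 - - [17/Mar/2026:09:01:44 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Mar/2026:09:02:00 +0000] "POST /papi/other HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2026:07:30:12 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return a dict with ip/method/path/status for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Compare on the path only, so a query string cannot hide the endpoint.
    entry["path"] = urlsplit(entry["target"]).path
    entry["status"] = int(entry["status"])
    return entry


def is_trusted(ip):
    """True if the client address falls inside one of TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify(entry):
    """Label one parsed request, or return None if it is not interesting."""
    path, method, status = entry["path"], entry["method"], entry["status"]
    if path == DEBUG_ENDPOINT:
        if method == "POST" and status == 200:
            return "likely_exploit"           # debug method invoked and answered
        if method == "POST":
            return "blocked_exploit_attempt"  # e.g. 403 from the /papi/ block
        return "probe"                        # GET/HEAD scanner touching the endpoint
    if path.startswith(PAPI_PREFIX) and not is_trusted(entry["ip"]):
        return "external_papi_access"         # untrusted source reaching /papi/ at all
    return None


def scan(log_text):
    """Return (label, ip, method, path, status) for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((label, entry["ip"], entry["method"], entry["path"], entry["status"]))
    return findings


def suspicious_ips(findings):
    """Count POSTs to the debug endpoint per source address, successful or blocked."""
    return Counter(ip for label, ip, *_ in findings
                   if label in ("likely_exploit", "blocked_exploit_attempt"))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for label, ip, method, path, status in results:
        print(f"{label:24} {ip:15} {method:5} {status} {path}")
    print("POST sources to the debug endpoint:", dict(suspicious_ips(results)))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the `likely_exploit` label on a source that is not in the trusted ranges is the line to escalate, and the `fanwei0324.msi` and discovery-command indicators above should then be checked on the host for the same time window.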
## References
- **NVD:** `https://nvd.nist.gov/vuln/detail/CVE-2026-22679`
- **Vega Research:** `https://blog.vega[.]io/posts/cve-2026-22679-weaver-ecology-exploitation/`
- **QiAnXin Alert:** `https://ti.qianxin[.]com/vulnerability/notice-detail/1760`