Attackers exploit Weaver E-cology RCE via debug API

Unauthenticated RCE (CVE-2026-22679) in Weaver E-cology’s /papi/esearch/data/devops/dubboApi/debug/method endpoint is being exploited; install the 20260312 patch.

A high-severity unauthenticated remote code execution flaw (CVE-2026-22679, CVSS 9.8) in Weaver (Fanwei) E-cology has been exploited in the wild. The issue affects Weaver E-cology 10.0 releases prior to the 20260312 update and centers on the /papi/esearch/data/devops/dubboApi/debug/method endpoint. Administrators should install the 20260312 patch or later.

The vulnerability allows crafted POST requests that include attacker-controlled interfaceName and methodName parameters to reach debug helpers and execute arbitrary commands without authentication, according to the NIST National Vulnerability Database.

Chinese security vendor QiAnXin reproduced the remote code execution on March 17, 2026. The Vega Research Team’s analysis identified evidence of attacker activity beginning on March 17, which the team notes occurred five days after vendor patches were released on March 12, 2026. The Shadowserver Foundation recorded initial signs of exploitation on March 31, 2026.

Vega’s analysis reported roughly a week of operator activity that began with RCE verification, followed by three failed payload drops and an attempted installation of a malicious MSI named fanwei0324.msi. Researchers observed short bursts of attempts to retrieve PowerShell payloads from external infrastructure and execution of system discovery commands including whoami, ipconfig and tasklist.

In Vega’s report, researcher Daniel Messing summarized the intrusion:

“RCE verification, three unsuccessful payload deployments, a failed pivot via an MSI installer, and attempts to fetch additional payloads.”

Security researcher Kerem Oruc published a Python detection script that checks whether the vulnerable API endpoint is reachable. Vendor-supplied fixes remove or secure the exposed debug functionality; organizations running affected versions should install the 20260312 update or later and confirm the /papi/esearch/data/devops/dubboApi/debug/method endpoint is not accessible from untrusted networks.

Teams should review logs for the discovery commands and attempted payload retrievals described by researchers and isolate any systems showing signs of compromise. Weaver E-cology is an enterprise office automation and collaboration platform.
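A log-review sketch for the checks described above, added here as an example and not taken from the researchers' or the vendor's tooling: it flags requests that reached the debug endpoint in reverse-proxy access logs and marks those from outside the trusted range. The Combined Log Format layout, the `TRUSTED_NETS` range and the sample lines are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Endpoint named in the advisory; compared in lowercase after normalization.
DEBUG_PATH = "/papi/esearch/data/devops/dubboapi/debug/method"
# Assumption: the site's internal range. Everything else counts as untrusted.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: Common/Combined Log Format written by a fronting proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop the query, decode %-escapes, strip ;params, collapse slashes."""
    path = unquote(target.split("?", 1)[0])
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def is_untrusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable client field: treat as untrusted
    return not any(addr in net for net in TRUSTED_NETS)

def find_debug_api_hits(lines):
    """Return one record per logged request to the debug endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize_path(m["target"]) != DEBUG_PATH:
            continue
        hits.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": int(m["status"]), "untrusted": is_untrusted(m["ip"]),
            # POST answered with 2xx: the endpoint responded; triage first.
            "priority": m["method"] == "POST" and m["status"][0] == "2",
        })
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [17/Mar/2026:02:14:09 +0800] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [17/Mar/2026:02:15:40 +0800] "POST /papi//esearch/data/devops/dubboApi/%64ebug/method?x=1 HTTP/1.1" 200 87 "-" "-"',
    '10.20.0.5 - - [17/Mar/2026:09:00:01 +0800] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 404 0 "-" "-"',
    '10.20.0.8 - - [17/Mar/2026:09:00:02 +0800] "GET /login HTTP/1.1" 200 1024 "-" "-"',
]
for hit in find_debug_api_hits(SAMPLE):
    print(hit)
```

Any hit from an untrusted address means the endpoint is still exposed; priority hits are the ones to correlate with host logs for whoami, ipconfig, tasklist and fanwei0324.msi.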
